jumpserver堡垒机部署

@环境
    #系统:CentOS 7
    #systemctl stop firewalld
    #systemctl disable firewalld
    #setenforce 0
    #sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    #wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
    #yum clean all
    #yum makecache
@准备Python3和python虚拟环境
    #安装依赖包
        #yum -y install wget gcc epel-release git
    #安装Python3.6
        #yum -y install python36 python36-devel
    #建立Python虚拟环境
        # cd /data
        python3.6 -m venv py3
        source /data/py3/bin/activate
@安装jumpserver
    #下载或clone项目
        #cd /data/ && git clone --depth=1 https://github.com/jumpserver/jumpserver.git
    #安装依赖rpm包
        #cd /data/jumpserver/requirements
        yum -y install $(cat rpm_requirements.txt)
    #安装Python库依赖
        #pip install --upgrade pip setuptools
        pip install -r requirements.txt
    #安装redis
        #yum -y install redis
        systemctl enable redis
        systemctl start redis
    #安装mariadb
        #yum -y install mariadb mariadb-devel mariadb-server mariadb-shared
         systemctl enable mariadb
         systemctl start mariadb
    #创建数据库jumpserver并授权
        #DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
        echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m"
        mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
    #修改jumpserver配置文件 (注意: 下面的 echo 会把 SECRET_KEY 和 BOOTSTRAP_TOKEN 明文追加到 ~/.bashrc)
        #cd /data/jumpserver
        cp config_example.yml config.yml
        SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`  # 生成随机SECRET_KEY
        echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
        BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`  # 生成随机BOOTSTRAP_TOKEN
        echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
        sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /data/jumpserver/config.yml
        sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /data/jumpserver/config.yml
        sed -i "s/# DEBUG: true/DEBUG: false/g" /data/jumpserver/config.yml
        sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /data/jumpserver/config.yml
        sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /data/jumpserver/config.yml
        sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /data/jumpserver/config.yml
        echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
        echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
 
        vi config.yml  # 确认内容有没有错误
        SECRET_KEY:
        # 预共享Token coco和guacamole用来注册服务账号, 不在使用原来的注册接受机制
        BOOTSTRAP_TOKEN:
        # DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
        DEBUG: false
        # 日志级别
        LOG_LEVEL: ERROR
        SESSION_EXPIRE_AT_BROWSER_CLOSE: true
        # 使用Mysql作为数据库
        DB_ENGINE: mysql
        DB_HOST: 127.0.0.1
        DB_PORT: 3306
        DB_USER: jumpserver
        DB_PASSWORD:
        DB_NAME: jumpserver
        # 运行时绑定端口
        HTTP_BIND_HOST: 0.0.0.0
        HTTP_LISTEN_PORT: 8080
        # Redis配置
        REDIS_HOST: 127.0.0.1
        REDIS_PORT: 6379
    #运行jumpserver
        #cd /data/jumpserver
        ./jms start all -d
@安装 SSH Server 和 WebSocket Server: Coco
    #下载或 Clone 项目
        #cd /data
        source /data/py3/bin/activate
        git clone --depth=1 https://github.com/jumpserver/coco.git
    #安装依赖
        #cd /data/coco/requirements
        yum -y install $(cat rpm_requirements.txt)
        pip install -r requirements.txt
    #修改配置文件并运行
        #cd /data/coco
        cp config_example.yml config.yml
 
        sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /data/coco/config.yml
        sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /data/coco/config.yml
 
        vi config.yml
        CORE_HOST: http://127.0.0.1:8080
        BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>
        LOG_LEVEL: ERROR
 
        ./cocod start -d
@安装 Web Terminal 前端: Luna
    #解压luna
        #cd /data
        tar xf luna.tar.gz
        chown -R root:root luna
@安装 Windows 支持组件(如果不需要管理 windows 资产, 可以直接跳过这一步)
    #安装依赖
        #yum install -y java-1.8.0-openjdk libtool
        #yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
        #yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript
    #编译安装 guacamole 服务
        #cd /data
        #git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
        #cd /data/docker-guacamole/
        #tar -xf guacamole-server-0.9.14.tar.gz
        #cd guacamole-server-0.9.14
        #autoreconf -fi
        #./configure --with-init-dir=/etc/init.d
        #make && make install
        #ln -s /usr/local/lib/freerdp/*.so /usr/lib64/freerdp/
        #cd ..
        #rm -rf guacamole-server-0.9.14
        #ldconfig
    #配置Tomcat
        #mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions  # 创建 guacamole 目录
        #ln -sf /data/docker-guacamole/guacamole-auth-jumpserver-0.9.14.jar /config/guacamole/extensions/guacamole-auth-jumpserver-0.9.14.jar
        #ln -sf /data/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties  # guacamole 配置文件
        #cd /config
        #tar xf apache-tomcat-8.5.40.tar.gz
        #rm -rf apache-tomcat-8.5.40.tar.gz
        #mv apache-tomcat-8.5.40 tomcat8
        #rm -rf /config/tomcat8/webapps/*
        #ln -sf /data/docker-guacamole/guacamole-0.9.14.war /config/tomcat8/webapps/ROOT.war  # guacamole client
        #sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat8/conf/server.xml  # 修改默认端口为 8081
        #sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties  # 修改 log 等级为 WARNING
        #cd /config
        #tar xf linux-amd64.tar.gz -C /bin/
        #chmod +x /bin/ssh-forward
@配置环境变量
    #勿多次执行以下环境设置 (每次执行都会向 ~/.bashrc 追加一行, 重复执行会产生重复配置)
        #export JUMPSERVER_SERVER=http://127.0.0.1:8080  # http://127.0.0.1:8080 指 jumpserver 访问地址
        #echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
        #BOOTSTRAP_TOKEN 为 Jumpserver/config.yml 里面的 BOOTSTRAP_TOKEN
        #export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN
        #echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
        #export JUMPSERVER_KEY_DIR=/config/guacamole/keys
        #echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
        #export GUACAMOLE_HOME=/config/guacamole
        #echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
@启动 Guacamole
    #/etc/init.d/guacd start
    #sh /config/tomcat8/bin/startup.sh
@配置 Nginx 整合各组件
    #安装 Nginx
        #yum install yum-utils
        vi /etc/yum.repos.d/nginx.repo
 
       [nginx-stable]
       name=nginx stable repo
       gpgcheck=1
       enabled=1
 
       yum makecache fast
       yum install -y nginx
       rm -rf /etc/nginx/conf.d/default.conf
       systemctl enable nginx
    #准备配置文件 修改 /etc/nginx/conf.d/jumpserver.conf
    #vi /etc/nginx/conf.d/jumpserver.conf
 
# JumpServer front door: a single nginx vhost that serves Luna (static files),
# recordings and static assets straight from disk, and reverse-proxies Coco
# (SSH/WebSocket, :5000), Guacamole (:8081) and the JumpServer core (:8080).
# NOTE(review): this vhost listens on plain HTTP only; login credentials and
# terminal/RDP session traffic cross the wire unencrypted. Terminate TLS here
# (listen 443 ssl + certificate directives) before exposing the bastion beyond
# a trusted network.
server {
    listen 80;  # proxy port; clients use this port from now on instead of 8080
    # server_name demo.jumpserver.org;  # set this to your domain, or leave it commented out

    client_max_body_size 100m;  # upload size limit for recordings and files

    # Luna web terminal front end, served as static files from the unpacked tarball
    location /luna/ {
        try_files $uri / /index.html;
        alias /data/luna/;  # luna path; change this if the install directory changes
    }

    # Session recordings served directly by nginx from the data directory.
    # Content-Encoding: gzip is forced on every response — presumably because the
    # recordings are stored gzip-compressed on disk; confirm against the writer.
    # No access restriction is visible in this block; whether these files are
    # protected depends on the application, not on nginx — verify.
    location /media/ {
        add_header Content-Encoding gzip;
        root /data/jumpserver/data/;  # recordings location; change this if the install directory changes
    }

    # Collected static assets, also served directly by nginx
    location /static/ {
        root /data/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    # Coco WebSocket endpoint. HTTP/1.1 plus the Upgrade/Connection headers are
    # required for the WebSocket handshake to survive the proxy hop; buffering is
    # off so interactive traffic is not held back.
    # access_log off: nginx keeps no request log for this path, so any audit of
    # terminal sessions must come from Coco/JumpServer's own logs.
    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # if coco runs on another server, use its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;  # real client address for the upstream's records
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # Coco HTTP endpoints (non-WebSocket); nginx access logging is disabled here too
    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;  # if coco runs on another server, use its ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # Guacamole client (Tomcat on 8081). Unlike /socket.io/ the client's own
    # Connection header is passed through ($http_connection) instead of being
    # forced to "upgrade", so both plain requests and the WebSocket tunnel go
    # through the same location. Note the trailing slash on proxy_pass: the
    # /guacamole/ prefix is stripped before the request reaches Tomcat.
    location /guacamole/ {
        proxy_pass       http://localhost:8081/;  # if guacamole runs on another server, use its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # Everything else goes to the JumpServer core (Django on 8080); this is the
    # only proxied location whose requests stay in the nginx access log.
    location / {
        proxy_pass http://localhost:8080;  # if jumpserver runs on another server, use its ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
    #运行nginx
        #nginx -t   # 确保配置没有问题, 有问题请先解决
  systemctl start nginx
  systemctl enable nginx
    #开始使用 Jumpserver
        #默认账号: admin 密码: admin
 
 
 
 
 