jumpserver 堡垒机搭建

jumpserver 堡垒机搭建
  • jumpserver版本: 1.5.2-2
  • WEB服务: TOMCAT 9
  • python版本: python 3.6
  • 反向代理/web服务: openresty 1.15.8.1
  • 系统使用 centos 7.4
  • 数据库: mariadb

简单使用

*	安装完成后,登录地址为:http://ip ,默认用户名/密码:admin/admin(首次登录后请立即修改默认密码)
*	登录后在「终端」列表中查看,两个终端应为绿色(在线):一个是 ssh 终端(koko),一个是 windows 远程终端(guacamole)
*	windows 远程只能使用网页终端;linux 可直接使用 ssh 远程操作
*   创建管理用户->系统用户->创建资产->授权用户->登录测试
*	ssh 登录:ssh 用户名@服务器ip -p 端口(未修改时端口为 2222),例:ssh admin@服务器ip -p 2222,然后输入密码即可
*	详细使用教程请到jumpserver官网查看

##备注
* 该文档使用的版本为固定版本,只需拉取项目,安装好依赖便可直接启动使用;
* 原项目中的 COCO 已改用 Go 语言实现的 koko,并已编译打包好,进行配置即可启动使用;
* 使用文档请到原版作者处查看;
* 文中所代码均为搭建测试使用;
* 系统使用到java
* 使用数据库名: jumpserver 用户名: jumpserver 密码: aa123456(示例弱口令,仅限测试环境;正式部署请换成强密码,并在 jumpserver 的 config.yml 中同步修改数据库配置)

安装开始

*	将系统 selinux 设置为 disabled(注意:关闭 selinux 会降低堡垒机的安全性,排障结束后建议恢复为 enforcing)

临时关闭 selinux(重启后失效)

# Switch SELinux to permissive for the current boot only (Permissive == 0);
# the setting is lost on reboot. Security note: a bastion host is a high-value
# target, so keep this to the troubleshooting window rather than leaving it off.
setenforce Permissive

永久关闭 selinux(重启后生效)

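# Permanently disable SELinux (takes effect after reboot).
# The original used typographic quotes (which bash does not treat as quotes)
# and a bare s/enforcing/disabled/g that also rewrites the explanatory comments
# in the file; anchor on the SELINUX= key instead so only the setting changes.
# Security note: prefer SELINUX=permissive while troubleshooting and restore
# enforcing once the services run cleanly.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config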

安装前更新一下系统所有包

# Bring every installed package up to date before adding new repos/packages.
yum update -y

安装必要系统包

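# Base toolchain and services.
# EPEL is enabled first on purpose: on CentOS 7 python36/python36-devel come
# from EPEL, and yum resolves the package list against the repos configured at
# the start of the transaction, so requesting epel-release and python36 in the
# same command can leave python36 uninstalled (and `python3.6 -m venv` failing
# later).
yum -y install epel-release
yum -y install \
  wget gcc git \
  python36 python36-devel \
  redis \
  mariadb mariadb-devel mariadb-server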

安装RDP远程依赖包

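# RDP (guacd/FreeRDP) dependencies.
#
# The symlink makes the distro's /usr/lib64/freerdp plugin directory resolve to
# /usr/local/lib/freerdp (presumably where the source-built guacd looks for
# them -- confirm against the guacd build). It is created BEFORE freerdp-plugins
# is installed so the package contents land behind the link. -p and the guard
# make this rerunnable; the original failed outright on a second run.
mkdir -p /usr/local/lib/freerdp
[ -e /usr/lib64/freerdp ] || ln -s /usr/local/lib/freerdp /usr/lib64/freerdp

# Third-party repositories (nux-dextop and RPM Fusion) providing ffmpeg/freerdp.
# Supply-chain caveat: the nux.ro signing key is fetched over plain HTTP and the
# RPM Fusion release packages are installed with --nogpgcheck, so neither is
# verified on the way in. Check the key fingerprint out of band (or mirror the
# packages internally) before running this on a bastion host.
rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
yum -y localinstall --nogpgcheck \
  https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm \
  https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm

# Build/runtime libraries for guacamole-server plus a JRE for Tomcat.
yum -y install \
  java-1.8.0-openjdk libtool \
  cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel \
  ffmpeg-devel freerdp-devel freerdp-plugins pango-devel \
  libssh2-devel libtelnet-devel libvncserver-devel \
  pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript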

启动 redis、mariadb 数据库并设置开机启动

# Start redis and MariaDB now and enable them at boot, in that order.
for svc in redis mariadb; do
  systemctl start "$svc"
  systemctl enable "$svc"
done

创建 jumpserver 数据库并授权用户

* 	登录数据库:		mysql -uroot (初装 mariadb 的 root 为空密码,建议先执行 mysql_secure_installation 设置 root 密码并删除匿名用户)
*	创建数据库:		create database jumpserver default charset 'utf8';
*	授权用户:		grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'aa123456';  (仅授权本机 127.0.0.1 访问;aa123456 为示例口令,正式环境请替换为强密码)
*	生效:			flush privileges;

创建项目总目录jump

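# Project root; the venv, jumpserver, koko, guacamole and luna all live under it.
# -p makes this rerunnable, and aborting on a failed cd keeps the later
# relative commands from running in whatever directory we happened to be in.
mkdir -p /jump
cd /jump || exit 1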

创建python3 虚拟环境

# Create the Python 3.6 virtualenv at /jump/py (the current directory is /jump).
python3.6 -m venv /jump/py

启用python3 虚拟环境

# Activate the virtualenv for this shell; the jumpserver steps below rely on it.
. /jump/py/bin/activate

进入目录拉取jumpserver/koko/guacamole

# Fetch the three components from the author's mirror.
# Supply-chain note: this is an unofficial fork pulled at whatever its branch
# head is today, with no tag or commit pinned -- review the repos (and pin a
# commit) before trusting the prebuilt binaries they ship.
for repo in jumpserver koko guacamole; do
  git clone "https://git.dev.tencent.com/wolfwolf/${repo}.git"
done

进入到 jumpserver 后端管理目录

*	安装rpm依赖
*	安装python依赖
*	启动服务查看是否正常
* 	必须在 python 虚拟环境下启动
*	启动 jms 服务时加 -d 参数后台运行

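# JumpServer core. Run inside the virtualenv activated above.
cd /jump/jumpserver || exit 1

# OS-level and Python dependencies as listed by the project.
# Word-splitting of the rpm_requirements.txt contents is intentional here.
# shellcheck disable=SC2046
yum install -y $(cat /jump/jumpserver/requirements/rpm_requirements.txt)
pip install -r /jump/jumpserver/requirements/requirements.txt

# Seed config.yml from the shipped template. The original copied to
# /jump/jump/jumpserver/config.yml (a stray /jump/), which does not exist.
# Review the file before starting: it presumably carries the DB credentials
# and bootstrap token used later in this guide -- replace the sample values
# before exposing the host, and keep it readable by root only.
cp /jump/jumpserver/config.yml_bak /jump/jumpserver/config.yml
chmod 600 /jump/jumpserver/config.yml
mkdir -p /jump/jumpserver/tmp

# Fresh install only: this wipes any previous data (recordings, static files).
rm -rf /jump/jumpserver/data/*

# -d: run all jms services in the background.
./jms start all -d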

进入到koko目录

*	安装python依赖
*	启动服务
*   后台运行需添加 & 符号
* 	并将 luna 解压并设置属主

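# koko: the Go implementation of the SSH terminal component (replaces coco),
# shipped prebuilt in the repo cloned above.
cd /jump/koko || exit 1

# Fresh install only: clears any previous data.
rm -rf /jump/koko/data/*

# Run in the background, immune to this shell's hangup, with both stdout and
# stderr in the log (the original captured stdout only and assumed logs/ exists).
mkdir -p /jump/koko/logs
nohup /jump/koko/koko >>/jump/koko/logs/koko.log 2>&1 &

# luna: the web-terminal front-end served by nginx below. Extract it next to
# the other components and hand the whole tree to root -- the original chown
# was not recursive, so the extracted files kept the archive's ownership.
tar xf luna.tar.gz -C /jump/
chown -R root:root /jump/luna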

进入 guacamole windows远程功能

*	安装guacamole-server 服务
*	将服务安装到 /etc/init.d/ 下
*	将 linux-amd64.tar.gz 解压到 /bin/ 并赋予执行权限(注意:该压缩包未经校验,解压前建议先用 tar tf 检查内容)
* 	添加必要用户环境变量
* 	启动应用

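# guacamole: Windows (RDP) access. guacd is built from source; the Tomcat
# webapp and helper binaries ship prebuilt in the repo cloned above.
cd /jump/guacamole || exit 1
tar xf docker-gucamole.tar.gz
tar xf guacamole-server-1.0.0.tar.gz

# Build and install guacd. Abort on the first failure instead of running
# `make install` (as root) against a half-built tree.
cd guacamole-server-1.0.0 || exit 1
autoreconf -fi
./configure --with-init-dir=/etc/init.d || exit 1
make || exit 1
make install || exit 1
mkdir -p /jump/guacamole/lib
ldconfig

# Supply-chain caveat: this unpacks an unverified third-party archive straight
# into /bin as root. List its contents (tar tf) and pin a checksum before doing
# this on a production bastion.
tar xf /jump/guacamole/linux-amd64.tar.gz -C /bin
chmod +x /bin/ssh-forward

# Fresh install only: drop any previously generated keys.
rm -rf /jump/guacamole/keys/*

# Environment for the guacamole webapp, for this shell and for future logins.
# The original wrote the ~/.bashrc lines with typographic quotes, which bash
# does not treat as quotes, so those lines were unusable on the next login.
# BOOTSTRAP_TOKEN presumably has to match the one in /jump/jumpserver/config.yml
# -- replace the sample value in both places. Note that the token ends up in a
# plain-text shell profile; an env file readable only by root (e.g. a systemd
# EnvironmentFile) is a better home for it than ~/.bashrc.
export JUMPSERVER_SERVER=http://127.0.0.1:8080
export BOOTSTRAP_TOKEN=aa123456
export JUMPSERVER_KEY_DIR=/jump/guacamole/keys
export GUACAMOLE_HOME=/jump/guacamole
cat >>~/.bashrc <<'EOF'
export JUMPSERVER_SERVER=http://127.0.0.1:8080
export BOOTSTRAP_TOKEN=aa123456
export JUMPSERVER_KEY_DIR=/jump/guacamole/keys
export GUACAMOLE_HOME=/jump/guacamole
EOF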

启动应用

# Bring up guacd (init script installed via --with-init-dir) and the Tomcat
# webapp. To stop them: `service guacd stop` and tomcat9/bin/shutdown.sh.
service guacd start
sh /jump/guacamole/tomcat9/bin/startup.sh

安装nginx

* 	使用Openresty 
*	导入配置
*	创建web启动用户

下载openresty源码/解压/编译/安装

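# OpenResty (nginx) as the front reverse proxy. Each step aborts on failure
# instead of continuing with a missing tarball or a failed build.
# Supply-chain note: the download is over HTTPS but not pinned to a checksum or
# signature -- verify the tarball against the signature/checksum openresty.org
# publishes for the release (if available) before building on a production host.
wget https://openresty.org/download/openresty-1.15.8.1.tar.gz || exit 1
tar xf openresty-1.15.8.1.tar.gz || exit 1
cd openresty-1.15.8.1 || exit 1
./configure || exit 1
make || exit 1
make install || exit 1

# Put the nginx binary on PATH.
ln -sf /usr/local/openresty/nginx/sbin/nginx /bin/nginx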

创建 web 启动用户

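# Unprivileged account the nginx worker processes run as (`user deploy;` in the
# nginx.conf below). A system account with no login shell cannot be used
# interactively if its credentials ever leak; the guard makes this rerunnable.
id deploy >/dev/null 2>&1 || useradd -r -s /sbin/nologin deploy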

导入配置文件

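# Write the reverse-proxy config. The heredoc delimiter is quoted so nginx
# variables ($remote_addr, $uri, ...) are written literally. The original used
# an unquoted EOF and left the three proxy_set_header lines at the top of the
# server block unescaped, so they were expanded to empty strings at write time
# and nginx was handed `proxy_set_header X-Real-IP ;`, which fails `nginx -t`.
# The commented log_format (garbled in the original) is restored to nginx's
# stock definition, and server_tokens is switched off so the version is not
# advertised in headers and error pages.
cat >/usr/local/openresty/nginx/conf/nginx.conf <<'EOF'
user deploy;
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    server {
        # Single entry port; 8080/5000/8081 stay internal behind this proxy.
        # This is plain HTTP: logins and terminal traffic cross the wire in
        # clear. Terminate TLS here (listen 443 ssl) before exposing the host.
        listen 80;
        server_name localhost;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location /luna/ {
            try_files $uri / /index.html;
            alias /jump/luna/;  # luna path; change if the install dir changes
        }
        location /media/ {
            add_header Content-Encoding gzip;
            root /jump/jumpserver/data/;  # session recordings; change if the install dir changes
        }
        location /static/ {
            root /jump/jumpserver/data/;  # static assets; change if the install dir changes
        }
        location /socket.io/ {
            proxy_pass       http://localhost:5000/socket.io/;  # koko (formerly coco); use its IP if on another host
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location /coco/ {
            proxy_pass       http://localhost:5000/coco/;  # koko (formerly coco); use its IP if on another host
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # No proxy-level access log for terminal traffic; session content is
            # recorded by jumpserver itself (see /media/ above).
            access_log off;
        }
        location /guacamole/ {
            proxy_pass       http://localhost:8081/;  # guacamole; use its IP if on another host
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            access_log off;
            client_max_body_size 100m;  # upload size limit for Windows file transfer
        }

        location / {
            proxy_pass http://localhost:8080;  # jumpserver core; use its IP if on another host
        }
    }
}
EOF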

启动nginx

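# Validate the config first and only start nginx if it parses; the original
# started blindly. Use `nginx -s reload` to pick up later config changes.
nginx -t && nginx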
