jumpserver 堡垒机搭建
* 安装完成后,登录地址为:http://ip 用户名/密码:admin/admin/a
* 登录后查看终端状态,两个终端应为绿色:一个为 ssh,一个供 Windows 使用
* Windows 远程只能使用网页终端,Linux 可使用 ssh 远程操作
* 创建管理用户->系统用户->创建资产->授权用户->登录测试
* ssh登录 : ssh 用户名@服务器ip -p 端口(未修改端口为:2222) 例;ssh [email protected] -p 2222 输入密码即可
* 详细使用教程请到jumpserver官网查看
## 备注
* 该文档使用的为固定版本,只需拉取项目,安装好依赖便可直接启动使用;
* 原项目中使用的 COCO 已改用 Go 语言版本并编译打包好,进行配置即可启动使用;
* 使用文档请到正版本作者下查看;
* 文中所有代码均为搭建测试使用;
* 系统使用到java
* 使用数据库名: jumpserver 用户名: jumpserver 密码: aa123456
* 关闭系统 SELinux(设置为 disabled)
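# --- SELinux and base packages ------------------------------------------------
# setenforce 0 puts SELinux into permissive mode for the running kernel; the sed
# below makes "disabled" permanent at the next boot. This removes a confinement
# layer from a host that will hold credentials for every managed server; keeping
# SELINUX=permissive would retain the audit trail (TODO confirm the stack runs
# under permissive — the page only documents disabled).
setenforce 0
# Plain ASCII quotes: the original used typographic quotes (“…”), which bash
# treats as ordinary characters, so sed received an invalid script and the file
# was never changed. Anchoring on SELINUX= avoids touching the comment lines
# that also contain the word "enforcing".
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
yum -y update
yum -y install wget gcc epel-release git python36 python36-devel redis mariadb mariadb-devel mariadb-server
# Directory the freerdp symlink points at (-p makes the step re-runnable).
mkdir -p /usr/local/lib/freerdp/
ln -s /usr/local/lib/freerdp /usr/lib64/freerdp
# NOTE(review): the nux-dextop signing key and the release RPM are both fetched
# over plain HTTP from the same host, so an on-path attacker could supply a
# matching key + package pair. Compare the imported key's fingerprint with one
# obtained out of band (placeholder: <NUX_RO_KEY_FINGERPRINT>) before going on.
rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
# --nogpgcheck turns off signature verification for the two rpmfusion release
# packages; HTTPS protects the transport only, not the publisher.
yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm
# Build and runtime dependencies for guacamole-server and the Java front end.
yum -y install java-1.8.0-openjdk libtool cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript
# NOTE(review): redis and mariadb start with distribution defaults; the page
# shows no redis auth or bind configuration — confirm both listen on loopback
# only before this host is reachable from the network.
systemctl start redis
systemctl enable redis
systemctl start mariadb
systemctl enable mariadb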
* 登录数据库: mysql -uroot
* 创建数据库: create database jumpserver default charset 'utf8';
* 授权用户: grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'aa123456';
* 生效: flush privileges;
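# --- Project checkout inside a Python virtualenv ------------------------------
mkdir -p /jump
cd /jump || exit 1
python3.6 -m venv py
# shellcheck disable=SC1091 -- activation script is generated by the venv above
source /jump/py/bin/activate
# NOTE(review): these repositories are a personal fork on git.dev.tencent.com,
# not the upstream jumpserver project (the page itself points to the original
# author for documentation). Review the fork and pin a reviewed commit before
# deploying, e.g. `git -C /jump/jumpserver checkout <REVIEWED_COMMIT>`.
git clone https://git.dev.tencent.com/wolfwolf/jumpserver.git
git clone https://git.dev.tencent.com/wolfwolf/koko.git
git clone https://git.dev.tencent.com/wolfwolf/guacamole.git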
* 安装rpm依赖
* 安装python依赖
* 启动服务查看是否正常
* 必须在 Python 虚拟环境(venv)下启动
* 启动jms服务加-d后台运行
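# --- jumpserver core service --------------------------------------------------
cd /jump/jumpserver || exit 1
# rpm_requirements.txt holds one package name per line; word-splitting is the
# intended way to turn it into arguments here.
# shellcheck disable=SC2046
yum install -y $(cat /jump/jumpserver/requirements/rpm_requirements.txt)
# NOTE(review): the fork's requirements.txt is installed unpinned-by-hash; a
# hash-pinned file (pip --require-hashes) would tie the build to reviewed wheels.
pip install -r /jump/jumpserver/requirements/requirements.txt
# The original destination was /jump/jump/jumpserver/config.yml — a directory
# that does not exist — so the template was never copied and the service would
# have started without its config.
cp /jump/jumpserver/config.yml_bak /jump/jumpserver/config.yml
# config.yml presumably carries the service secrets (TODO confirm its contents);
# jms is started by root below, so root-only permissions do not break it.
chmod 600 /jump/jumpserver/config.yml
mkdir -p /jump/jumpserver/tmp
# Clears bundled runtime data; the absolute path keeps the glob from expanding
# relative to an unexpected working directory.
rm -rf /jump/jumpserver/data/*
# -d: run jms in the background. Must run inside the venv activated earlier.
./jms start all -d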
* 安装python依赖
* 启动服务
* 后台运行需添加 & 符号
* 将 luna 解压并授权
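# --- koko (Go terminal gateway) and luna (web front end) ----------------------
cd /jump/koko || exit 1
rm -rf /jump/koko/data/*
# The redirect below fails if logs/ is missing; create it first.
mkdir -p /jump/koko/logs
# NOTE(review): koko is a prebuilt binary shipped in the fork, run here as root
# with no checksum check; confirm its origin and consider a dedicated service
# account. stderr is captured too so startup errors are not lost when the
# terminal closes.
/jump/koko/koko >>/jump/koko/logs/koko.log 2>&1 &
# luna is served by nginx as static files from /jump/luna (see nginx config).
tar xf /jump/koko/luna.tar.gz -C /jump/
chown root:root /jump/luna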
* 安装guacamole-server 服务
* 将服务安装到 /etc/init.d/ 下
* 将 linux-amd64.tar.gz 解压到 /bin/ 并授予执行权限
* 添加必要用户环境变量
* 启动应用
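# --- guacamole-server (guacd) and the Tomcat-hosted client ---------------------
cd /jump/guacamole || exit 1
tar xf docker-gucamole.tar.gz
tar xf guacamole-server-1.0.0.tar.gz
cd guacamole-server-1.0.0 || exit 1
autoreconf -fi
# --with-init-dir installs the guacd SysV script into /etc/init.d.
./configure --with-init-dir=/etc/init.d
make && make install
mkdir -p /jump/guacamole/lib
ldconfig
# NOTE(review): installs a prebuilt ssh-forward binary from the fork's tarball
# straight into /bin as root, with no checksum or signature on the page; verify
# the archive against a digest you obtained out of band (placeholder:
# <LINUX_AMD64_TARBALL_SHA256>) before extracting.
tar xf /jump/guacamole/linux-amd64.tar.gz -C /bin
chmod +x /bin/ssh-forward
# Presumably forces fresh key material on first start — TODO confirm.
rm -rf /jump/guacamole/keys/*
# Environment the guacamole side reads to reach jumpserver. The original used
# typographic quotes around the echoed text, so ~/.bashrc received literal
# “export …” lines that fail with "command not found" at every login.
export JUMPSERVER_SERVER=http://127.0.0.1:8080
export BOOTSTRAP_TOKEN=aa123456
export JUMPSERVER_KEY_DIR=/jump/guacamole/keys
export GUACAMOLE_HOME=/jump/guacamole
# NOTE(review): BOOTSTRAP_TOKEN looks like a registration credential; persisting
# it in ~/.bashrc (and in this script and shell history) exposes it to anyone
# with root's shell environment. Prefer a mode-600 env file read only by the
# service, and replace the page's sample value in any real deployment.
{
  printf 'export %s\n' \
    'JUMPSERVER_SERVER=http://127.0.0.1:8080' \
    'BOOTSTRAP_TOKEN=aa123456' \
    'JUMPSERVER_KEY_DIR=/jump/guacamole/keys' \
    'GUACAMOLE_HOME=/jump/guacamole'
} >> ~/.bashrc
/etc/init.d/guacd start  # stop with: /etc/init.d/guacd stop
# Tomcat is started as root here; a dedicated unprivileged account is safer.
sh /jump/guacamole/tomcat9/bin/startup.sh  # stop with: shutdown.sh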
* 使用Openresty
* 导入配置
* 创建web启动用户
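# --- OpenResty reverse proxy in front of jumpserver/luna/koko/guacamole ----------
# The tarball is fetched over HTTPS but neither a checksum nor a PGP signature
# is checked; compare against the published digest (placeholder:
# <OPENRESTY_1.15.8.1_SHA256>) before building.
wget https://openresty.org/download/openresty-1.15.8.1.tar.gz \
  && tar xf openresty-1.15.8.1.tar.gz \
  && cd openresty-1.15.8.1 \
  && ./configure && make && make install
ln -sf /usr/local/openresty/nginx/sbin/nginx /bin/nginx
# Worker account for nginx: a system user with no login shell (least privilege;
# nothing on the page needs an interactive "deploy" login).
useradd -r -s /sbin/nologin deploy
# The heredoc delimiter is quoted so nginx variables ($remote_addr, $host, …)
# are written literally. With the original unquoted EOF, the unescaped ones on
# the server-level proxy_set_header lines were expanded by bash to empty
# strings, yielding "proxy_set_header X-Real-IP ;" — a config nginx rejects.
# NOTE(review): the only listener is plain HTTP on :80; a bastion's web console
# carries credentials and session data and should be served over TLS (listen
# 443 ssl with a certificate) with :80 redirecting.
cat >/usr/local/openresty/nginx/conf/nginx.conf <<'EOF'
user deploy;
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80; # 代理端口,以后将通过此端口进行访问,不再通过8080端口
server_name localhost;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location /luna/ {
try_files $uri / /index.html;
alias /jump/luna/; # luna 路径,如果修改安装目录,此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /jump/jumpserver/data/; # 录像位置,如果修改安装目录,此处需要修改
}
location /static/ {
root /jump/jumpserver/data/; # 静态资源,如果修改安装目录,此处需要修改
}
location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/; # 如果coco安装在别的服务器,请填写它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /coco/ {
proxy_pass http://localhost:5000/coco/; # 如果coco安装在别的服务器,请填写它的ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/; # 如果guacamole安装在别的服务器,请填写它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
access_log off;
client_max_body_size 100m; # Windows 文件上传大小限制
}
location / {
proxy_pass http://localhost:8080; # 如果jumpserver安装在别的服务器,请填写它的ip
}
}
}
EOF
# Validate the generated config before starting; use `nginx -s reload` to
# re-read it later.
nginx -t && nginx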