jumpserver 堡垒机搭建

2023-01-06

Jumpserver 开源堡垒机搭建
- 实现开发、运维登陆内部服务器,方便管理

部署步骤
- 环境介绍
- 安装部署
- 跨区域分布式

1.0 环境介绍

主机名	IP地址	域名
sa-vm-jms-10-128	172.16.10.128	jms.ink8s.com
sa-vm-test-10-126	172.16.10.126	——
sa-ali-jms	47.112.161.x	——

2.0 安装部署

2.1 基础包安装

包安装

# 阿里repo仓库
rm -f /etc/yum.repos.d/*
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
yum -y install epel-release

# 基础包安装
yum -y install vim wget gcc git

# jumpserver 依赖于redis
yum -y install redis
sed -i '480c requirepass pass' /etc/redis.conf
systemctl start redis && systemctl enable redis

2.2 安装maridb数据库

yum -y install mariadb mariadb-devel mariadb-server MariaDB-shared
systemctl start mariadb && systemctl enable mariadb
mysql_secure_installation
Enter current password for root (enter for none):           # 无密码,直接回车
Set root password? [Y/n] Y
New password: 
Re-enter new password: 
mysql -uroot -ppass -A                                      # 用来登陆
MariaDB [(none)]> create database jumpserver default charset 'utf8';

2.3 安装python 3,建立python虚拟环境

python3.6安装

1 2	yum -y update python python-devel yum -y install python36 python36-devel

jumpserver 下载

wget https://github.com/jumpserver/jumpserver/archive/v2.1.0.tar.gz               # 源码 2.1.0
tar -xf v2.1.0.tar.gz 
mv jumpserver-2.1.0 /usr/local/jumpserver
yum -y install $(cat /usr/local/jumpserver/requirements/rpm_requirements.txt)

建立虚拟环境

cd /usr/local/
python3.6 -m venv py3                                                             # 创建虚拟环境
source /usr/local/py3/bin/activate                                                # 开启虚拟环境
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/   # 升级pip
# 如安装报错缺乏依赖,直接手动pip install 依赖包。然后再重新执行此行命令直到完成安装
pip install -r /usr/local/jumpserver/requirements/requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

更改Jumpserver配置

cd /usr/local/jumpserver
cp config_example.yml config.yml
SECRET_KEY=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50)
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16)
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
cat ~/.bashrc
    # SECRET_KEY=YaOIm1WxJqriaY8ir3WExkQA3b77E869Am4c6nChB37d65LTQ8
    # BOOTSTRAP_TOKEN=6Un1VIwaP5CZPVmp

# vim config.yml
4 SECRET_KEY: YaOIm1WxJqriaY8ir3WExkQA3b77E869Am4c6nChB37d65LTQ8
8 BOOTSTRAP_TOKEN: 6Un1VIwaP5CZPVmp
12 DEBUG: false
16 LOG_LEVEL: ERROR
22 SESSION_EXPIRE_AT_BROWSER_CLOSE: true
37 DB_USER: root
38 DB_PASSWORD: pass
52 REDIS_PASSWORD: pass

启动Jumpserver

1 2	# ./jms start -d # ./jms start \| stop \| status \| all

2.4 coco jms_guacamole安装

安装docker环境

yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum -y install docker-ce
systemctl enable docker
mkdir -p /etc/docker
wget -O /etc/docker/daemon.json http://demo.jumpserver.org/download/docker/daemon.json
systemctl restart docker

运行coco和jms_guacamole

1
2
3

docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://172.16.10.128:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e LOG_LEVEL=ERROR --restart=always jumpserver/jms_koko:2.1.0
docker run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://172.16.10.128:8080 -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN -e GUACAMOLE_LOG_LEVEL=ERROR --restart=always jumpserver/jms_guacamole:2.1.0
docker ps

2.5 Jumpserver前端安装

cd /usr/local/
wget https://demo.jumpserver.org/download/luna/v2.1.0/luna-v2.1.0.tar.gz
tar -xf luna-v2.1.0.tar.gz
mv luna-v2.1.0 luna
chown -R root:root luna

wget https://demo.jumpserver.org/download/lina/v2.1.0/lina-v2.1.0.tar.gz
tar -xf lina-v2.1.0.tar.gz 
mv lina-v2.1.0 lina
chown -R root.root lina

nginx配置

yum -y install nginx
systemctl enable nginx
mkdir -p /etc/nginx/conf.d/vweb/
# vim /etc/nginx/nginx.conf
 36     #include /etc/nginx/conf.d/*.conf;
 37     include /etc/nginx/conf.d/vweb/*.conf;
# 注释掉server段

// jumpserver nginx 2.1.0 配置文件: https://demo.jumpserver.org/download/nginx/conf.d/2.1.0/
# vim /etc/nginx/conf.d/vweb/jumpserver.conf
server {
    listen	  80;
    server_name   jms.ink8s.com;

    # http 301跳转到https
    return        301 https://$server_name$request_uri;
}

server {
    listen        443 ssl http2 default_server;
    listen        [::]:443 ssl http2 default_server;
    server_name   jms.ink8s.com;

    # https证书配置
    ssl_certificate "/etc/nginx/conf.d/cert/jms.ink8s.com.pem";
    ssl_certificate_key "/etc/nginx/conf.d/cert/jms.ink8s.com.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;


    server_tokens off;
    ssl_protocols TLSv1.2;
 
    client_max_body_size 100m;
 
    location /ui/ {
        try_files $uri / /index.html;
        alias /usr/local/lina/;
        expires 24h;
    }
 
    location /luna/ {
        try_files $uri / /index.html;
        alias /usr/local/luna/;
        expires 24h;
    }
 
    location /media/ {
        add_header Content-Encoding gzip;
        root /usr/local/jumpserver/data/;
    }
 
    location /static/ {
        root /usr/local/jumpserver/data/;
        expires 24h;
    }
 
    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #access_log off;
    }
 
    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #access_log off;
    }
 
    location /ws/ {
    proxy_pass http://localhost:8070;
    proxy_buffering off;
        proxy_http_version 1.1;
    proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
 
    location /api/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8080;
    }
 
    location /core/ {
    proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8080;
    }
 
    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
# systemctl restart nginx

3.0 web配置

3.1 web页面配置

登陆web

1 2	https://jms.ink8s.com 默认用户名密码: admin:admin

3.2 用户类型

登录用户: 登录jms账号的用户,可将用户分配到组方便管理,可接入OpenLDAP
系统用户: 堡垒机跳转到服务器的用户,jms会将系统用户推送到每台服务器客户端上
管理用户: 服务器的所有操作权


ssh-keygan -t rsa
sz /root/.ssh/id_rsa

upload successful

3.3 添加资产

下发秘钥

1 2	ssh-copy-id 172.16.10.128 ssh-copy-id 172.16.10.129

upload successful

3.4 添加系统用户

upload successful

3.5 资产授权

upload successful

本文作者： [email protected]
本文链接： https://www.ink8s.com/2023/01/06/jumpserver-堡垒机搭建/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！