本次部署基于 Jumpserver 官方安装文档整理 (原文链接在此页面中已丢失, 以下步骤请与官方文档对应版本核对)

组件说明

  • Jumpserver 为管理后台, 管理员可以通过 Web 页面进行资产管理、用户管理、资产授权等操作, 用户可以通过 Web 页面进行资产登录, 文件管理等操作

  • koko 为 SSH Server 和 Web Terminal Server 。用户可以使用自己的账户通过 SSH 或者 Web Terminal 访问 SSH 协议和 Telnet 协议资产

  • Luna 为 Web Terminal Server 前端页面, 用户使用 Web Terminal 方式登录所需要的组件

  • Guacamole 为 RDP 协议和 VNC 协议资产组件, 用户可以通过 Web Terminal 来连接 RDP 协议和 VNC 协议资产 (暂时只能通过 Web Terminal 来访问)

端口配置

  • Jumpserver 默认 Web 端口为 8080/tcp, 默认 WS 端口为 8070/tcp, 配置文件 jumpserver/config.yml
  • koko 默认 SSH 端口为 2222/tcp, 默认 Web Terminal 端口为 5000/tcp 配置文件在 koko/config.yml
  • Guacamole 默认端口为 8081/tcp, 配置文件 /config/tomcat9/conf/server.xml
  • Nginx 默认端口为 80/tcp,443/tcp
  • Redis 默认端口为 6379/tcp
Protocol Server name IP Port
TCP Jumpserver 172.100.0.1(docker bridge 网关, 即宿主机在容器网络中的地址; 核心必须监听该地址, 容器和 Nginx 才能访问到它) 8070(ws), 8080(http)
TCP koko 172.100.0.3(容器网络对应IP, 与 compose 文件中 koko 的 ipv4_address 一致) 2222, 5000
TCP Guacamole 172.100.0.2(容器网络对应IP, 与 compose 文件中 guacamole 的 ipv4_address 一致) 8081(宿主机 127.0.0.1 映射端口, 容器内为 8080)
本地文件 sqlite3 非网络服务, db路径:/data/jumpserver/jumpserver/jumpserver.db (堡垒机数据, 注意文件权限)
TCP Redis 127.0.0.1 6379 (仅本机监听, 不要去掉 bind 127.0.0.1)
TCP Nginx 0.0.0.0 80,443

组件安装配置

Redis配置

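yum -y install redis

# Harden /etc/redis.conf BEFORE the first start.
# - Keep the stock `bind 127.0.0.1`. Per the port table above the only Redis
#   client is the Jumpserver core on this host, so Redis must not listen on the
#   docker bridge (172.100.0.0/24) or any external interface. The original page
#   said to comment the bind line out: with only a password protecting it that
#   exposes 6379 to every network the host is attached to.
# - Use a random password instead of a fixed/weak one. It must be copied into
#   REDIS_PASSWORD in jumpserver/config.yml (the core otherwise cannot connect).
grep -q '^bind 127.0.0.1' /etc/redis.conf \
  || printf 'WARNING: bind line missing/changed in /etc/redis.conf - keep it loopback-only\n' >&2
REDIS_PASSWORD=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
printf 'requirepass %s\n' "$REDIS_PASSWORD" >>/etc/redis.conf
# Eviction policy, as in the original. Note: allkeys-lru only acts once
# `maxmemory` is set (it is not set here); if you do set a limit, it may evict
# Jumpserver session/task keys.
printf 'maxmemory-policy allkeys-lru\n' >>/etc/redis.conf

systemctl enable redis
systemctl start redis
systemctl status redis
printf 'REDIS_PASSWORD=%s (needed for REDIS_PASSWORD in jumpserver config.yml)\n' "$REDIS_PASSWORD"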

sqlite3配置

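# SQLite >= 3.8.3 is required; CentOS 7 ships 3.7.17, so build a newer one.
cd /usr/local/src
wget https://www.sqlite.org/2019/sqlite-autoconf-3300100.tar.gz
# Verify the tarball against the hash published on sqlite.org's download page
# for this release before building it (TODO: add the expected hash and check).
tar zxvf sqlite-autoconf-3300100.tar.gz
# The original skipped the build step, so /usr/local/bin/sqlite3 never existed.
cd sqlite-autoconf-3300100
./configure --prefix=/usr/local && make && make install
cd /usr/local/src
/usr/local/bin/sqlite3 -version
# -f: CentOS 7 already has /usr/bin/sqlite3 (3.7.17); a plain `ln -s` fails on it.
ln -sf /usr/local/bin/sqlite3 /usr/bin/sqlite3
sqlite3 --version

ln -sf /usr/local/lib/libsqlite3.so /usr/lib/libsqlite3.so

# Make python pick up the new library. NOTE: ~/.bashrc only affects interactive
# root shells; whatever eventually runs the core non-interactively (a systemd
# unit, cron, ...) needs the same LD_LIBRARY_PATH in its own environment.
grep -q 'LD_LIBRARY_PATH="/usr/local/lib"' ~/.bashrc \
  || printf 'export LD_LIBRARY_PATH="/usr/local/lib"\n' >>~/.bashrc
source ~/.bashrc

# Create the empty database file non-interactively (the original
# `sqlite3 jumpserver.db` drops into an interactive shell).
# NOTE: /data/jumpserver/jumpserver is the `git clone` target in the next
# section; a pre-existing directory with files in it makes that clone fail, so
# run this line only after the clone. Owner-only permissions: this is the
# bastion's data store.
cd /data/jumpserver/jumpserver \
  && sqlite3 jumpserver.db 'SELECT sqlite_version();' \
  && chmod 600 jumpserver.db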

Jumpserver 配置

#安装 Python3.6
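# Python 3.6 and a dedicated virtualenv
yum -y install python36 python36-devel

cd /data/jumpserver/
# The original line read `python3.6 -m venv py3_venv# py3 ...` with no space
# before '#', so the comment words became extra venv paths. Name is arbitrary.
python3.6 -m venv py3_venv
source py3_venv/bin/activate  # `deactivate` leaves the venv; everything below runs inside it
# The prompt now starts with "(py3_venv)". Re-run the `source` line in every new
# shell before running Jumpserver.

# Fetch the core. The koko/guacamole images below are pinned to 1.5.6; an
# unpinned master clone will drift from them, so add `--branch <release tag>`
# (tag name per the project's releases page) to match.
cd /data/jumpserver/
git clone --depth=1 https://github.com/jumpserver/jumpserver.git

# RPM and Python dependencies, versions as pinned in the repo's requirements files.
# shellcheck disable=SC2046 -- the file is a whitespace-separated package list
yum -y install $(cat /data/jumpserver/jumpserver/requirements/rpm_requirements.txt)
pip install wheel
pip install --upgrade pip setuptools
# On errors (usually a third-party version pin), adjust the pin and re-run.
pip install -r /data/jumpserver/jumpserver/requirements/requirements.txt

# config.yml. The original did `cd /opt/jumpserver` here, but the repo lives in
# /data/jumpserver/jumpserver, which every sed below already assumed.
cd /data/jumpserver/jumpserver
cp config_example.yml config.yml
chmod 600 config.yml  # it will hold SECRET_KEY, BOOTSTRAP_TOKEN and the Redis password

# Only [A-Za-z0-9] is generated, so the values are safe inside the sed
# replacement strings below.
SECRET_KEY=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 50)
BOOTSTRAP_TOKEN=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
export BOOTSTRAP_TOKEN  # the component containers need the same token
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" config.yml
# Dropped from the original: `sed ... "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" .../config.yml/`.
# $DB_PASSWORD was never set and the trailing '/' makes sed fail; with sqlite3
# there is no database password at all.

# Storage: sqlite3 instead of the mysql DB_* keys. The patterns accept the key
# either commented out or active; the grep checks the edit really landed.
sed -i -E 's|^#? ?DB_ENGINE: .*|DB_ENGINE: sqlite3|' config.yml
sed -i -E 's|^#? ?DB_NAME: .*|DB_NAME: /data/jumpserver/jumpserver/jumpserver.db|' config.yml
grep -q '^DB_ENGINE: sqlite3' config.yml || printf 'set DB_ENGINE/DB_NAME by hand in config.yml\n' >&2

# Redis password: must match `requirepass` in /etc/redis.conf (the key name in
# config_example.yml is assumed to be REDIS_PASSWORD - verify with the grep).
sed -i -E "s|^#? ?REDIS_PASSWORD: .*|REDIS_PASSWORD: ${REDIS_PASSWORD:?set to the redis requirepass value}|" config.yml
grep -q '^REDIS_PASSWORD: ' config.yml || printf 'set REDIS_PASSWORD by hand in config.yml\n' >&2

# Bind address. The original set 127.0.0.1, but koko, Guacamole (CORE_HOST /
# JUMPSERVER_SERVER = http://172.100.0.1:8080) and the nginx proxy_pass targets
# all reach the core on 172.100.0.1, the docker bridge gateway - bound to
# loopback only, none of them can connect. Bind to the gateway address (it
# exists once the compose network is up, so start the containers first).
# 0.0.0.0 also works but then 8080/8070 must be firewalled from the outside.
# Assumes the ws listener (8070) honours the same setting - confirm in the core.
sed -i -E 's|^#? ?HTTP_BIND_HOST: .*|HTTP_BIND_HOST: 172.100.0.1|' config.yml
grep -q '^HTTP_BIND_HOST: 172.100.0.1' config.yml || printf 'set HTTP_BIND_HOST by hand in config.yml\n' >&2

# These also live in config.yml (keep a backup of SECRET_KEY: data encrypted
# with it is unrecoverable without it). They are printed to the terminal, so
# clear scrollback/log afterwards if the session is recorded.
echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"

vi config.yml  # final review of the whole file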

koko 和 Guacamole 配置

  • 直接采用docker部署

    #拉取镜像
    # Pull the two component images at the same pinned release.
    # (A digest pin - image@sha256:... - would make the pull reproducible; none is given here.)
    for component in jms_koko jms_guacamole; do
      docker pull "docker.io/jumpserver/${component}:1.5.6"
    done
    
  • docker-compose file

    vim /data/jumpserver/docker-jumpserver-compose.yml
    #写入如下内容
    

    docker-jumpserver-compose.yml 内容如下:

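    version: "3"
    # Both components reach the core at the docker bridge gateway (172.100.0.1),
    # so the core's HTTP_BIND_HOST must include that address - a core bound to
    # 127.0.0.1 only is unreachable from these containers.
    services:
      guacamole:
        image: 'docker.io/jumpserver/jms_guacamole:1.5.6'
        restart: on-failure:3
        environment:
            JUMPSERVER_SERVER: 'http://172.100.0.1:8080'
            # Substituted by docker-compose from the environment or a .env file in
            # the directory it is run from; the original pasted the secret into this
            # file, which tends to get copied or committed.
            BOOTSTRAP_TOKEN: '${BOOTSTRAP_TOKEN}'
        ports:
          - '127.0.0.1:8081:8080'   # loopback only: nginx on this host is the sole client
        networks:
          jumpserver:
            ipv4_address: 172.100.0.2
        #volumes:
        #  - '/etc/localtime:/etc/localtime:ro'
        #  - '/etc/timezone:/etc/timezone'
      koko:
        image: 'docker.io/jumpserver/jms_koko:1.5.6'
        restart: on-failure:3
        environment:
            CORE_HOST: 'http://172.100.0.1:8080'
            BOOTSTRAP_TOKEN: '${BOOTSTRAP_TOKEN}'
        ports:
          # Web terminal. The nginx /koko/ location proxies to 127.0.0.1:5000 and the
          # port table lists 5000; the original mapped 5100, which nothing used.
          - '127.0.0.1:5000:5000'
          # User-facing SSH bastion port, intentionally reachable from outside.
          # Restrict it at the firewall if users come from known networks only.
          - '2222:2222'
        networks:
          jumpserver:
            ipv4_address: 172.100.0.3
    networks:
      jumpserver:
        driver: bridge
        ipam:
          driver: default
          config:
            # Network address; the original '172.100.0.1/24' is a host address
            # (docker normalises it, but be explicit). Gateway: 172.100.0.1.
            - subnet: 172.100.0.0/24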
    # Start / stop the component containers under the compose project name "jumpserver".
    cd /data/jumpserver/
    compose_file=docker-jumpserver-compose.yml
    # start (detached)
    docker-compose -f "$compose_file" -p jumpserver up -d
    # stop:
    #   docker-compose -f "$compose_file" -p jumpserver down
    

nginx配置

vim /usr/local/nginx/conf/vhost/jms.test.com.conf

#nginx配置内容
...
server
{
	listen 80;
	server_name  jms.test.com;
	access_log off;
	# Plain HTTP only redirects (301) to the TLS vhost. The target host is a fixed
	# name rather than $host, so a forged Host header cannot steer the redirect.
	return       301 https://jms.test.com$request_uri;
}

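server
{
        # `ssl on;` is deprecated: enable TLS on the listen directive instead.
        listen 443 ssl;
        server_name jms.test.com;
        ssl_certificate /usr/local/nginx/conf/cert/214235695130621.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert/214235695130621.key;
        ssl_session_timeout 5m;
        # TLSv1/1.1 and the original broad list (ECDHE:ECDH:AES:HIGH - static ECDH
        # and CBC suites, forward secrecy not guaranteed) are dropped: ECDHE + AEAD
        # only. Add TLSv1.3 to ssl_protocols if this nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;
        # Keep browsers on https after the first visit (the :80 vhost only redirects).
        # add_header is not inherited by a location that sets its own add_header
        # (/media/ below), so it is repeated there.
        add_header Strict-Transport-Security "max-age=31536000" always;

        # (The original `set $node_port 8100;` was referenced nowhere and is removed.)

        client_max_body_size 100m;  # recording / file-upload size limit

        location /luna/ {
                try_files $uri / /index.html;
                alias /data/jumpserver/luna/;  # luna path; change if the install dir changes
        }

        location /media/ {
                add_header Content-Encoding gzip;
                add_header Strict-Transport-Security "max-age=31536000" always;
                root /data/jumpserver/jumpserver/data/;  # session recordings; change if the install dir changes
        }

        location /static/ {
                root /data/jumpserver/jumpserver/data/;  # static assets; change if the install dir changes
        }

        # koko web terminal: the container publishes it on 127.0.0.1:5000 (websocket).
        location /koko/ {
                proxy_pass       http://127.0.0.1:5000;
                proxy_buffering off;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                access_log off;
        }

        # Guacamole (RDP/VNC): the container publishes it on 127.0.0.1:8081.
        location /guacamole/ {
                proxy_pass       http://127.0.0.1:8081/;
                proxy_buffering off;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_connection;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                access_log off;
        }

        # Core websocket (8070) and HTTP (8080) on the docker bridge gateway. The
        # core must be bound to 172.100.0.1 (or 0.0.0.0), not 127.0.0.1 only,
        # otherwise every request through these two locations fails with 502.
        location /ws/ {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://172.100.0.1:8070;
                proxy_http_version 1.1;
                proxy_buffering off;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }

        location / {
                proxy_pass http://172.100.0.1:8080;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Tells the core (plain HTTP upstream) that the client connection was
                # TLS; whether the core consults this header should be confirmed.
                proxy_set_header X-Forwarded-Proto $scheme;
        }

        access_log logs/jms_access.log;
        error_log  logs/jms_error.log;
}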
...