運維平臺之--nginx反向代理jumpserver服務器獲取客戶端真實ip

部暑環境：

nginx: 外網 203.95.193.119 內網 172.10.11.108

jumpserver: 外網203.95.193.121 內網 172.10.11.104

實驗目的：

1、jumpserver禁止使用ip來訪問web頁面，通過域名來訪問

2、nginx反向代理jumpserver，jumpserver獲取客戶端真實的訪問ip

1、jumpserver安裝部暑(203.95.193.121)

http://docs.jumpserver.org/zh/master/setup_by_centos.html ＃jumpserver官方安裝文檔

1.1、環境準備

# firewall-cmd --zone=public --add-port=8080/tcp --permanent # nginx 訪問端口

# firewall-cmd --zone=public --add-port=2222/tcp --permanent # 用戶ssh登錄端口 coco

# firewall-cmd --reload #重新載入規則

#關閉selinux

# setenforce 0

# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config

修改字符集, 否則可能報 input/output error的問題, 因為日誌裡打印了中文

# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8

# export LC_ALL=zh_CN.UTF-8

# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf

1.2、準備 Python3 和 Python 虛擬環境

1.2.1、安裝依賴包

yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

1.2.2、編譯安裝python

cd /opt

wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz

tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1

./configure && make && make install

1.2.3、建立 Python 虛擬環境

cd /opt

python3.6 -m venv py3

source /opt/py3/bin/activate ＃進入虛擬環境

deactivate #退出虛擬環境

rmvirtualenv venv #刪除虛擬環境

1.2.4、自動載入 Python 虛擬環境配置

cd /opt

yum update -y nss curl libcurl

git clone https://github.com/kennethreitz/autoenv.git

echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc

source ~/.bashrc

1.3、安裝 Jumpserver

1.3.1、下載或 Clone 項目

cd /opt/

git clone https://github.com/jumpserver/jumpserver.git

1.3.2、安裝依賴 RPM 包

cd /opt/jumpserver/requirements

yum -y install $(cat rpm_requirements.txt) # 如果沒有任何報錯請繼續

1.3.3、安裝 Python 庫依賴

pip install --upgrade pip setuptools

pip install -r requirements.txt # 如果沒有任何報錯請繼續

# 如果下載速度很慢, 可以換國內源

pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/

pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

1.3.4、安裝 redis, jumpserver 使用 redis做cache和 celery broke

yum -y install redis

systemctl enable redis

systemctl start redis

# centos6

$ yum -y install redis

$ chkconfig redis on

$ service redis start

1.3.5、安裝 MySQL

yum -y install yum-utils

配置yum源：

cat /etc/yum.repos.d/mysql.repo

# Enable to use MySQL 5.7

[mysql57-community]

name=MySQL 5.7 Community Server

baseurl=http://repo.mysql.com/yum/mysql-5.7-community/el/7/$basearch/

enabled=1

gpgcheck=0

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql

查看可安裝的mysql版本:

yum repolist all|grep mysql

yum install mysql-community-server -y

systemctl start mysqld

systemctl status mysqld

1.3.6 創建數據庫 Jumpserver 並授權

grep 'temporary password' /var/log/mysqld.log #查看初始密碼

$ mysql -uroot -p

> ALTER USER 'root'@'localhost' IDENTIFIED BY 'Jumpserver123!';

> create database jumpserver default charset 'utf8';

> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'WeakPW12!';

> grant all on jumpserver.* to 'jumpserver'@'localhost' identified by 'WeakPW12!';

> flush privileges;

1.3.7、修改 Jumpserver 配置文件

$ cd /opt/jumpserver

$ source /opt/py3/bin/activate #切換到python虛擬環境

$ cp config_example.yml config.yml

$ SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50` # 生成隨機SECRET_KEY

$ echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc

$ BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16` # 生成隨機BOOTSTRAP_TOKEN

$ echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc

$ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml

$ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml

$ sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml

$ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml

$ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml

$ sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml #這個不用配置，單獨配置mysql密碼

$ echo -e "\\033[31m 你的SECRET_KEY是 $SECRET_KEY \\033[0m"

$ echo -e "\\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \\033[0m"

$ vi config.yml # 確認內容有沒有錯誤

# SECURITY WARNING: keep the secret key used in production secret!

# 加密秘鑰 生產環境中請修改為隨機字符串, 請勿外洩

SECRET_KEY:

# SECURITY WARNING: keep the bootstrap token used in production secret!

# 預共享Token coco和guacamole用來註冊服務賬號, 不在使用原來的註冊接受機制

BOOTSTRAP_TOKEN:

# Development env open this, when error occur display the full process track, Production disable it

# DEBUG 模式 開啟DEBUG後遇到錯誤時可以看到更多日誌

DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/

# 日誌級別

LOG_LEVEL: ERROR

# LOG_DIR:

# Session expiration setting, Default 24 hour, Also set expired on on browser close

# 瀏覽器Session過期時間, 默認24小時, 也可以設置瀏覽器關閉則過期

# SESSION_COOKIE_AGE: 86400

SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres ....

# 數據庫設置

# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:

# 使用單文件sqlite數據庫

# DB_ENGINE: sqlite3

# DB_NAME:

# MySQL or postgres setting like:

# 使用Mysql作為數據庫

DB_ENGINE: mysql

DB_HOST: 127.0.0.1

DB_PORT: 3306

DB_USER: jumpserver

DB_PASSWORD: WeakPW12! #配置mysql密碼

DB_NAME: jumpserver

# When Django start it will bind this host and port

# ./manage.py runserver 127.0.0.1:8080

# 運行時綁定端口

HTTP_BIND_HOST: 0.0.0.0

HTTP_LISTEN_PORT: 8082 #jumpserver偵聽端口

# Use Redis as broker for celery and web socket

# Redis配置

REDIS_HOST: 127.0.0.1

REDIS_PORT: 6379

# REDIS_PASSWORD:

# REDIS_DB_CELERY: 3

# REDIS_DB_CACHE: 4

# Use OpenID authorization

# 使用OpenID 來進行認證設置

# BASE_SITE_URL: http://localhost:8080

# AUTH_OPENID: false # True or False

# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/

# AUTH_OPENID_REALM_NAME: realm-name

# AUTH_OPENID_CLIENT_ID: client-id

# AUTH_OPENID_CLIENT_SECRET: client-secret

# OTP settings

# OTP/MFA 配置

# OTP_VALID_WINDOW: 0

# OTP_ISSUER_NAME: Jumpserver

1.3.8、運行 Jumpserver

$ cd /opt/jumpserver

$ ./jms start all -d # 後臺運行使用 -d 參數./jms start all -d

# 新版本更新了運行腳本, 使用方式./jms start|stop|status all 後臺運行請添加 -d 參數

1.4、安裝 SSH Server 和 WebSocket Server: Coco

1.4.1、下載或 Clone 項目

$ cd /opt

$ source /opt/py3/bin/activate

$ git clone https://github.com/jumpserver/coco.git

1.4.2、安裝依賴包

$ cd /opt/coco/requirements

$ yum -y install $(cat rpm_requirements.txt)

$ pip install -r requirements.txt

# 如果下載速度很慢, 可以換國內源

$ pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

1.4.3、修改配置文件並運行

$ cd /opt/coco

$ cp config_example.yml config.yml

$ sed -i "s/BOOTSTRAP_TOKEN: <pleasgechangesamewithjumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml/<pleasgechangesamewithjumpserver>

$ sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml

$ vi config.yml

# 項目名稱, 會用來向Jumpserver註冊, 識別而已, 不能重複

# NAME: {{ Hostname }}

# Jumpserver項目的url, api請求註冊會使用

CORE_HOST: http://127.0.0.1:8082 #jumpserver端口

# Bootstrap Token, 預共享秘鑰, 用來註冊coco使用的service account和terminal

# 請和jumpserver 配置文件中保持一致, 註冊完成後可以刪除

BOOTSTRAP_TOKEN: <pleasgechangesamewithjumpserver>

# 啟動時綁定的ip, 默認 0.0.0.0

# BIND_HOST: 0.0.0.0

# 監聽的SSH端口號, 默認2222

# SSHD_PORT: 2222

# 監聽的HTTP/WS端口號, 默認5000

# HTTPD_PORT: 5000

# 項目使用的ACCESS KEY, 默認會註冊, 並保存到 ACCESS_KEY_STORE中,

# 如果有需求, 可以寫到配置文件中, 格式 access_key_id:access_key_secret

# ACCESS_KEY: null

# ACCESS KEY 保存的地址, 默認註冊後會保存到該文件中

# ACCESS_KEY_STORE: data/keys/.access_key

# 加密密鑰

# SECRET_KEY: null

# 設置日誌級別 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]

LOG_LEVEL: ERROR

# 日誌存放的目錄

# LOG_DIR: logs

# SSH白名單

# ALLOW_SSH_USER: all

# SSH黑名單, 如果用戶同時在白名單和黑名單, 黑名單優先生效

# BLOCK_SSH_USER:

# -

# 和Jumpserver 保持心跳時間間隔

# HEARTBEAT_INTERVAL: 5

# Admin的名字, 出問題會提示給用戶

# ADMINS: ''

# SSH連接超時時間 (default 15 seconds)

# SSH_TIMEOUT: 15

# 語言 [en, zh]

# LANGUAGE_CODE: zh

# SFTP的根目錄, 可選 /tmp, Home其他自定義目錄

# SFTP_ROOT: /tmp

# SFTP是否顯示隱藏文件

# SFTP_SHOW_HIDDEN_FILE: false

$ ./cocod start -d # 後臺運行使用 -d 參數./cocod start -d

# 新版本更新了運行腳本, 使用方式./cocod start|stop|status 後臺運行請添加 -d 參數

1.5、安裝 Web Terminal 前端: Luna

Luna 已改為純前端, 需要 nginx 來運行訪問

訪問(https://github.com/jumpserver/luna/releases)下載對應版本的 release 包, 直接解壓不需要編譯

1.4.1、解壓 Luna

$ cd /opt

$ wget https://github.com/jumpserver/luna/releases/download/1.4.9/luna.tar.gz

# 如果網絡有問題導致下載無法完成可以使用下面地址

$ wget https://demo.jumpserver.org/download/luna/1.4.9/luna.tar.gz

$ tar xf luna.tar.gz

$ chown -R root:root luna

1.6、安裝 Windows 支持組件(如果不需要管理 windows 資產, 可以直接跳過這一步)

1.6.1、安裝依賴

$ mkdir /usr/local/lib/freerdp/

$ ln -s /usr/local/lib/freerdp /usr/lib64/freerdp

$ rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

$ rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm

$ yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm

$ yum install -y java-1.8.0-openjdk libtool

$ yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel

$ yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript

1.6.2、編譯安裝 guacamole 服務

$ cd /opt

$ git clone https://github.com/jumpserver/docker-guacamole.git

$ cd /opt/docker-guacamole/

$ tar -xf guacamole-server-1.0.0.tar.gz

$ cd guacamole-server-1.0.0

$ autoreconf -fi

$ ./configure --with-init-dir=/etc/init.d

$ make && make install

$ cd ..

$ rm -rf guacamole-server-1.0.0

$ ldconfig

1.6.3、配置 tomcat服務

$ mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions # 創建 guacamole 目錄

$ ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar

$ ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties # guacamole 配置文件

$ cd /config

$ wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz

$ tar -xzf apache-tomcat-8.5.41.tar.gz

$ rm -rf apache-tomcat-8.5.41.tar.gz

$ mv apache-tomcat-8.5.41 tomcat8

$ rm -rf /config/tomcat8/webapps/*

$ ln -sf /opt/docker-guacamole/guacamole-1.0.0.war /config/tomcat8/webapps/ROOT.war # guacamole client

$ sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat8/conf/server.xml # 修改默認端口為 8081

$ sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties # 修改 log 等級為 WARNING

$ cd /config

$ wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz

# 如果網絡有問題導致下載無法完成可以使用下面地址

$ wget https://demo.jumpserver.org/download/ssh-forward/v0.0.5/linux-amd64.tar.gz

$ tar xf linux-amd64.tar.gz -C /bin/

$ chmod +x /bin/ssh-forward

1.6.4、配置環境變量

$ export JUMPSERVER_SERVER=http://127.0.0.1:8082 # http://127.0.0.1:8082指jumpserver 訪問地址

$ echo "export JUMPSERVER_SERVER=http://127.0.0.1:8082" >> ~/.bashrc

# BOOTSTRAP_TOKEN 為 Jumpserver/config.yml 裡面的 BOOTSTRAP_TOKEN

$ export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN

$ echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc

$ export JUMPSERVER_KEY_DIR=/config/guacamole/keys

$ echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc

$ export GUACAMOLE_HOME=/config/guacamole

$ echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc

1.6.5、啟動 Guacamole

$ /etc/init.d/guacd start

$ sh /config/tomcat8/bin/startup.sh

1.7、配置 nginx 整合各組件

1.7.1、安裝 nginx

$ yum install -y yum-utils

$ vi /etc/yum.repos.d/nginx.repo

[nginx-stable]

name=nginx stable repo

baseurl=http://nginx.org/packages/centos/$releasever/$basearch/

gpgcheck=1

enabled=1

gpgkey=https://nginx.org/keys/nginx_signing.key

$ yum install -y nginx

$ rm -rf /etc/nginx/conf.d/default.conf

$ systemctl enable nginx

1.7.2、準備配置文件 修改 /etc/nginx/conf.d/jumpserver.conf

$ vi /etc/nginx/conf.d/jumpserver.conf

server { #禁止使用ip來訪問jumpserver

listen 8080;

server_name _;

location / {

return 444;

}

}

server {

listen 8080; # 代理端口, 以後將通過此端口進行訪問, 不再通過8080端口

server_name www.jumpserver.one; #修改成你的域名

client_max_body_size 100m; # 錄像及文件上傳大小限制

location /luna/ {

try_files $uri / /index.html;

alias /opt/luna/; # luna 路徑, 如果修改安裝目錄, 此處需要修改

}

location /media/ {

add_header Content-Encoding gzip;

root /opt/jumpserver/data/; # 錄像位置, 如果修改安裝目錄, 此處需要修改

}

location /static/ {

root /opt/jumpserver/data/; # 靜態資源, 如果修改安裝目錄, 此處需要修改

}

location /socket.io/ {

proxy_pass http://localhost:5000/socket.io/; # 如果coco安裝在別的服務器, 請填寫它的ip

proxy_buffering off;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

access_log off;

}

location /coco/ {

proxy_pass http://localhost:5000/coco/; # 如果coco安裝在別的服務器, 請填寫它的ip

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

access_log off;

}

location /guacamole/ {

proxy_pass http://localhost:8081/; # 如果guacamole安裝在別的服務器, 請填寫它的ip

proxy_buffering off;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection $http_connection;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

access_log off;

}

location / {

proxy_pass http://localhost:8082; # 如果jumpserver安裝在別的服務器, 請填寫它的ip

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

}

1.7.3、運行 nginx

nginx -t # 確保配置沒有問題, 有問題請先解決

# CentOS 7

$ systemctl start nginx

$ systemctl enable nginx

1.7.4、開始使用 Jumpserver

檢查應用是否已經正常運行

服務全部啟動後, 訪問 http://203.95.193.121:8080, 訪問nginx代理的端口, 不要再通過8082端口訪問

默認賬號: admin 密碼: admin

到Jumpserver 會話管理-終端管理 檢查 Coco Guacamole 等應用的註冊。

1.7.5、配置開機啟動

$ cat /etc/rc.local

cd /opt/jumpserver && source /opt/py3/bin/activate && ./jms start all -d

cd /opt/coco && source /opt/py3/bin/activate && ./cocod start -d

/etc/init.d/guacd start

sh /config/tomcat8/bin/startup.sh

$ chmod +x /etc/rc.local

2、nginx安裝部暑(203.95.193.119)

2.1、安裝nginx

$ yum install -y yum-utils

$ vi /etc/yum.repos.d/nginx.repo #配置yum源

[nginx-stable]

name=nginx stable repo

baseurl=http://nginx.org/packages/centos/$releasever/$basearch/

gpgcheck=1

enabled=1

gpgkey=https://nginx.org/keys/nginx_signing.key

$ yum install -y nginx

$ rm -rf /etc/nginx/conf.d/default.conf

$ systemctl enable nginx

2.2、配置nginx轉發到jumpserver

$ cat /etc/nginx/nginx.conf

user nginx;

worker_processes auto;

error_log /var/log/nginx/error.log warn;

pid /var/run/nginx.pid;

events {

worker_connections 1024;

}

http {

include /etc/nginx/mime.types;

default_type application/octet-stream;

sendfile on;

server_tokens off;

tcp_nopush on;

tcp_nodelay on;

# nginx日誌格式

log_format main '$remote_addr - $remote_user [$time_local] "$request" '

'$status $body_bytes_sent "$http_referer" '

'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

#sendfile on;

#tcp_nopush on;

keepalive_timeout 1d;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header x-client-ip $remote_addr;

#gzip on;

include /etc/nginx/conf.d/*.conf;

}

$ cd /etc/nginx/conf.d

$ cat jumpserver.conf

upstream test {

server 172.10.11.104:8080; #負載均衡到jumpserver服務器

}

server {

listen 25678; #偵聽端口

client_max_body_size 100m; #客戶最大上傳100M

location / {

proxy_pass http://test; # nginx轉發到jumpserver服務器

# 把原http請求的Header中的Host字段也放到轉發的請求裡

proxy_set_header Host $host;

# 把真實客戶端IP寫入到請求頭X-Real-IP

proxy_set_header X-Real-IP $remote_addr;

# 讓nginx的http代理增加X-Forwarded-For頭信息，保存客戶的真實ip

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# HTTP 請求頭中的 X-Forwarded-For

proxy_set_header HTTP_X_FORWARDED_FOR $remote_addr;

#對發送給客戶端的URL進行修改

proxy_redirect default;

}

}

2.3、配置域名解釋hosts

$ vi /etc/hosts

172.10.11.104 www.jumpserver.one #172.10.11.104是jumpserver內網ip,用於解釋jumpserver服務器

2.4、啟動nginx服務器

$ mkdir -p /var/log/nginx

$ chown nginx. /var/log/nginx

$ nginx -t

$ systemctl start nginx

$ systemctl status nginx

$ systemctl enable nginx

2.4、配置防火牆

$ firewall-cmd --zone=public --add-port=25678/tcp --permanent

$ firewall-cmd --reload

3、查看jumpserver登陸日誌

3.1、綁定hosts訪問

$ cat /etc/hosts

203.95.193.119 www.jumpserver.one #你的電腦配置

3.2、登陸jumpserver查看登陸日誌

tail -f /var/log/nginx/access.log #在jumpserver查看用戶訪問jumpserver服務器ip

3.3、使用ip訪問效果

閱讀更多 愛踢人生 的文章

關鍵字: 客戶端 Redis Nginx