部暑環境:
nginx: 外網 203.95.193.119 內網 172.10.11.108
jumpserver: 外網203.95.193.121 內網 172.10.11.104
實驗目的:
1、jumpserver禁止使用ip來訪問web頁面,通過域名來訪問
2、nginx反向代理jumpserver,jumpserver獲取客戶端真實的訪問ip
1、jumpserver安裝部暑(203.95.193.121)
http://docs.jumpserver.org/zh/master/setup_by_centos.html #jumpserver官方安裝文檔
1.1、環境準備
# firewall-cmd --zone=public --add-port=8080/tcp --permanent # nginx 訪問端口
# firewall-cmd --zone=public --add-port=2222/tcp --permanent # 用戶ssh登錄端口 coco
# firewall-cmd --reload #重新載入規則
#關閉selinux
# setenforce 0
# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
修改字符集, 否則可能報 input/output error的問題, 因為日誌裡打印了中文
# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
# export LC_ALL=zh_CN.UTF-8
# echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
1.2、準備 Python3 和 Python 虛擬環境
1.2.1、安裝依賴包
yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
1.2.2、編譯安裝python
cd /opt
wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
tar xvf Python-3.6.1.tar.xz && cd Python-3.6.1
./configure && make && make install
1.2.3、建立 Python 虛擬環境
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate #進入虛擬環境
deactivate #退出虛擬環境
rmvirtualenv venv #刪除虛擬環境
1.2.4、自動載入 Python 虛擬環境配置
cd /opt
yum update -y nss curl libcurl
git clone https://github.com/kennethreitz/autoenv.git
echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
source ~/.bashrc
1.3、安裝 Jumpserver
1.3.1、下載或 Clone 項目
cd /opt/
git clone https://github.com/jumpserver/jumpserver.git
1.3.2、安裝依賴 RPM 包
cd /opt/jumpserver/requirements
yum -y install $(cat rpm_requirements.txt) # 如果沒有任何報錯請繼續
1.3.3、安裝 Python 庫依賴
pip install --upgrade pip setuptools
pip install -r requirements.txt # 如果沒有任何報錯請繼續
# 如果下載速度很慢, 可以換國內源
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
1.3.4、安裝 redis, jumpserver 使用 redis做cache和 celery broke
yum -y install redis
systemctl enable redis
systemctl start redis
# centos6
$ yum -y install redis
$ chkconfig redis on
$ service redis start
1.3.5、安裝 MySQL
yum -y install yum-utils
配置yum源:
cat /etc/yum.repos.d/mysql.repo
# Enable to use MySQL 5.7
[mysql57-community]
name=MySQL 5.7 Community Server
baseurl=http://repo.mysql.com/yum/mysql-5.7-community/el/7/$basearch/
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql
查看可安裝的mysql版本:
yum repolist all|grep mysql
yum install mysql-community-server -y
systemctl start mysqld
systemctl status mysqld
1.3.6 創建數據庫 Jumpserver 並授權
grep 'temporary password' /var/log/mysqld.log #查看初始密碼
$ mysql -uroot -p
> ALTER USER 'root'@'localhost' IDENTIFIED BY 'Jumpserver123!';
> create database jumpserver default charset 'utf8';
> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'WeakPW12!';
> grant all on jumpserver.* to 'jumpserver'@'localhost' identified by 'WeakPW12!';
> flush privileges;
1.3.7、修改 Jumpserver 配置文件
$ cd /opt/jumpserver
$ source /opt/py3/bin/activate #切換到python虛擬環境
$ cp config_example.yml config.yml
$ SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50` # 生成隨機SECRET_KEY
$ echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
$ BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16` # 生成隨機BOOTSTRAP_TOKEN
$ echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
$ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
$ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
$ sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
$ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
$ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
$ sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml #這個不用配置,單獨配置mysql密碼
$ echo -e "\\033[31m 你的SECRET_KEY是 $SECRET_KEY \\033[0m"
$ echo -e "\\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \\033[0m"
$ vi config.yml # 確認內容有沒有錯誤
# SECURITY WARNING: keep the secret key used in production secret!
# 加密秘鑰 生產環境中請修改為隨機字符串, 請勿外洩
SECRET_KEY:
# SECURITY WARNING: keep the bootstrap token used in production secret!
# 預共享Token coco和guacamole用來註冊服務賬號, 不在使用原來的註冊接受機制
BOOTSTRAP_TOKEN:
# Development env open this, when error occur display the full process track, Production disable it
# DEBUG 模式 開啟DEBUG後遇到錯誤時可以看到更多日誌
DEBUG: false
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# 日誌級別
LOG_LEVEL: ERROR
# LOG_DIR:
# Session expiration setting, Default 24 hour, Also set expired on on browser close
# 瀏覽器Session過期時間, 默認24小時, 也可以設置瀏覽器關閉則過期
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Database setting, Support sqlite3, mysql, postgres ....
# 數據庫設置
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
# 使用單文件sqlite數據庫
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# 使用Mysql作為數據庫
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: WeakPW12! #配置mysql密碼
DB_NAME: jumpserver
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# 運行時綁定端口
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8082 #jumpserver偵聽端口
# Use Redis as broker for celery and web socket
# Redis配置
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
# Use OpenID authorization
# 使用OpenID 來進行認證設置
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# OTP settings
# OTP/MFA 配置
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
1.3.8、運行 Jumpserver
$ cd /opt/jumpserver
$ ./jms start all -d # 後臺運行使用 -d 參數./jms start all -d
# 新版本更新了運行腳本, 使用方式./jms start|stop|status all 後臺運行請添加 -d 參數
1.4、安裝 SSH Server 和 WebSocket Server: Coco
1.4.1、下載或 Clone 項目
$ cd /opt
$ source /opt/py3/bin/activate
$ git clone https://github.com/jumpserver/coco.git
1.4.2、安裝依賴包
$ cd /opt/coco/requirements
$ yum -y install $(cat rpm_requirements.txt)
$ pip install -r requirements.txt
# 如果下載速度很慢, 可以換國內源
$ pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
1.4.3、修改配置文件並運行
$ cd /opt/coco
$ cp config_example.yml config.yml
$ sed -i "s/BOOTSTRAP_TOKEN: <pleasgechangesamewithjumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml/<pleasgechangesamewithjumpserver>
$ sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml
$ vi config.yml
# 項目名稱, 會用來向Jumpserver註冊, 識別而已, 不能重複
# NAME: {{ Hostname }}
# Jumpserver項目的url, api請求註冊會使用
CORE_HOST: http://127.0.0.1:8082 #jumpserver端口
# Bootstrap Token, 預共享秘鑰, 用來註冊coco使用的service account和terminal
# 請和jumpserver 配置文件中保持一致, 註冊完成後可以刪除
BOOTSTRAP_TOKEN: <pleasgechangesamewithjumpserver>
# 啟動時綁定的ip, 默認 0.0.0.0
# BIND_HOST: 0.0.0.0
# 監聽的SSH端口號, 默認2222
# SSHD_PORT: 2222
# 監聽的HTTP/WS端口號, 默認5000
# HTTPD_PORT: 5000
# 項目使用的ACCESS KEY, 默認會註冊, 並保存到 ACCESS_KEY_STORE中,
# 如果有需求, 可以寫到配置文件中, 格式 access_key_id:access_key_secret
# ACCESS_KEY: null
# ACCESS KEY 保存的地址, 默認註冊後會保存到該文件中
# ACCESS_KEY_STORE: data/keys/.access_key
# 加密密鑰
# SECRET_KEY: null
# 設置日誌級別 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
LOG_LEVEL: ERROR
# 日誌存放的目錄
# LOG_DIR: logs
# SSH白名單
# ALLOW_SSH_USER: all
# SSH黑名單, 如果用戶同時在白名單和黑名單, 黑名單優先生效
# BLOCK_SSH_USER:
# -
# 和Jumpserver 保持心跳時間間隔
# HEARTBEAT_INTERVAL: 5
# Admin的名字, 出問題會提示給用戶
# ADMINS: ''
# SSH連接超時時間 (default 15 seconds)
# SSH_TIMEOUT: 15
# 語言 [en, zh]
# LANGUAGE_CODE: zh
# SFTP的根目錄, 可選 /tmp, Home其他自定義目錄
# SFTP_ROOT: /tmp
# SFTP是否顯示隱藏文件
# SFTP_SHOW_HIDDEN_FILE: false
$ ./cocod start -d # 後臺運行使用 -d 參數./cocod start -d
# 新版本更新了運行腳本, 使用方式./cocod start|stop|status 後臺運行請添加 -d 參數
1.5、安裝 Web Terminal 前端: Luna
Luna 已改為純前端, 需要 nginx 來運行訪問
訪問(https://github.com/jumpserver/luna/releases)下載對應版本的 release 包, 直接解壓不需要編譯
1.4.1、解壓 Luna
$ cd /opt
$ wget https://github.com/jumpserver/luna/releases/download/1.4.9/luna.tar.gz
# 如果網絡有問題導致下載無法完成可以使用下面地址
$ wget https://demo.jumpserver.org/download/luna/1.4.9/luna.tar.gz
$ tar xf luna.tar.gz
$ chown -R root:root luna
1.6、安裝 Windows 支持組件(如果不需要管理 windows 資產, 可以直接跳過這一步)
1.6.1、安裝依賴
$ mkdir /usr/local/lib/freerdp/
$ ln -s /usr/local/lib/freerdp /usr/lib64/freerdp
$ rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
$ rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
$ yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm
$ yum install -y java-1.8.0-openjdk libtool
$ yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
$ yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript
1.6.2、編譯安裝 guacamole 服務
$ cd /opt
$ git clone https://github.com/jumpserver/docker-guacamole.git
$ cd /opt/docker-guacamole/
$ tar -xf guacamole-server-1.0.0.tar.gz
$ cd guacamole-server-1.0.0
$ autoreconf -fi
$ ./configure --with-init-dir=/etc/init.d
$ make && make install
$ cd ..
$ rm -rf guacamole-server-1.0.0
$ ldconfig
1.6.3、配置 tomcat服務
$ mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions # 創建 guacamole 目錄
$ ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar
$ ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties # guacamole 配置文件
$ cd /config
$ wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.41/bin/apache-tomcat-8.5.41.tar.gz
$ tar -xzf apache-tomcat-8.5.41.tar.gz
$ rm -rf apache-tomcat-8.5.41.tar.gz
$ mv apache-tomcat-8.5.41 tomcat8
$ rm -rf /config/tomcat8/webapps/*
$ ln -sf /opt/docker-guacamole/guacamole-1.0.0.war /config/tomcat8/webapps/ROOT.war # guacamole client
$ sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat8/conf/server.xml # 修改默認端口為 8081
$ sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties # 修改 log 等級為 WARNING
$ cd /config
$ wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz
# 如果網絡有問題導致下載無法完成可以使用下面地址
$ wget https://demo.jumpserver.org/download/ssh-forward/v0.0.5/linux-amd64.tar.gz
$ tar xf linux-amd64.tar.gz -C /bin/
$ chmod +x /bin/ssh-forward
1.6.4、配置環境變量
$ export JUMPSERVER_SERVER=http://127.0.0.1:8082 # http://127.0.0.1:8082指jumpserver 訪問地址
$ echo "export JUMPSERVER_SERVER=http://127.0.0.1:8082" >> ~/.bashrc
# BOOTSTRAP_TOKEN 為 Jumpserver/config.yml 裡面的 BOOTSTRAP_TOKEN
$ export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN
$ echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
$ export JUMPSERVER_KEY_DIR=/config/guacamole/keys
$ echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
$ export GUACAMOLE_HOME=/config/guacamole
$ echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
1.6.5、啟動 Guacamole
$ /etc/init.d/guacd start
$ sh /config/tomcat8/bin/startup.sh
1.7、配置 nginx 整合各組件
1.7.1、安裝 nginx
$ yum install -y yum-utils
$ vi /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
$ yum install -y nginx
$ rm -rf /etc/nginx/conf.d/default.conf
$ systemctl enable nginx
1.7.2、準備配置文件 修改 /etc/nginx/conf.d/jumpserver.conf
$ vi /etc/nginx/conf.d/jumpserver.conf
server { #禁止使用ip來訪問jumpserver
listen 8080;
server_name _;
location / {
return 444;
}
}
server {
listen 8080; # 代理端口, 以後將通過此端口進行訪問, 不再通過8080端口
server_name www.jumpserver.one; #修改成你的域名
client_max_body_size 100m; # 錄像及文件上傳大小限制
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路徑, 如果修改安裝目錄, 此處需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 錄像位置, 如果修改安裝目錄, 此處需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 靜態資源, 如果修改安裝目錄, 此處需要修改
}
location /socket.io/ {
proxy_pass http://localhost:5000/socket.io/; # 如果coco安裝在別的服務器, 請填寫它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /coco/ {
proxy_pass http://localhost:5000/coco/; # 如果coco安裝在別的服務器, 請填寫它的ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/; # 如果guacamole安裝在別的服務器, 請填寫它的ip
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location / {
proxy_pass http://localhost:8082; # 如果jumpserver安裝在別的服務器, 請填寫它的ip
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
1.7.3、運行 nginx
nginx -t # 確保配置沒有問題, 有問題請先解決
# CentOS 7
$ systemctl start nginx
$ systemctl enable nginx
1.7.4、開始使用 Jumpserver
檢查應用是否已經正常運行
服務全部啟動後, 訪問 http://203.95.193.121:8080, 訪問nginx代理的端口, 不要再通過8082端口訪問
默認賬號: admin 密碼: admin
到Jumpserver 會話管理-終端管理 檢查 Coco Guacamole 等應用的註冊。
1.7.5、配置開機啟動
$ cat /etc/rc.local
cd /opt/jumpserver && source /opt/py3/bin/activate && ./jms start all -d
cd /opt/coco && source /opt/py3/bin/activate && ./cocod start -d
/etc/init.d/guacd start
sh /config/tomcat8/bin/startup.sh
$ chmod +x /etc/rc.local
2、nginx安裝部暑(203.95.193.119)
2.1、安裝nginx
$ yum install -y yum-utils
$ vi /etc/yum.repos.d/nginx.repo #配置yum源
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
$ yum install -y nginx
$ rm -rf /etc/nginx/conf.d/default.conf
$ systemctl enable nginx
2.2、配置nginx轉發到jumpserver
$ cat /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
server_tokens off;
tcp_nopush on;
tcp_nodelay on;
# nginx日誌格式
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
#sendfile on;
#tcp_nopush on;
keepalive_timeout 1d;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header x-client-ip $remote_addr;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
$ cd /etc/nginx/conf.d
$ cat jumpserver.conf
upstream test {
server 172.10.11.104:8080; #負載均衡到jumpserver服務器
}
server {
listen 25678; #偵聽端口
client_max_body_size 100m; #客戶最大上傳100M
location / {
proxy_pass http://test; # nginx轉發到jumpserver服務器
# 把原http請求的Header中的Host字段也放到轉發的請求裡
proxy_set_header Host $host;
# 把真實客戶端IP寫入到請求頭X-Real-IP
proxy_set_header X-Real-IP $remote_addr;
# 讓nginx的http代理增加X-Forwarded-For頭信息,保存客戶的真實ip
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# HTTP 請求頭中的 X-Forwarded-For
proxy_set_header HTTP_X_FORWARDED_FOR $remote_addr;
#對發送給客戶端的URL進行修改
proxy_redirect default;
}
}
2.3、配置域名解釋hosts
$ vi /etc/hosts
172.10.11.104 www.jumpserver.one #172.10.11.104是jumpserver內網ip,用於解釋jumpserver服務器
2.4、啟動nginx服務器
$ mkdir -p /var/log/nginx
$ chown nginx. /var/log/nginx
$ nginx -t
$ systemctl start nginx
$ systemctl status nginx
$ systemctl enable nginx
2.4、配置防火牆
$ firewall-cmd --zone=public --add-port=25678/tcp --permanent
$ firewall-cmd --reload
3、查看jumpserver登陸日誌
3.1、綁定hosts訪問
$ cat /etc/hosts
203.95.193.119 www.jumpserver.one #你的電腦配置
3.2、登陸jumpserver查看登陸日誌
tail -f /var/log/nginx/access.log #在jumpserver查看用戶訪問jumpserver服務器ip
3.3、使用ip訪問效果
閱讀更多 愛踢人生 的文章