
Setting up a JumpServer bastion host

This mainly follows the official documentation: https://jumpserver.readthedocs.io/zh/master/step_by_step.html

I. Production deployment

JumpServer is an open-source jump host (bastion) system developed in Python and Django. It provides internet companies with authentication, authorization, auditing and automated operations, and it can collect data in real time, monitor the network environment and centralize alerting.

JumpServer environment requirements:

    Hardware: 2 CPU cores, 4 GB RAM, 50 GB disk (minimum)
    Operating system: Linux distribution, x86_64
    Python = 3.6.x
    MySQL Server ≥ 5.6
    MariaDB Server ≥ 5.5.56
    Redis
    Docker

  1. Install MySQL

    ]# tar -xf /root/mysql-5.7.17.tar

    ]# yum -y install mysql-community-*

    ]# systemctl start mysqld

    ]# systemctl enable mysqld

  2. Install Redis

    ]# yum -y install gcc

    ]# tar -zxf redis-4.0.8.tar.gz

    ]# cd redis-4.0.8/

    ]# make && make install

    ]# cd utils/

    utils]# ./install_server.sh

    ]# ss -antupl | grep :6379    # check that the service port is open

  3. Install nginx

    ]# yum -y install gcc pcre-devel openssl-devel    # some dependencies were installed earlier and need not be reinstalled

    ]# tar -xf nginx-1.12.2.tar.gz

    ]# cd nginx-1.12.2/

    ]# ./configure

    ]# make && make install

    ]# /usr/local/nginx/sbin/nginx

  4. Install Docker

    (configure the Docker package repository first)

    ]# yum -y install docker

    ]# systemctl start docker

    ]# systemctl enable docker

  5. Install Python 3

    ]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git    # install dependency packages

    ]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz

    ]# tar -xf Python-3.6.1.tar.xz

    ]# cd Python-3.6.1/

    Python-3.6.1]# ./configure && make && make install

    ]# python3.6 -m venv /opt/mypython    # create a Python 3 virtual environment (CentOS 7 ships Python 2; JumpServer must run inside a Python 3 venv)

    ]# source /opt/mypython/bin/activate    # load the virtual environment

II. Install JumpServer

  • Create the jumpserver database and grant privileges

]# mysql -uroot -p

mysql> create database jumpserver default charset 'utf8';

mysql> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '123qqq...A';

mysql> flush privileges;

  • Fetch the JumpServer code

]# cd /opt

]# git clone --depth=1 https://github.com/jumpserver/jumpserver.git

  • Install dependencies

(mypython) bin]# cd /opt/jumpserver/requirements

(mypython) requirements]# yum install -y $(cat rpm_requirements.txt)

(mypython) requirements]# pip install -r requirements.txt

Collecting amqp==2.1.4 (from -r requirements.txt (line 1))
  Using cached https://files.pythonhosted.org/packages/7e/4b/ac7afb11b57f237e3c1c64b5408c5d229bf5d4b42af6cb6e683c7690ca4f/amqp-2.1.4-py2.py3-none-any.whl
Collecting ansible==2.8.0 (from -r requirements.txt (line 2))
  Downloading https://files.pythonhosted.org/packages/17/c9/d379b76ecaa42f4ee08b01c365e9ed1be0b302ff8a26eef120d481b144fa/ansible-2.8.0.tar.gz (14.3MB)
     |████████████████████████████████| 14.3MB 22kB/s 
Requirement already satisfied: asn1crypto==0.24.0 in /root/mypython/lib/python3.6/site-packages (from -r requirements.txt (line 3)) (0.24.0)
......
Running setup.py install for ipip-ipdb ... done
  Running setup.py install for django-redis-sessions ... done
  Running setup.py install for unicodecsv ... done
Successfully installed Django-2.1.7 ForgeryPy-0.1 Jinja2-2.10.1 MarkupSafe-1.0 Pillow-4.3.0 PyNaCl-1.2.1 PyYAML-5.1 We
......

(mypython) requirements]# cd /opt/jumpserver/

(mypython) jumpserver]# ls

apps                data        entrypoint.sh  logs          requirements   utils
build.sh            Dockerfile  jms            README_EN.md  run_server.py  Vagrantfile
config_example.yml  docs        LICENSE        README.md     tmp

(mypython) jumpserver]# cp config_example.yml config.yml

]# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49    # for safety, generate random secrets for the config file below; you can generate two

Ow0FuFPTs0SU948jdsfbybc7fY5MxPlGwV7572V8d0PTDeKfe and ftWB0FNJCJVPMPyAsmPli4HONhsXMqA2zu0AVbfzAbdSw1tn0

(mypython) jumpserver]# vim config.yml

# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key. In production change it to a random string and never disclose it; it can be generated with the command
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: Ow0FuFPTs0SU948jdsfbybc7fY5MxPlGwV7572V8d0PTDeKfe

# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token used by coco and guacamole to register their service accounts; the old registration-approval mechanism is no longer used
BOOTSTRAP_TOKEN: ftWB0FNJCJVPMPyAsmPli4HONhsXMqA2zu0AVbfzAbdSw1tn0

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode: with DEBUG enabled, more log detail is shown when an error occurs
# DEBUG: true

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
# LOG_LEVEL: DEBUG
# LOG_DIR: 

# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session expiry, default 24 hours; can also be set to expire when the browser is closed
# SESSION_COOKIE_AGE: 86400
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false

# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# Use a single-file SQLite database
# DB_ENGINE: sqlite3
# DB_NAME: 

# MySQL or postgres setting like:
# Use MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: '123qqq...A'
DB_NAME: jumpserver
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port bound at runtime
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080

# Use Redis as broker for celery and web socket
# Redis settings
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD: 
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
......
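Before starting the service, a sanity check on the finished config.yml is worth running. The script below is an added example, not part of the original post or of JumpServer; it assumes the key names shown in the config above, and the demo config it writes uses freshly generated secrets plus a placeholder database password.

```shell
#!/bin/sh
# Added example, not part of the original guide or of JumpServer itself.
# Checks config.yml before ./jms start: SECRET_KEY and BOOTSTRAP_TOKEN must be
# present, at least 49 alphanumeric characters (what the tr/head command
# above produces) and different from each other; DEBUG must not be enabled;
# and the file, which also holds DB_PASSWORD, must be readable only by its owner.

# Value of a top-level "KEY: value" line; commented "# KEY:" lines are ignored.
cfg_get() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "'\""
}

check_config() {
  f=$1; rc=0
  for name in SECRET_KEY BOOTSTRAP_TOKEN; do
    v=$(cfg_get "$f" "$name")
    if [ "${#v}" -lt 49 ]; then
      echo "FAIL $name is missing or shorter than 49 characters"; rc=1
    fi
    case "$v" in
      *[!A-Za-z0-9]*) echo "FAIL $name contains non-alphanumeric characters"; rc=1 ;;
    esac
  done
  if [ "$(cfg_get "$f" SECRET_KEY)" = "$(cfg_get "$f" BOOTSTRAP_TOKEN)" ]; then
    echo "FAIL SECRET_KEY and BOOTSTRAP_TOKEN must be different values"; rc=1
  fi
  if [ "$(cfg_get "$f" DEBUG)" = "true" ]; then
    echo "FAIL DEBUG: true must not be set in production"; rc=1
  fi
  # In ls -l output, characters 5-10 are the group and other permission bits.
  if [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
    echo "FAIL $f is readable by group/others; run: chmod 600 $f"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK $f passes all checks"
  return "$rc"
}

# Demo on a constructed config: secrets generated on the fly, DB password is a placeholder.
demo() {
  tmp=$(mktemp)
  printf 'SECRET_KEY: %s\nBOOTSTRAP_TOKEN: %s\n# DEBUG: true\nDB_PASSWORD: %s\n' \
    "$(head -c 4096 /dev/urandom | tr -dc A-Za-z0-9 | head -c 49)" \
    "$(head -c 4096 /dev/urandom | tr -dc A-Za-z0-9 | head -c 49)" \
    "placeholder-db-password" > "$tmp"
  chmod 600 "$tmp"
  check_config "$tmp"
  rm -f "$tmp"
}
demo
```

On the real host run `check_config /opt/jumpserver/config.yml`; the same BOOTSTRAP_TOKEN is later passed on the docker command line, so it also lands in shell history and `docker inspect` output, which is worth remembering when rotating it.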
  • Start JumpServer

(mypython) jumpserver]# ./jms start    # add -d to run in the background: ./jms start -d

Mon Sep 23 14:12:31 2019
Jumpserver version 1.5.2, more see https://www.jumpserver.org

- Start Gunicorn WSGI HTTP Server
Check database connection ...
2019-09-23 14:12:33 [signals_handler DEBUG] Monkey patch settings
users
 [ ] 0001_initial
 [ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
 [ ] 0020_auto_20190612_1825
 [ ] 0021_auto_20190625_1104
 [ ] 0022_auto_20190625_1105
.....
Applying terminal.0013_auto_20181123_1113... OK
  Applying terminal.0014_auto_20181226_1441... OK
  Applying users.0020_auto_20190612_1825... OK
  Applying users.0021_auto_20190625_1104... OK
  ......
  [2019-09-23 14:15:37 +0800] [18720] [INFO] Booting worker with pid: 18720
celery beat v4.1.0 (latentcall) is starting.

III. Access JumpServer from a browser

127.0.0.1:8080, log in as admin, password: admin

IV. To use the web terminal, the following components must also be installed

the koko component, the guacamole component, the luna component, and nginx to integrate the components

Installing them with Docker is simpler.

  • Deploy the koko component
    ]# docker run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://127.0.0.1:8080 -e BOOTSTRAP_TOKEN=ftWB0FNJCJVPMPyAsmPli4HONhsXMqA2zu0AVbfzAbdSw1tn0 --restart=always jumpserver/jms_koko:1.5.2

  • Deploy the guacamole component
    ]# docker run --name jms_guacamole -d -p 127.0.0.1:8081:8081 -e JUMPSERVER_SERVER=http://127.0.0.1:8080 -e BOOTSTRAP_TOKEN=ftWB0FNJCJVPMPyAsmPli4HONhsXMqA2zu0AVbfzAbdSw1tn0 jumpserver/jms_guacamole:1.5.2

  • Download the luna component
    ]# wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
    ]# tar xf luna.tar.gz
    ]# chown -R root:root luna

  • Configure nginx to integrate the components

    ]# vim /usr/local/nginx/conf/nginx.conf

    ......
    server {
        listen 80;
        client_max_body_size 100m;  # size limit for session recordings and file uploads

        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;  # luna path; change this if the install directory is changed
        }

        location /media/ {
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;  # recording location; change this if the install directory is changed
        }

        location /static/ {
            root /opt/jumpserver/data/;  # static assets; change this if the install directory is changed
        }

        location /socket.io/ {
            proxy_pass       http://localhost:5000/socket.io/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /coco/ {
            proxy_pass       http://localhost:5000/coco/;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location /guacamole/ {
            proxy_pass       http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }

        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    ......


]# /usr/local/nginx/sbin/nginx -t    # check the configuration syntax

]# /usr/local/nginx/sbin/nginx -s reload
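With every component up, the listening ports should match the layout built above. The script below is an added example, not from the original guide or from JumpServer: it checks that each component port is listening and that koko's 5000, guacamole's 8081, MySQL and Redis are bound to 127.0.0.1 only, as the `-p 127.0.0.1:...` docker flags intend; the `ss` lines it parses are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original guide or of JumpServer itself.
# Post-deployment check for the layout built above: every component port must
# be listening, and ports that only nginx or the core should reach (koko 5000,
# guacamole 8081, MySQL 3306, Redis 6379) must be bound to 127.0.0.1, as the
# "-p 127.0.0.1:..." docker flags intend.  Live usage:  ss -ltn | check_bindings

# port:required-bind pairs; "any" accepts a public bind (nginx 80, koko 2222,
# and 8080 because config.yml sets HTTP_BIND_HOST: 0.0.0.0).
EXPECTED="80:any 2222:any 8080:any 5000:127.0.0.1 8081:127.0.0.1 3306:127.0.0.1 6379:127.0.0.1"

# Reads `ss -ltn` lines on stdin; column 4 is the local address:port.
check_bindings() {
  listeners=$(awk '{ n = split($4, a, ":"); port = a[n];
                     print substr($4, 1, length($4) - length(port) - 1), port }')
  rc=0
  for spec in $EXPECTED; do
    port=${spec%%:*}
    want=${spec#*:}
    if ! printf '%s\n' "$listeners" | awk -v p="$port" '$2 == p { f = 1 } END { exit !f }'; then
      echo "MISSING port $port is not listening"; rc=1; continue
    fi
    # "*" and "[::]" are wildcard binds; "[::1]" is the IPv6 loopback and is fine.
    exposed=$(printf '%s\n' "$listeners" | awk -v p="$port" -v w="$want" \
      'w != "any" && $2 == p && $1 != w && $1 != "[::1]" { print $1 }' | tr '\n' ' ')
    if [ -n "$exposed" ]; then
      echo "EXPOSED port $port is bound to ${exposed% }, expected $want"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK all expected listeners are present and correctly bound"
  return "$rc"
}

# Constructed sample of a correct deployment (not captured from a real host).
sample_good() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:80     0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080   0.0.0.0:*
LISTEN 0 128 [::]:2222      [::]:*
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8081 0.0.0.0:*
LISTEN 0 80  127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
EOF
}

# Same host, but guacamole was started with "-p 8081:8081" (no 127.0.0.1 prefix).
sample_bad() { sample_good | sed 's/127.0.0.1:8081/0.0.0.0:8081/'; }
sample_good | check_bindings
```

Because config.yml binds the core to 0.0.0.0:8080, the section V advice to go through port 80 is not enforced by the configuration itself; the check accepts any bind for 8080 to match the config as written, so tighten the list if you later restrict HTTP_BIND_HOST or add a firewall rule.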

V. Log in to JumpServer

(After all services are up, access port 80 proxied by nginx on the JumpServer host, not port 8080)

http://127.0.0.1:80

Log in as admin, password admin