JumpServer bastion host deployment and application (2): installation and deployment

Architecture diagram

(Architecture diagram: image not reproduced in this text.)

Component introduction

  • JumpServer => now refers to the JumpServer management backend, the core component (Core). It is developed in the Django class-based-view style and exposes a RESTful API.
  • koko => implements the SSH Server and Web Terminal Server components, providing SSH and WebSocket interfaces; it is developed using Paramiko and Flask.
  • Luna => now the front end of the Web Terminal. The plan is for all front-end pages to be provided by this project, with JumpServer only providing the API and no longer rendering HTML on the server side.
  • Guacamole => Apache's jump-host (remote desktop gateway) project; JumpServer uses its components to implement RDP. JumpServer does not modify its code, but adds extra plug-ins so that JumpServer can call it.

Component deployment

1. Environment requirements

Hardware configuration: 2 CPU cores, 4G memory, 50G hard disk (minimum)
Operating system: Linux distribution, x86_64
Other configuration: turn off SELinux and the firewall for the installation (in production they should be turned back on, with care)

setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

systemctl status firewalld.service
systemctl start firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service 

2. System environment update

yum -y update

3. Dependency packages

yum -y install wget gcc epel-release git gcc krb5-devel libtiff-devel libjpeg-devel libzip-devel freetype-devel libwebp-devel tcl-devel tk-devel sshpass openldap-devel mariadb-devel libffi-devel openssh-clients telnet openldap-clients docker

4. Install Python, Mysql, Redis, Nginx components

yum -y install python3.6 python36-devel mariadb mariadb-server.x86_64 redis nginx

5. Redis settings

systemctl enable redis
systemctl start redis

6. Mysql settings

systemctl enable mariadb
systemctl start mariadb

DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
echo -e "\033[31m 你的数据库密码是 $DB_PASSWORD \033[0m"
mysql -uroot -e "create database jumpserver default charset 'utf8' collate 'utf8_bin'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"

The MariaDB root password is empty by default. Set one as follows (replace ericzhong with your own password; the -p prompt asks for the current, still empty, password):
mysqladmin -u root -p password ericzhong

7. Python virtual environment configuration

cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate


Every time you operate on JumpServer, activate the py3 virtual environment first.

8. JumpServer deployment

  • Download program and deployment
cd /opt && \
wget -O jumpserver.tar.gz https://github.com/jumpserver/jumpserver/archive/2.0.1.tar.gz
tar xf jumpserver.tar.gz
ln -s /opt/jumpserver-2.0.1 /opt/jumpserver
  • Install compilation environment dependencies
cd /opt/jumpserver/requirements   # rpm_requirements.txt and requirements.txt live here, not in /opt
yum install -y $(cat rpm_requirements.txt)
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
  • Configuration modification
cd /opt/jumpserver/
cp config_example.yml config.yml
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
echo -e "\033[31m 你的SECRET_KEY是 $SECRET_KEY \033[0m"
echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
  • Start the program
cd /opt/jumpserver/
./jms start -d

Log output:

(py3) [root@jumpserver01 jumpserver]# ./jms start -d
2020-06-23 14:13:41 Tue Jun 23 14:13:41 2020
2020-06-23 14:13:41 Jumpserver version 2.0.0, more see https://www.jumpserver.org

- Start Gunicorn WSGI HTTP Server
2020-06-23 14:13:41 Check database connection ...
users
 [ ] 0001_initial
 [ ] 0002_auto_20171225_1157_squashed_0019_auto_20190304_1459 (18 squashed migrations)
 [ ] 0020_auto_20190612_1825
 [ ] 0021_auto_20190625_1104
 [ ] 0022_auto_20190625_1105
 [ ] 0023_auto_20190724_1525
 [ ] 0024_auto_20191118_1612
 [ ] 0025_auto_20200206_1216
 [ ] 0026_auto_20200508_2105
 [ ] 0027_auto_20200616_1503
2020-06-23 14:13:48 Database connect success
2020-06-23 14:13:48 Check database structure change ...
2020-06-23 14:13:48 Migrate model change to database ...
Operations to perform:
  Apply all migrations: admin, applications, assets, audits, auth, authentication, captcha, common, contenttypes, django_cas_ng, django_celery_beat, jms_oidc_rp, ops, orgs, perms, sessions, settings, terminal, tickets, users
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0001_initial... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying users.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying users.0002_auto_20171225_1157_squashed_0019_auto_20190304_1459... OK
  Applying assets.0001_initial... OK
  Applying perms.0001_initial... OK
  Applying assets.0002_auto_20180105_1807_squashed_0009_auto_20180307_1212... OK
  Applying assets.0010_auto_20180307_1749_squashed_0019_auto_20180816_1320... OK
  Applying perms.0002_auto_20171228_0025_squashed_0009_auto_20180903_1132... OK
  Applying perms.0003_action... OK
  Applying perms.0004_assetpermission_actions... OK
  Applying assets.0020_auto_20180816_1652... OK
  Applying assets.0021_auto_20180903_1132... OK
  Applying assets.0022_auto_20181012_1717... OK
  Applying assets.0023_auto_20181016_1650... OK
  Applying assets.0024_auto_20181219_1614... OK
  Applying assets.0025_auto_20190221_1902... OK
  Applying assets.0026_auto_20190325_2035... OK
  Applying applications.0001_initial... OK
  Applying perms.0005_auto_20190521_1619... OK
  Applying perms.0006_auto_20190628_1921... OK
  Applying perms.0007_remove_assetpermission_actions... OK
  Applying perms.0008_auto_20190911_1907... OK
  Applying assets.0027_auto_20190521_1703... OK
  Applying assets.0028_protocol... OK
  Applying assets.0029_auto_20190522_1114... OK
  Applying assets.0030_auto_20190619_1135... OK
  Applying assets.0031_auto_20190621_1332... OK
  Applying assets.0032_auto_20190624_2108... OK
  Applying assets.0033_auto_20190624_2108... OK
  Applying assets.0034_auto_20190705_1348... OK
  Applying assets.0035_auto_20190711_2018... OK
  Applying assets.0036_auto_20190716_1535... OK
  Applying assets.0037_auto_20190724_2002... OK
  Applying assets.0038_auto_20190911_1634... OK
  Applying perms.0009_remoteapppermission_system_users... OK
  Applying applications.0002_remove_remoteapp_system_user... OK
  Applying applications.0003_auto_20191210_1659... OK
  Applying applications.0004_auto_20191218_1705... OK
  Applying assets.0039_authbook_is_active... OK
  Applying assets.0040_auto_20190917_2056... OK
  Applying assets.0041_gathereduser... OK
  Applying assets.0042_favoriteasset... OK
  Applying assets.0043_auto_20191114_1111... OK
  Applying assets.0044_platform... OK
  Applying assets.0045_auto_20191206_1607... OK
  Applying assets.0046_auto_20191218_1705... OK
  Applying assets.0047_assetuser... OK
  Applying assets.0048_auto_20191230_1512... OK
  Applying assets.0049_systemuser_sftp_root... OK
  Applying audits.0001_initial... OK
  Applying audits.0002_ftplog_org_id... OK
  Applying audits.0003_auto_20180816_1652... OK
  Applying audits.0004_operatelog_passwordchangelog_userloginlog... OK
  Applying audits.0005_auto_20190228_1715... OK
  Applying audits.0006_auto_20190726_1753... OK
  Applying audits.0007_auto_20191202_1010... OK
  Applying audits.0008_auto_20200508_2105... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying authentication.0001_initial... OK
  Applying authentication.0002_auto_20190729_1423... OK
  Applying authentication.0003_loginconfirmsetting... OK
  Applying captcha.0001_initial... OK
  Applying common.0001_initial... OK
  Applying common.0002_auto_20180111_1407... OK
  Applying common.0003_setting_category... OK
  Applying common.0004_setting_encrypted... OK
  Applying common.0005_auto_20190221_1902... OK
  Applying common.0006_auto_20190304_1515... OK
  Applying django_cas_ng.0001_initial... OK
  Applying django_celery_beat.0001_initial... OK
  Applying django_celery_beat.0002_auto_20161118_0346... OK
  Applying django_celery_beat.0003_auto_20161209_0049... OK
  Applying django_celery_beat.0004_auto_20170221_0000... OK
  Applying django_celery_beat.0005_add_solarschedule_events_choices_squashed_0009_merge_20181012_1416... OK
  Applying django_celery_beat.0006_periodictask_priority... OK
  Applying jms_oidc_rp.0001_initial... OK
  Applying ops.0001_initial... OK
  Applying ops.0002_celerytask... OK
  Applying ops.0003_auto_20181207_1744... OK
  Applying ops.0004_adhoc_run_as... OK
  Applying ops.0005_auto_20181219_1807... OK
  Applying ops.0006_auto_20190318_1023... OK
  Applying ops.0007_auto_20190724_2002... OK
  Applying ops.0008_auto_20190919_2100... OK
  Applying ops.0009_auto_20191217_1713... OK
  Applying ops.0010_auto_20191217_1758... OK
  Applying ops.0011_auto_20200106_1534... OK
  Applying ops.0012_auto_20200108_1659... OK
  Applying ops.0013_auto_20200108_1706... OK
  Applying ops.0014_auto_20200108_1749... OK
  Applying ops.0015_auto_20200108_1809... OK
  Applying ops.0016_commandexecution_org_id... OK
  Applying ops.0017_auto_20200306_1747... OK
  Applying ops.0018_auto_20200509_1434... OK
  Applying orgs.0001_initial... OK
  Applying orgs.0002_auto_20180903_1132... OK
  Applying orgs.0003_auto_20190916_1057... OK
  Applying users.0020_auto_20190612_1825... OK
  Applying users.0021_auto_20190625_1104... OK
  Applying users.0022_auto_20190625_1105... OK
  Applying users.0023_auto_20190724_1525... OK
  Applying users.0024_auto_20191118_1612... OK
  Applying perms.0010_auto_20191218_1705... OK
  Applying sessions.0001_initial... OK
  Applying settings.0001_initial... OK
  Applying terminal.0001_initial... OK
  Applying terminal.0002_auto_20171228_0025_squashed_0009_auto_20180326_0957... OK
  Applying terminal.0010_auto_20180423_1140... OK
  Applying terminal.0011_auto_20180807_1116... OK
  Applying terminal.0012_auto_20180816_1652... OK
  Applying terminal.0013_auto_20181123_1113... OK
  Applying terminal.0014_auto_20181226_1441... OK
  Applying terminal.0015_auto_20190923_1529... OK
  Applying terminal.0016_commandstorage_replaystorage... OK
  Applying terminal.0017_auto_20191125_0931... OK
  Applying terminal.0018_auto_20191202_1010... OK
  Applying terminal.0019_auto_20191206_1000... OK
  Applying terminal.0020_auto_20191218_1721... OK
  Applying terminal.0021_auto_20200213_1316... OK
  Applying terminal.0022_session_is_success... OK
  Applying terminal.0023_command_risk_level... OK
  Applying tickets.0001_initial... OK
  Applying users.0025_auto_20200206_1216... OK
  Applying users.0026_auto_20200508_2105... OK
  Applying users.0027_auto_20200616_1503... OK
2020-06-23 14:14:12 Collect static files
2020-06-23 14:14:18 Collect static files done

- Start Celery as Distributed Task Queue: Ansible

- Start Celery as Distributed Task Queue: Celery

- Start Beat as Periodic Task Scheduler

- Start Flower as Task Monitor

- Start Daphne ASGI WS Server
gunicorn is running: 3881
celery_ansible is running: 3892
celery_default is running: 3896
beat is running: 3900
flower is running: 3904
daphne is running: 3908
  • Jumpserver automatic startup settings
echo 'source /opt/py3/bin/activate && /opt/jumpserver/jms start -d' >> /etc/rc.local \
  && chmod +x /etc/rc.d/rc.local
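The sed commands in the configuration step above only change config.yml when their patterns match the template exactly; if a pattern misses (for example because the template line reads differently), the secret stays empty and nothing reports it until jms fails to start. The following script is an added check that is not part of the original post or of the JumpServer project: it reads a config.yml, reports empty SECRET_KEY, BOOTSTRAP_TOKEN and DB_PASSWORD values, a SECRET_KEY shorter than the 50 characters generated above, DEBUG not explicitly false, and LOG_LEVEL left at DEBUG. The sample config files it writes are constructed here; the values in them are made up.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: verify that the sed edits from the
# "Configuration modification" step really populated /opt/jumpserver/config.yml.
# Each sed is silent when its pattern is absent, so an empty secret is otherwise
# only noticed when ./jms start fails (or worse, when it starts with a weak key).

# yaml_value FILE KEY -> value of the first uncommented top-level "KEY: value" line
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"' \r"
}

# check_config FILE -> one finding per line on stdout; exit status 0 only when none
check_config() {
    local file="$1" problems=0 key val
    for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD; do
        if [ -z "$(yaml_value "$file" "$key")" ]; then
            echo "MISSING: $key is empty or still commented out"
            problems=$((problems + 1))
        fi
    done
    # the step above generates a 50-character SECRET_KEY; anything shorter was set by hand
    val=$(yaml_value "$file" SECRET_KEY)
    if [ -n "$val" ] && [ "${#val}" -lt 50 ]; then
        echo "WEAK: SECRET_KEY is only ${#val} characters"
        problems=$((problems + 1))
    fi
    if [ "$(yaml_value "$file" DEBUG)" != "false" ]; then
        echo "NOT SET: DEBUG is not explicitly false (the sed expects '# DEBUG: true' in the template)"
        problems=$((problems + 1))
    fi
    if [ "$(yaml_value "$file" LOG_LEVEL)" = "DEBUG" ]; then
        echo "RISK: LOG_LEVEL is DEBUG; the step above sets ERROR"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# write_samples DIR -> constructed good and bad config files (all values are made up)
write_samples() {
    cat > "$1/good.yml" <<'EOF'
SECRET_KEY: Y0jXL5D9gLkFOv9JoDdZt9dYXMU8Vd3yxlrnMfmQcKKzNyzHdn
BOOTSTRAP_TOKEN: fGAjbp8a1R8ffsNl
DEBUG: false
LOG_LEVEL: ERROR
DB_PASSWORD: w7UEh1gRuqA1LHnflgJzzRv3
EOF
    # template left untouched: the sed patterns did not match
    cat > "$1/bad.yml" <<'EOF'
SECRET_KEY:
BOOTSTRAP_TOKEN: fGAjbp8a1R8ffsNl
# DEBUG: true
# LOG_LEVEL: DEBUG
DB_PASSWORD:
EOF
}

# Stand-alone run: check the file given as $1, or the constructed samples when none is given
if [ -n "${1:-}" ]; then
    check_config "$1"
else
    demo=$(mktemp -d)
    write_samples "$demo"
    echo "== good.yml"; check_config "$demo/good.yml" && echo "no findings"
    echo "== bad.yml";  check_config "$demo/bad.yml"  || echo "findings above; fix them before ./jms start"
    rm -rf "$demo"
fi
```

Run it as `bash check_config.sh /opt/jumpserver/config.yml` before the first `./jms start -d`; a non-zero exit status means at least one finding was printed, which makes it usable as a gate in a deployment script.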

9. Deploy the KOKO component with Docker

systemctl enable docker
systemctl daemon-reload
systemctl restart docker.service
cd /opt
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet \
  | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" \
  | head -n 1 | cut -d / -f1` \
  && echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" \
  && echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
docker run --name jms_koko -d \
  -p 2222:2222 -p 127.0.0.1:5000:5000 \
  -e CORE_HOST=http://$Server_IP:8080 \
  -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
  -e LOG_LEVEL=ERROR \
  --restart=always \
  jumpserver/jms_koko:2.0.1

10. Deploy the Guacamole component with Docker

cd /opt
docker run --name jms_guacamole -d \
  -p 127.0.0.1:8081:8080 \
  -e JUMPSERVER_SERVER=http://$Server_IP \
  -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
  -e GUACAMOLE_LOG_LEVEL=ERROR \
  jumpserver/jms_guacamole:2.0.1
  • Check Docker status
docker ps -a
CONTAINER ID        IMAGE                            COMMAND             CREATED              STATUS              PORTS                                              NAMES
36a58481a02e        jumpserver/jms_guacamole:2.0.1   "./entrypoint.sh"   About a minute ago   Up About a minute   127.0.0.1:8081->8080/tcp                           jms_guacamole
7a77d4c2aea4        jumpserver/jms_koko:2.0.1        "./entrypoint.sh"   9 minutes ago        Up 9 minutes        0.0.0.0:2222->2222/tcp, 127.0.0.1:5000->5000/tcp   jms_koko


docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
docker.io/jumpserver/jms_koko        2.0.1               141f4ce1e18c        4 hours ago         356 MB
docker.io/jumpserver/jms_guacamole   2.0.1               b1eecc36e7a2        4 hours ago         659 MB

11. Lina component deployment

cd /opt
wget http://demo.jumpserver.org/download/lina/2.0.1/lina.tar.gz
tar -xf lina.tar.gz
chown -R nginx:nginx lina

12. Luna component deployment

cd /opt
wget http://demo.jumpserver.org/download/luna/2.0.1/luna.tar.gz
tar -xf luna.tar.gz
chown -R nginx:nginx luna

13. Nginx configuration integrating each component

# nginx default configuration (the yum nginx package reads /etc/nginx/nginx.conf, and its
# mime.types and conf.d live under /etc/nginx as well, not /usr/local/nginx)
cat > /etc/nginx/nginx.conf << EOF
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
 
include /usr/share/nginx/modules/*.conf;
 
events {
    worker_connections 1024;
}
 
http {
    log_format  main  '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                      '\$status \$body_bytes_sent "\$http_referer" '
                      '"\$http_user_agent" "\$http_x_forwarded_for"';
 
    access_log  /var/log/nginx/access.log  main;
 
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
 
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
 
    include /etc/nginx/conf.d/*.conf;
}
 
EOF

# clear the default virtual host configuration
echo > /etc/nginx/conf.d/default.conf

# jumpserver virtual host configuration
vi /etc/nginx/conf.d/jumpserver.conf

server {
    listen 80;

    client_max_body_size 500m;  # size limit for session recordings and file uploads

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; change this if the install directory changes
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; change this if the install directory changes
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static assets; change this if the install directory changes
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
  • Start the service
nginx -t                  # validate the configuration before starting
systemctl enable nginx
systemctl start nginx
systemctl status nginx
nginx -s reload           # apply later configuration changes without a restart

14. Jumpserver login verification

Default account: admin, default password: admin

Security advice

  1. Place a firewall in front of JumpServer and block unnecessary ports. External access only needs ports 80 and 2222; if SSL is configured, port 443 also needs to be open.
  2. Keep the operating system of the server hosting JumpServer upgraded to the latest version.
  3. Do not use weak or default passwords in the software JumpServer depends on, and update that software regularly to the latest version.
  4. Enable the MFA function to avoid security problems caused by password leakage.
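Item 1 is easiest to verify on the host itself: with the layout built above, only nginx (80, or 443 with SSL) and koko SSH (2222) should accept connections from the network, while core (8080), koko's web port (5000), Guacamole (8081), the ws server (8070), MariaDB (3306) and Redis (6379) should be bound to 127.0.0.1 and reached through nginx or locally. The script below is an added example, not part of the original post or of JumpServer: it reads `ss -lntH`-style lines and flags every non-loopback listener whose port is not in the allow list. The sample listener table is constructed, not captured from a real host; in it core's 8080 and MariaDB's 3306 were deliberately left on a wildcard bind so the audit has something to report.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit which listening ports on the
# JumpServer host are reachable from outside, to back up security advice item 1.
# Only nginx (80/443) and koko SSH (2222) should listen on a non-loopback address;
# core 8080, koko web 5000, guacamole 8081, ws 8070, MariaDB 3306 and Redis 6379
# are reached through nginx or locally and belong on 127.0.0.1.

PUBLIC_PORTS="80 443 2222"   # ports allowed to bind a non-loopback address

# audit_listeners: reads "ss -lntH" lines on stdin, e.g. "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*",
# prints ALLOWED/EXPOSED per non-loopback listener; exit status 0 only if nothing is EXPOSED
audit_listeners() {
    local exposed=0 state recvq sendq local_addr peer rest port ip
    while read -r state recvq sendq local_addr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${local_addr##*:}      # text after the last ':' is the port
        ip=${local_addr%:*}         # the rest is the address: 0.0.0.0, *, [::], 127.0.0.1, ...
        case "$ip" in
            127.*|'[::1]') continue ;;   # loopback only: unreachable from the network
        esac
        case " $PUBLIC_PORTS " in
            *" $port "*) echo "ALLOWED: $local_addr" ;;
            *) echo "EXPOSED: $local_addr (bind it to 127.0.0.1 or block it at the firewall)"
               exposed=$((exposed + 1)) ;;
        esac
    done
    [ "$exposed" -eq 0 ]
}

# Constructed sample, not captured from a real host: koko web, guacamole and redis are on
# loopback as this page configures them; core's 8080 and MariaDB's 3306 are left on a
# wildcard bind so the audit has something to report, and sshd's 22 shows up as well.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8081 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Stand-alone run on the sample; on the host itself use:  ss -lntH | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners || echo "exposed listeners found, see above"
```

On the sample the audit reports 8080, 3306 and 22 as EXPOSED and 80 and 2222 as ALLOWED. The host's own sshd (22) is flagged because the page's allow list only covers JumpServer's ports; add 22 to PUBLIC_PORTS if administrative SSH to the host must remain open, and restrict it by source address at the firewall. Binding MariaDB and core to 127.0.0.1 (bind-address in the MariaDB configuration, HTTP_BIND_HOST in config.yml) makes the corresponding lines disappear on the next run.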

Additional notes

  1. Docker: "net/http: TLS handshake timeout"
    This is caused by network problems reaching Docker Hub and can be worked around by configuring registry mirrors:
vi /etc/docker/daemon.json
{
    "registry-mirrors": ["https://registry.docker-cn.com", "https://pee6w651.mirror.aliyuncs.com"]
}

service docker restart
  2. Disabling IPv6
# disable via kernel parameters: sysctl -p reads /etc/sysctl.conf, so the sysctl keys go there;
# NETWORKING_IPV6 is an initscripts variable and belongs in /etc/sysconfig/network
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.conf
sysctl -p
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network

# disable via boot parameters
vi /etc/default/grub
GRUB_CMDLINE_LINUX="ipv6.disable=1 ..."
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
  3. The koko component misbehaves and cannot be used
  • Query the koko component log:
docker logs -f jms_koko
  • Rebuild the koko component: since koko runs in Docker, rebuilding the container resolves any problem inside the container itself. If the problem persists after a rebuild, the Nginx configuration is wrong; check the Nginx configuration.
cd /opt
docker stop jms_koko
docker rm jms_koko
Server_IP=`ip addr | grep 'state UP' -A2 | grep inet \
  | egrep -v '(127.0.0.1|inet6|docker)' | awk '{print $2}' | tr -d "addr:" \
  | head -n 1 | cut -d / -f1` \
  && echo -e "\033[31m 你的服务器IP是 $Server_IP \033[0m" \
  && echo -e "\033[31m 你的BOOTSTRAP_TOKEN是 $BOOTSTRAP_TOKEN \033[0m"
docker run --name jms_koko -d \
  -p 2222:2222 -p 127.0.0.1:5000:5000 \
  -e CORE_HOST=http://$Server_IP:8080 \
  -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
  -e LOG_LEVEL=ERROR \
  --restart=always \
  jumpserver/jms_koko:2.0.1


Origin blog.csdn.net/weixin_38623994/article/details/106920048