Manually deploy the jumpserver bastion machine (complete process + common mistakes)

Table of contents

1. Why does the website architecture need a springboard machine and a bastion machine
2. The concept of springboard machine and bastion machine
   Springboard machine
   Bastion machine
   The role of the bastion machine
   Bastion machine modules
   The functions of the bastion host
   jumpserver official website
3. Jumpserver server deployment
   1. Prepare the environment and close the firewall
   2. Configure the yum source and prepare the yum source of Alibaba Cloud
   3. Install the system initialization environment
   5. Modify the character set of the system and change it to Chinese
   6. Deploy mysql5.6 database
      6.1. Download the mysql5.6 version from the official website
      6.2. Decompress the data package
      6.3. Modify some mysql configuration files
      6.4. Initialize mysql
      6.5. After logging in to the database, create the user information required to run jumpserver (and change the character encoding to utf8 to support Chinese)
      6.6. Create a user ('user'@'host': % allows the user to log in from anywhere; IDENTIFIED BY sets the password)
      6.7. Grant permissions to the user
   7. Deploy python3.6
      7.1. Download the source code of python3.6
      7.2. Decompress and compile the python installation package
      7.3. Configure environment variables for python3
      7.4. Create a virtual environment for python3
           Note: if such an error occurs when creating a virtual environment (error reason, solution)
      7.5. Replace the source of pip3
      7.6. Install the virtualenv module with pip3 again
      7.7. Activate virtual python3.6
   8. Deploy the redis database
      8.1. Install redis database
      8.2. Start and verify the service
   9. Deploy the jumpserver service
      9.1. Download the code of the jumpserver program
      9.2. Unzip the source code and install the dependent software required by jumpserver
      9.3. Install the modules required to run jumpserver
      9.4. Modify the jumpserver configuration file
   10. Perform database migration for python programs
      10.1. First enter mysql to check the library
      10.2. Database migration command for the jumpserver background program
            Note: if such an error occurs during database migration (main reason, solution)
      10.3. Continue to the next step, database migration command 2
      10.4. Enter mysql to verify the data in the database
      10.5. Start the jumpserver service
   11. Deploy CoCo/koko components
      11.1. Download koko components
      11.2. Unzip koko
      11.3. Start the koko program
   12. Install Guacamole
      12.1. Deploy Guacamole components
      12.2. Some software packages required for installing guacamole components
      12.3. Install FFmpeg tool
      12.4. Compile and install guacamole
      12.5. Install java development environment
      12.6. Create the folder needed to run guacamole
      12.7. Download the tomcat tool to run the java project
      12.8. Set the operating environment of guacamole
      12.9. Start the guacamole service
      12.10. Start tomcat service
   13. Lina component deployment
      13.1. Download the lina component code
      13.2. Unzip the lina package
   14. luna component installation
      14.1. Download luna components
      14.2. Unzip after downloading
   15. Install and modify nginx configuration files
      15.1. Install (manual compilation is chosen here)
      15.2. Configure nginx
   16. Visit jumpserver for verification
Summary


1. Why does the website architecture need a springboard machine and a bastion machine

        To keep server groups secure, such as nginx load balancing servers, web cluster application-level services (tomcat, java, php) and databases, these servers are generally not exposed directly to the public network: VPN technology is used so that the external network cannot reach the internal network directly. The servers run on the internal network behind the firewall, which guarantees security to the greatest extent. So how is server security ensured inside the enterprise intranet? To prevent operation and maintenance personnel who are not responsible for the cloud from mis-operating the company's internal servers and causing losses, a springboard machine is needed. Even company-internal personnel who need to operate a server must be verified, and after connecting through the springboard, all logins and operations are recorded.

2. The concept of springboard machine and bastion machine

Springboard machine:

        The springboard machine is just a server. When operation and maintenance personnel manage servers, they must first connect to the springboard machine; only then can they control servers in the intranet and log in to the target device for maintenance. The springboard machine belongs to the category of intranet bastion machines and is a host application system for single sign-on. Its disadvantage is that it only secures the login to servers: it does not control or audit the behaviour of operation and maintenance staff or developers. Mistaken operations made on a server through a springboard machine are hard to trace back to the operator.

Bastion machine:

        The bastion machine combines the advantages of the springboard machine with the ability to record the operator and the operations performed, and it can create system accounts. A system account distinguishes roles, but by itself it cannot confirm who actually executed commands under that account.

The role of the bastion machine:

        Because of the shortcomings of springboard machines, enterprises need newer, better and safer technical concepts to manage the operation and maintenance of servers: a technology that meets the requirements of role management, role authorization, information resource access control, operation recording and auditing, system change and maintenance control and other functions, and that can also generate server asset statistics reports. That is the IT bastion machine.

        1. Core system operation and maintenance and security audit management

        2. Filter and intercept unauthorized access and malicious attacks, reject illegal commands, monitor and audit ports, raise alarms and trace responsibility

        3. Alarm, recording, analysis, processing

Bastion machine modules

The functions of the bastion host

        1. Single sign-on function

        2. Account management function

        3. Identity authentication

        4. Resource authorization

        5. Access control

jumpserver official website

        https://docs.jumpserver.org/zh/master/        

3. Jumpserver server deployment

Before installation, you need to know:
Virtual machine configuration: 2 CPUs, 4 cores, 4 GB memory, 50 GB disk
Prerequisite software:
python = 3.6.x
mysql server version must be greater than 5.6
redis database (a cache-type database)

1. Prepare the environment and close the firewall

[root@jumpserver sbin]# systemctl stop firewalld
[root@jumpserver sbin]# systemctl disable firewalld
[root@jumpserver sbin]# setenforce 0
[root@jumpserver sbin]# vim /etc/selinux/config 

2. Configure the yum source and prepare the yum source of Alibaba Cloud

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

yum clean all

yum makecache #Clear the cache and rebuild the yum repository metadata

3. Install the system initialization environment

yum install -y bash-completion vim lrzsz wget expect net-tools nc nmap tree dos2unix htop iftop iotop unzip telnet sl psmisc nethogs glances bc ntpdate openldap-devel gcc zlib zlib-devel

yum -y install git python-pip gcc automake autoconf python-devel vim sshpass lrzsz readline-devel

#git is needed to get the jumpserver code, which is downloaded from github, one of the world's largest code hosting platforms

5. Modify the character set of the system and change it to Chinese

localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8

export LC_ALL=zh_CN.UTF-8 #Temporary modification

echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf #Permanent modification

ls --help #If the help text is shown in Chinese, the configuration is successful

6. Deploy mysql5.6 database

6.1. Download the mysql5.6 version from the official website

wget https://cdn.mysql.com//Downloads/MySQL-5.6/MySQL-5.6.49-1.el7.x86_64.rpm-bundle.tar

6.2. Decompress the data package

tar -xvf MySQL-5.6.49-1.el7.x86_64.rpm-bundle.tar #Extract the rpm bundle downloaded above

yum localinstall ./* #Install the extracted rpm packages; yum handles the dependencies automatically

The packages are installed automatically.

6.3. Modify some mysql configuration files

vim /etc/my.cnf #Main configuration file of the database; usually the defaults are kept

6.4. Initialize mysql

cat /root/.mysql_secret #View the initial password of the database

mysqladmin -u root -p password #Change the password (prompts for the initial password, then the new one); I changed it to 123456 here

mysql -u root -p123456 #Log in

6.5. After logging in to the database, create the user information required to run jumpserver (and change the character encoding to utf8 to support Chinese)

mysql> create database jumpserver default charset 'utf8' collate 'utf8_bin';  
Query OK, 1 row affected (0.00 sec)

6.6. Create a user ('user'@'host': % allows the user to log in from anywhere; IDENTIFIED BY sets the password)

mysql> create user 'jumpserver'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.01 sec)

6.7. Grant permissions to the user

mysql> grant all privileges on jumpserver.* to 'jumpserver'@'%' identified by '123456';
Query OK, 0 rows affected (0.00 sec)

Refresh so the current privileges take effect immediately:

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

At this point, mysql deployment is complete

7. Deploy python3.6

7.1. Download the source code of python3.6

wget https://www.python.org/ftp/python/3.6.10/Python-3.6.10.tgz

7.2. Decompress and compile the python installation package

tar -xvf Python-3.6.10.tgz

cd Python-3.6.10/ #Enter the source package

./configure --prefix=/usr/local/python3 #Configure the build and specify the installation directory of python3

make -j3 && make install #Compile and install

7.3. Configure environment variables for python3

echo 'export PATH=/usr/local/python3/bin:$PATH' >> /etc/profile #Add python3 to the PATH

source /etc/profile #Reload the environment

## Then type python3.6 on the command line to enter the interpreter (quit() to exit)

7.4. Create a virtual environment for python3

A virtual environment handles the scenario where several applications on one server need the same py version but different modules.

pip3 here is the py3 version of pip, used to install third-party modules. If you don't have pip3, install it first.

pip3 install virtualenv 

------Note that if such an error occurs when creating a virtual environment------

error reason

        We are installing the virtual environment tool, but usually when installing a python3 module this fails because python3 was compiled without ssl support, so python3 (pip) cannot be used to download packages. The solution is as follows.

Solution

        Delete the compiled and installed python3, install the openssl tool, then recompile and install python3.

vim /etc/profile #First comment out the PATH line configured earlier

rm -rf /usr/local/python3/ #Delete the previously installed python; this removes the compiled python3 completely

yum install openssl openssl-devel -y

After installation, compile and install python again (from the Python-3.6.10 source directory):

./configure --prefix=/usr/local/python3.6

make -j3 && make install

7.5. Replace the source of pip3

Because the default pip3 source is the official PyPI site abroad, we replace it here with Alibaba's mirror.

mkdir /root/.pip

touch /root/.pip/pip.conf

vim /root/.pip/pip.conf

######### Write the following content into ###########

[global]

index-url = https://mirrors.aliyun.com/pypi/simple/

7.6. Install the virtualenv module with pip3 again

pip3 install virtualenv #Install the virtualenv module

Downloaded successfully.

Use the virtualenv tool to create a separate python3 interpreter for running the code:

cd /usr/local

virtualenv --python=python3 jum_venel #virtualenv is the virtualization tool; --python specifies the py version; jum_venel is the name of the environment

Created.

In this way, the interpreter body is: /usr/local/python3.6/bin/python3.6

        The virtual interpreter is: /usr/local/jum_venel/bin/python3

7.7. Activate virtual python3.6

source /usr/local/jum_venel/bin/activate #Modifies the environment variables so the virtual interpreter is used by default

The which command shows which python is currently in use, proving whether the virtual environment is active.

deactivate #Exit the current virtual environment

Now you are back in the original environment.

8. Deploy the redis database

        MySQL is a relational, disk-based database: data is stored as files on disk and can be kept long-term.

        Redis is an in-memory, cache-type database: it is faster than mysql, speeds up user requests and improves the performance of the whole web architecture.

8.1. Install redis database

#The Alibaba Cloud source was configured earlier and there is no particular version requirement for redis here, so install it directly with yum

yum -y install redis

8.2. Start and verify the service

systemctl start redis

redis-cli #Open the client (connects to the local instance by default; ip plus port identifies a service)

To verify that it works normally, type ping:

 [root@jumpserver jum_venel]# redis-cli
127.0.0.1:6379> 
127.0.0.1:6379> 
127.0.0.1:6379> 
127.0.0.1:6379> ping
PONG
127.0.0.1:6379> 

When the redis database returns a PONG, it proves that it can be started normally and can be used

At this point, the redis deployment is over

9. Deploy the jumpserver service

        A background program basically needs the database to be running. When the background program starts, its code connects to the database, so make sure the database is started and reachable, otherwise the background program will not start.

9.1. Download the code of the jumpserver program

wget https://github.com/jumpserver/jumpserver/releases/download/v2.1.0/jumpserver-v2.1.0.tar.gz

9.2. Unzip the source code and install the dependent software required by jumpserver

tar -zxvf jumpserver-v2.1.0.tar.gz #After decompression, create a soft link for it so it is easy to find

ln -s /opt/jumpserver-v2.1.0 jumpserver

Install dependencies:

yum install -y bash-completion vim lrzsz wget expect net-tools nc nmap tree dos2unix htop iftop iotop unzip telnet sl psmisc nethogs glances bc ntpdate openldap-devel

Some of this software was already installed above; to avoid omissions, install it again.

9.3. Install the modules required to run jumpserver

Since the program is developed in py, the modules it uses must be installed before it can run correctly.

cd /opt/jumpserver/requirements/ #The requirements.txt contains the required py modules

requirements.txt content

Note: to install the jumpserver modules you must be in the py3 virtual environment, so activate the environment before installing!

source /usr/local/jum_venel/bin/activate #Activate the virtual environment

pip3 install -r /opt/jumpserver/requirements/requirements.txt

# pip3 install -r installs multiple modules at once: all packages listed in requirements.txt

9.4. Modify the jumpserver configuration file

cd /opt/jumpserver #Enter the source package; config_example.yml is its configuration template

cp config_example.yml config.yml #Copy it and rename the copy

Look at the effective settings in the config file:

egrep -v "^#|^$" config.yml #Print everything except comment lines (starting with #) and blank lines

(jum_venel) [root@jumpserver jumpserver]# egrep -v "^#|^$" config.yml 
SECRET_KEY:      #The secret key must be filled in
BOOTSTRAP_TOKEN:    #Also a key
DB_ENGINE: mysql    #Which database is used
DB_HOST: 127.0.0.1  #Default IP address
DB_PORT: 3306        #Default port
DB_USER: jumpserver   #The default user is the user we created in the database step
DB_PASSWORD:          #Database password
DB_NAME: jumpserver   #Database name
HTTP_BIND_HOST: 0.0.0.0  #Address jumpserver runs on; 0 means bind all IPs of this machine, internal and external, which is very dangerous if the jumpserver is on the public network
HTTP_LISTEN_PORT: 8080   #Port the jumpserver backend listens on
WS_LISTEN_PORT: 8070     #WEB SOCKET
REDIS_HOST: 127.0.0.1    #Default redis IP
REDIS_PORT: 6379         #Default redis port

We first need to generate the following two keys:

SECRET_KEY:     
BOOTSTRAP_TOKEN:    

Generate SECRET_KEY key

if [ "$SECRET_KEY" = "" ]; then SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50` ; echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc; echo $SECRET_KEY; else echo $SECRET_KEY; fi

Generate BOOTSTRAP_TOKEN key

if [ "$BOOTSTRAP_TOKEN" = "" ]; then BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc; echo $BOOTSTRAP_TOKEN; else echo $BOOTSTRAP_TOKEN; fi

vim config.yml #Fill in the two keys generated above

At this point, the configuration file modification is complete 

10. Perform database migration for python programs

        Jumpserver is developed with python's web framework django. Database migration must be performed first to generate the tables before the program can run.

10.1. First enter mysql to check the library

(jum_venel) [root@jumpserver jumpserver]# mysql -uroot -p123456
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 18
Server version: 5.6.49 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;   #List the databases
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.01 sec)

mysql> use jumpserver    #Switch to the jumpserver database
Database changed
mysql> show tables;      #List the tables in the database
Empty set (0.00 sec)     #No tables yet

mysql> 

10.2. Database migration command for the jumpserver background program

Note: this must be carried out in the py virtual environment.

cd /opt/jumpserver/apps #Enter the apps directory in the source tree

manage.py is a py script and the entry point for the backend management commands. We execute it with py3 and pass parameters:

python3 /opt/jumpserver/apps/manage.py makemigrations

------Note that if such an error occurs during database migration------

(jum_venel) [root@jumpserver apps]# python3 manage.py makemigrations
Traceback (most recent call last):
  File "manage.py", line 28, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/core/management/__init__.py", line 381, in execute_from_command_line
    utility.execute()
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/core/management/__init__.py", line 375, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/core/management/base.py", line 323, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/core/management/base.py", line 364, in execute
    output = self.handle(*args, **options)
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/core/management/base.py", line 83, in wrapped
    res = handle_func(*args, **kwargs)
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/core/management/commands/makemigrations.py", line 101, in handle
    loader.check_consistent_history(connection)
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/db/migrations/loader.py", line 283, in check_consistent_history
    applied = recorder.applied_migrations()
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/db/migrations/recorder.py", line 73, in applied_migrations
    if self.has_table():
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/db/migrations/recorder.py", line 56, in has_table
    return self.Migration._meta.db_table in self.connection.introspection.table_names(self.connection.cursor())
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/db/backends/base/base.py", line 256, in cursor
    return self._cursor()
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/db/backends/base/base.py", line 233, in _cursor
    self.ensure_connection()
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/db/backends/base/base.py", line 217, in ensure_connection
    self.connect()
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/db/backends/base/base.py", line 195, in connect
    self.connection = self.get_new_connection(conn_params)
  File "/usr/local/jum_venel/lib/python3.6/site-packages/django/db/backends/mysql/base.py", line 227, in get_new_connection
    return Database.connect(**conn_params)
  File "/usr/local/jum_venel/lib/python3.6/site-packages/MySQLdb/__init__.py", line 85, in Connect
    return Connection(*args, **kwargs)
  File "/usr/local/jum_venel/lib/python3.6/site-packages/MySQLdb/connections.py", line 208, in __init__
    super(Connection, self).__init__(*args, **kwargs2)
TypeError: connect() argument 3 must be str, not int

Pay attention to the last line, [TypeError: connect() argument 3 must be str, not int]: it reports a type error, meaning a str (string) was required but an int (integer) was given.

main reason

        The main reason is that in the config.yml written earlier the database password was set to the pure number 123456. An unquoted pure-number value in the yml is read as int type, so it is not accepted as a password.

Solution

(jum_venel) [root@jumpserver apps]# mysqladmin -ujumpserver -p password
Enter password: 
New password: 
Confirm new password: 

Here, reset the password of the database user jumpserver to one that is not a pure number, then change the database password in config.yml to match.

Run python3 /opt/jumpserver/apps/manage.py makemigrations again and the problem is solved!

python3 /opt/jumpserver/apps/manage.py makemigrations
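To catch this mistake before makemigrations is run at all, here is an added pre-flight check written for this article (example code, not part of the jumpserver project). It mimics YAML's implicit typing for the flat KEY: value layout of config.yml with a deliberately simplified parser (not PyYAML; no nesting, lists or YAML 1.1 number forms such as hex), flags an unquoted numeric DB_PASSWORD, an empty SECRET_KEY or BOOTSTRAP_TOKEN, and the 0.0.0.0 bind address the config comments warn about. The sample config and its token value are constructed.

```python
"""Pre-flight check for jumpserver's flat config.yml (added example, not project code).

YAML resolves an unquoted all-digit scalar such as `DB_PASSWORD: 123456` to an int,
which is why makemigrations failed with "connect() argument 3 must be str, not int".
Quoting the value (`DB_PASSWORD: '123456'`) keeps it a string.
"""
import re
from typing import Dict, List, Union

Scalar = Union[str, int, float, bool, None]

# Constructed sample (not from a real deployment): numeric password, empty
# SECRET_KEY and the default 0.0.0.0 bind address; the token is made up.
SAMPLE_CONFIG = """\
SECRET_KEY:
BOOTSTRAP_TOKEN: a1B2c3D4e5F6g7H8
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: 123456
DB_NAME: jumpserver
HTTP_BIND_HOST: 0.0.0.0  #bind all interfaces
HTTP_LISTEN_PORT: 8080
"""


def resolve_scalar(raw: str) -> Scalar:
    """Approximate YAML implicit typing for one plain or quoted scalar."""
    raw = raw.strip()
    if raw in ("", "~") or raw.lower() == "null":
        return None
    # Quoted scalars are always strings: this is the fix for numeric passwords.
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    if raw.lower() in ("true", "yes", "on"):
        return True
    if raw.lower() in ("false", "no", "off"):
        return False
    if re.fullmatch(r"[-+]?\d+", raw):
        return int(raw)                      # 123456 -> int, the bug on this page
    if re.fullmatch(r"[-+]?(\d+\.\d*|\.\d+)([eE][-+]?\d+)?", raw):
        return float(raw)
    return raw                               # 127.0.0.1, 0.0.0.0, mysql ... stay str


def parse_flat_yaml(text: str) -> Dict[str, Scalar]:
    """Parse `KEY: value` lines, skipping comments and blanks like egrep -v '^#|^$'."""
    cfg: Dict[str, Scalar] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition(":")
        if not sep:
            continue
        value = value.split(" #", 1)[0]      # drop a trailing comment (simplified)
        cfg[key.strip()] = resolve_scalar(value)
    return cfg


def check_config(cfg: Dict[str, Scalar]) -> List[str]:
    """Return the problems to fix before running manage.py (empty list = clean)."""
    findings: List[str] = []
    for key in ("SECRET_KEY", "BOOTSTRAP_TOKEN"):
        if not isinstance(cfg.get(key), str) or not cfg[key]:
            findings.append(f"ERROR {key}: missing or not a string; generate it and keep it quoted")
    pw = cfg.get("DB_PASSWORD")
    if not isinstance(pw, str) or pw == "":
        findings.append(
            f"ERROR DB_PASSWORD: expected str, got {type(pw).__name__}; "
            "quote it ('123456') or use a non-numeric password")
    if cfg.get("HTTP_BIND_HOST") == "0.0.0.0":
        findings.append("WARN HTTP_BIND_HOST: 0.0.0.0 binds every interface; "
                        "firewall it and reach it only through nginx")
    return findings


def lint_config_text(text: str) -> List[str]:
    """Convenience wrapper: parse then check."""
    return check_config(parse_flat_yaml(text))


if __name__ == "__main__":
    for finding in lint_config_text(SAMPLE_CONFIG):
        print(finding)
```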

10.3. Continue to the next step, database migration command 2

python3 /opt/jumpserver/apps/manage.py migrate

Completed without error.

10.4. Enter mysql to verify the data in the database

You will find that there are now many more tables; the data migration is complete.

10.5. Start the jumpserver service

cd /opt/jumpserver

jms is the startup script

/opt/jumpserver/jms start -d #-d means run in the background

ps -ef | grep 116809 #Check the working process by its pid

This means the program has run successfully.

Let's go to the browser to verify it.

The page here is still rough, because the nginx reverse proxy is needed before this program can be used properly.

11. Deploy CoCo/koko components

        The koko component implements the SSH Server and Web Terminal Server parts of the system and provides the SSH and WebSocket interfaces, letting us type commands on a web page online as in xshell. It is developed in the golang programming language; compared with the previous coco component (written in py with Paramiko and Flask), its performance is higher.

11.1. Download koko components

wget https://github.com/jumpserver/koko/releases/download/v2.1.0/koko-v2.1.0-linux-amd64.tar.gz

Download complete.

11.2. Unzip koko

tar -zxvf koko-v2.1.0-linux-amd64.tar.gz 

cd koko-v2.1.0-linux-amd64/

Modify the koko configuration file:

cp config_example.yml config.yml #Copy the configuration template

vim config.yml

A total of two places were modified.

11.3. Start the koko program

./koko -d #Start the service

It is now running; we can also check the koko log to confirm it started correctly.

12. Install Guacamole

        Guacamole is an Apache project; Jumpserver uses it to implement the RDP function. Jumpserver does not modify the Guacamole code but adds an extra plug-in so that Guacamole can be called by Jumpserver. (RDP is the remote desktop protocol; with it the backend server can be operated through the browser.)

12.1. Deploy Guacamole components

Here I have prepared the image installation package, if you need it, you can private message me, and I will send it to you.

tar -xvf guacamole-v2.1.0.tar.gz #Decompress

Enter the decompressed package.

There are several other packages inside, which also need to be decompressed:

tar -zxvf  guacamole-server-1.2.0.tar.gz

tar -zxvf  ssh-forward.tar.gz 

12.2. Some software packages required for installing guacamole components

cd guacamole-server-1.2.0/ #Enter the source package

#You need to install the dependent environment before compiling

yum -y install cairo-devel libjpeg-turbo-devel libjpeg-devel libpng-devel libtool uuid-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel libwebsockets-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel

12.3. Install FFmpeg tool

The ffmpeg tool is used to process media files such as audio and video.

yum -y install epel-release 

rpm -v --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm

yum -y install ffmpeg ffmpeg-devel

12.4. Compile and install guacamole

cd /opt/docker-guacamole-2.1.0/guacamole-server-1.2.0 #Enter the source package

./configure --with-init-dir=/etc/init.d #Configure the build and generate an init script

make && make install

This completes the installation.

12.5. Install java development environment

yum -y install java-1.8.0-openjdk #Install java development environment

12.6. Create the folder needed to run guacamole

mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive && \
chown daemon:daemon /config/guacamole/record /config/guacamole/drive && \
cd /config

12.7. Download the tomcat tool to run the java project

I already have the tomcat package locally; I just dragged it in and installed it.

cd /opt && \
tar -xf apache-tomcat-9.0.65.tar.gz && \
mv apache-tomcat-9.0.65 tomcat9 && \
rm -rf /opt/tomcat9/webapps/* && \
sed -i 's/Connector port="8080"/Connector port="8081"/g' /opt/tomcat9/conf/server.xml && \
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /opt/tomcat9/conf/logging.properties && \
ln -sf /opt/docker-guacamole-2.1.0/guacamole-1.0.0.war /opt/tomcat9/webapps/ROOT.war && \
ln -sf /opt/docker-guacamole-2.1.0/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar && \
ln -sf /opt/docker-guacamole-2.1.0/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties

Enter these commands on the command line. The operations are mainly:

Unzip tomcat and rename it to tomcat9

Delete the resource files in tomcat's webapps

Change the tomcat default port to 8081 (8080 is already used by the jumpserver backend)

The rest establishes the soft links

12.8. Set the operating environment of guacamole

export JUMPSERVER_SERVER=http://127.0.0.1:8080    
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=Ovn181zT7q7a8Die
echo "export BOOTSTRAP_TOKEN=Ovn181zT7q7a8Die" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc

Parameter meaning:

JUMPSERVER_SERVER is the address used to reach the core service

BOOTSTRAP_TOKEN must be changed to your own; if you forget it, look in config.yml under jumpserver

JUMPSERVER_KEY_DIR is the key storage directory used after successful authentication

GUACAMOLE_HOME is the directory where the guacamole.properties configuration file is located

GUACAMOLE_LOG_LEVEL is the level of logs generated

JUMPSERVER_ENABLE_DRIVE mounts a shared disk for the rdp protocol

12.9. Start the guacamole service

/etc/init.d/guacd start #Start the service

12.10. Start tomcat service

/opt/tomcat9/bin/startup.sh

13. Lina component deployment

Lina is the front-end module, responsible for displaying the pages.

13.1. Download the lina component code

wget https://github.com/jumpserver/lina/releases/download/v2.1.0/lina-v2.1.0.tar.gz

13.2. Unzip the lina package

tar -zxvf lina-v2.1.0.tar.gz

mv lina-v2.1.0 lina #Rename for easy use

chown -R nginx:nginx lina #Change its owner and group so it is managed by nginx

14. luna component installation

        Luna is the front-end of the web terminal; the web terminal page is provided by this project. jumpserver now only provides the api and no longer renders html in the backend. Combined with lina, luna provides the command-line terminal in the web page.

14.1. Download luna components

wget https://github.com/jumpserver/luna/releases/download/v2.1.1/luna-v2.1.1.tar.gz

14.2. Unzip after downloading

tar -zxvf luna-v2.1.1.tar.gz

mv luna-v2.1.1 luna #Rename

15. Install and modify nginx configuration files

15.1. Install (manual compilation is chosen here)

See: Nginx compilation and installation + monitoring module vts (IT.cat's blog, CSDN)

15.2. Configure nginx

Nginx serves the static files and acts as a reverse proxy for the jumpserver daemons.

vim /usr/local/nginx/conf/nginx.conf

We only modify the server block; the other defaults remain unchanged.

    server {
        listen       80;
        client_max_body_size 100m; #Size limit for recordings and file uploads
        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /ui/ {
            try_files $uri / /index.html;
            alias /opt/lina/;
        }
        location /status {
            vhost_traffic_status_display;
            vhost_traffic_status_display_format html;
        }
        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;   #luna path; change it if the installation directory is changed
        }
        location /media/ {    #Static file handling
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/; #Recording location; change it if the installation directory is changed
        }
        location /static/ {
            root /opt/jumpserver/data/;
        }
        location /koko/ {  #Requests for koko are reverse-proxied through proxy_pass
            proxy_pass http://localhost:5000;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location /guacamole/ {
            proxy_pass http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location /ws/ {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://localhost:8070;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location /api/ {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location /core/ {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location / {
            rewrite ^/(.*)$ /ui/$1 last;
        }
    }

16. Visit jumpserver for verification

Visit http://<your own IP>:80

When we access port 80, it automatically jumps to the better visual interface provided by lina.

The default username and password are both admin.

This is the effect after logging in. If you can see this page, your jumpserver is deployed successfully.

Summary:

        Throughout the deployment, the compilation environment must be installed completely. Since there are many things to install, make sure your network connection is stable. Even if there are network fluctuations during installation, don't panic: delete the incompletely downloaded files and download them again.

        When installing jumpserver, make sure it is installed in the py3 virtual environment, because deploying different py3-based applications may require different py3 modules; to avoid conflicts, we create a separate py3 virtual environment for each. The py3 environment I created here is in /usr/local/jump_venv1.

        The intermediate deployment and configuration steps need care, and the process is relatively complicated. Common errors are explained in this article.

        Some software packages in the article are not publicly available; I can send them to everyone for free by private message.


Origin blog.csdn.net/qq_57377057/article/details/126526669#comments_26027246