Linux deployment jumpserver bastion machine and problem summary

The deployment process is relatively complicated! Please browse patiently!

Table of contents

1. Introduction to jumpserver bastion machine

1.1 Why do you need to use a bastion host?

1.2 Main functions of the bastion host

2. Preparation

2.1 Turn off the firewall and SElinux

2.2 Time Synchronization

2.3 Change the hostname

2.4 yum source backup and preparation

2.5 Install initial tools

2.6 Modify the system character set

2.7 Restart

3. Install MySQL

3.1 Delete mariadb (CentOS7 comes with mariadb)

3.2 install mysql5.7

3.3 Change mysql password and password complexity

4. Install python3.6

4.1 install python3.6

4.2 Replace pip3 source

4.3 Install python virtual environment

5. Install redis

6. Deploy jumpserver

6.1 Download and decompress

6.2 Install dependencies or tools

6.3 Install the py module in the python virtual environment

6.4 Get SECRET_KEY, BOOTSTRAP_TOKEN secret key

6.5 Change the jumpserver configuration file

7. Data Migration

7.1 View jumpserver database

7.2 Data Migration

7.3 View the jumpserver database again

8. Start the jumpserver service

9. Deploy koko components

10. Deploy the guacamole component

10.1 Download guacamole-server and ssh-forward

10.2 Install ffmpeg tools

10.3 Compile and install guacamole

10.4 Install java environment

10.5 Setting up the guacamole environment

10.6 Start tomcat and guacamole

11. lina/luna module

11.1 Create a new Linux user nginx

11.2 install lina/luna

12. Compile and install nginx, nginx-module-vts

12.1 download nginx

12.2 Change nginx.conf

12.3 Verifying nginx

12.4 Explanation of monitoring list

12.5 Change the nginx configuration again

13. Access jumpserver

14. Problem Summary

14.1 pip package path

14.2 nginx occupation and restart

14.3 mysql import data error

14.4 pip3 install virtualenv error

14.5 Start jumpserver after restarting the host

15. Reference Links

1. Introduction to jumpserver bastion machine

1.1 Why do you need to use a bastion host?

To prevent staff outside the cloud operations team from mis-operating the company's internal servers and causing losses, a jump host (springboard machine) is used. Even internal staff who need to operate a server must be authenticated first, and once connected through the springboard, every login and operation is recorded.

Springboard machine:
The springboard machine is just a server. When operations staff manage servers, they must first connect to the springboard, and only then can they reach the intranet servers and log in to the target device for maintenance. The springboard belongs to the category of intranet bastion hosts and is a host application system for single sign-on. Its drawback is that it only secures server login; it does not control or audit the behaviour of operations and development staff. A mistake made on a server through a springboard is hard to attribute to a particular operator.

Bastion machine:
The bastion machine keeps the advantages of the springboard and additionally records who operated what. It can create system accounts whose purpose is to distinguish roles, but a system account alone cannot confirm which person actually executed a command.

The role of the bastion machine:
Because of the shortcomings of the springboard machine, enterprises need newer, better and more secure technical concepts for managing server operations: a system that provides role management, role authorization, access control for information resources, operation recording and auditing, system change and maintenance control, and more.

        1. Core system operation and maintenance and security audit management

        2. Filter and intercept unauthorized access and malicious attacks, reject illegal commands, monitor and audit ports, raise alarms and trace responsibility

        3. Alarm, recording, analysis, processing

1.2 Main functions of the bastion host

        1. Single sign-on function

        2. Account management function

        3. Identity authentication

        4. Resource authorization

        5. Access control

2. Preparation

Virtual machine platform: VMware
IP: 192.168.132.65 (choose your own)
Virtual machine configuration: 1 vCPU, 1 core, 2 GB RAM, 40 GB disk (a test/learning environment; size a production deployment according to its own needs)
Unless otherwise stated, all files fetched with wget or otherwise downloaded are stored under /opt
python = 3.6.x   the Python version must be 3.6 or above
mysql 5.7        the version must be greater than 5.6
redis            cache database

2.1 Turn off the firewall and SElinux

systemctl stop firewalld
systemctl disable firewalld

Disable SELinux; this takes effect after a reboot.
Edit the file /etc/selinux/config
and change SELINUX=enforcing to SELINUX=disabled

2.2 Time Synchronization

date

yum install ntpdate -y
timedatectl set-timezone Asia/Shanghai
ntpdate ntp1.aliyun.com
systemctl enable ntpdate

date  #check that the system time is now synchronized

2.3 Change the hostname

hostnamectl set-hostname jumpserver

2.4 yum source backup and preparation

mkdir /etc/yum.repos.d/bak
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/    #back up the existing yum sources

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

yum clean all
yum makecache  #clear the cache and rebuild the yum repository metadata

2.5 Install initial tools

yum install -y bash-completion vim lrzsz wget expect net-tools nc nmap tree dos2unix htop iftop iotop unzip telnet sl psmisc nethogs glances bc ntpdate openldap-devel gcc zlib zlib-devel

2.6 Modify the system character set

echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf  #permanent change, no reboot required (takes effect in new login shells)

Run ls --help; if some of the output is displayed in Chinese, the change was successful.

2.7 Restart

reboot

3. Install MySQL

Install MySQL first; otherwise MySQL-related errors later in the process are hard to deal with. Make sure the MySQL installation is complete before continuing.

3.1 Delete mariadb (CentOS7 comes with mariadb)

The MySQL-compatible database that ships with CentOS 7 is mariadb. It conflicts with MySQL and must be removed first!!!

3.2 install mysql5.7

cd /opt

wget http://dev.mysql.com/get/mysql-5.7.26-1.el7.x86_64.rpm-bundle.tar
tar -xvf mysql-5.7.26-1.el7.x86_64.rpm-bundle.tar

mkdir mysql
mv mysql-community*.rpm mysql   #move the packages into the mysql directory

rpm -ivh mysql-community-common-5.7.26-1.el7.x86_64.rpm
rpm -ivh mysql-community-libs-5.7.26-1.el7.x86_64.rpm
rpm -ivh mysql-community-client-5.7.26-1.el7.x86_64.rpm
rpm -ivh mysql-community-server-5.7.26-1.el7.x86_64.rpm

rpm -ivh mysql-community-devel-5.7.26-1.el7.x86_64.rpm  #can normally be skipped when installing mysql, but later jumpserver steps need the mysql-devel tools

systemctl start mysqld
systemctl enable mysqld

If the following error is reported, add the --nodeps option, which tells rpm not to check dependencies.

warning: mysql-community-server-5.7.26-1.el7.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 5072e1f5: NOKEY
error: Failed dependencies:

View the initial password of the root user

grep 'temporary password' /var/log/mysqld.log

If the password query prints nothing, delete the leftover mysql data files and restart mysqld:

rm -rf /var/lib/mysql
systemctl restart mysqld
grep 'temporary password' /var/log/mysqld.log

3.3 Change mysql password and password complexity

mysql -uroot -p
#paste the temporary password obtained above

show variables like 'validate_password%';  #view the password complexity settings

set global validate_password_length=6;  #minimum length
set global validate_password_mixed_case_count=0;  #required upper/lower-case characters
set global validate_password_special_char_count=0;  #required special characters
flush privileges;

create database jumpserver default charset 'utf8' collate 'utf8_bin';  #create a database named jumpserver
set password for 'root'@'localhost' =password('yz123456');  #change the mysql root password to yz123456
create user 'jumpserver'@'%' IDENTIFIED BY 'yz123456';  #create the mysql user jumpserver with password yz123456

grant all privileges on root.* to 'jumpserver'@'%' identified by 'yz123456';  #grant on a database named "root" (not required by jumpserver)
grant all privileges on jumpserver.* to 'jumpserver'@'%' identified by 'yz123456';  #grant privileges ('%' allows connections from any host; jumpserver connects from 127.0.0.1, so 'localhost' would be the tighter choice)

Password complexity property explained:

validate_password_length #password length 
validate_password_mixed_case_count #number of uppercase and lowercase characters
validate_password_number_count #number of numbers 
validate_password_special_char_count #number of special characters

4. Install python3.6

4.1 Install python3.6

The Python version must be greater than or equal to 3.6.x.

cd /opt
wget https://www.python.org/ftp/python/3.6.10/Python-3.6.10.tgz
tar -xvf Python-3.6.10.tgz

yum install -y openssl openssl-devel  #SSL libraries; must be installed before building python

cd /opt/Python-3.6.10/
./configure --prefix=/usr/local/python3.6  #configure the build and set the python3.6 install directory
make -j3 && make install  #compile and install

echo 'PATH="/usr/local/python3.6/bin:$PATH"' >> /etc/profile  #add it to the environment
source /etc/profile  #reload the environment
##afterwards, typing python3.6 at the command line enters the interpreter (quit() to exit)

Note that typing python and python3.6 in the terminal gives different results. Python 2.7 ships with the Linux distribution; it does not need to be uninstalled and will not interfere.

4.2 Replace pip3 source

mkdir /root/.pip
touch /root/.pip/pip.conf
vim /root/.pip/pip.conf

#########write the following content into the file###########

[global]
index-url = https://mirrors.aliyun.com/pypi/simple/

4.3 Install python virtual environment

A virtual environment handles the case where several applications on one server need the same Python version but different modules. virtualenv is a Python virtualization tool.

pip3 install virtualenv

cd /usr/local
virtualenv  --python=python3 jmp_venvl

 

Note that there are two python interpreters at this point

The interpreter body is: /usr/local/python3.6/bin/python3.6

The virtual interpreter is: /usr/local/jmp_venvl/bin/python3

Switch python virtual environment

source /usr/local/jmp_venvl/bin/activate  #reload the environment and enter the python virtual environment; the prompt then carries a (jmp_venvl) marker

deactivate  #leave the current virtual environment / switch back to the real system environment

Inside the virtual environment, typing python now gives version 3.6 rather than 2.7.

5. Install redis

yum -y install redis
systemctl start redis
systemctl enable redis

redis-cli  #verify
[root@jumpserver ~]# redis-cli
127.0.0.1:6379> ping
PONG  #a PONG reply shows redis started correctly

6. Deploy jumpserver

6.1 Download and decompress

cd /opt
wget https://github.com/jumpserver/jumpserver/releases/download/v2.1.0/jumpserver-v2.1.0.tar.gz
tar -zxvf jumpserver-v2.1.0.tar.gz
ln -s /opt/jumpserver-v2.1.0 /opt/jumpserver

6.2 Install dependencies or tools

yum install -y bash-completion vim lrzsz wget expect net-tools nc nmap tree dos2unix htop  iftop iotop unzip telnet sl psmisc nethogs glances bc ntpdate openldap-devel

6.3 Install the py module in the python virtual environment

Note: to install the jumpserver modules you must be inside the py3 virtual environment; activate it before installing!!!

cd /opt/jumpserver/requirements/
cat /opt/jumpserver/requirements/requirements.txt

source /usr/local/jmp_venvl/bin/activate  #very important!!!
pip3 install -r /opt/jumpserver/requirements/requirements.txt

deactivate

Error when installing requirements.txt with pip3:

No matching distribution found for mysqlclient==1.3.14

pip reports that mysqlclient==1.3.14 cannot be found. The entry does exist in requirements.txt; what is missing is mysql-devel. If you installed mysql following the steps above, this error will not appear. Many posts online use yum (yum install mysql-devel), which fails with "no package available" because mysql was installed manually and there is no mysql yum repo. Install mysql-devel manually from the downloaded bundle instead; if it reports an error, add the --nodeps option.

###Solution###
cd /opt/mysql
rpm -ivh mysql-community-devel-5.7.26-1.el7.x86_64.rpm

6.4 Get SECRET_KEY, BOOTSTRAP_TOKEN secret key

These two keys are needed in the next steps

#obtain SECRET_KEY
if [ "$SECRET_KEY" = "" ]; then SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50` ; echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc; echo $SECRET_KEY; else echo $SECRET_KEY; fi

#obtain BOOTSTRAP_TOKEN
if [ "$BOOTSTRAP_TOKEN" = "" ]; then BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`; echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc; echo $BOOTSTRAP_TOKEN; else echo $BOOTSTRAP_TOKEN; fi

SECRET_KEY: UtsbR8W5fJ81M4s6k0vcITUiASsHOTRKOIq0KvCnzzXupQpqcp
BOOTSTRAP_TOKEN: 1iTfoBKVFv13PtSg

6.5 Change the jumpserver configuration file

cd /opt/jumpserver
cp config_example.yml config.yml  #config_example.yml is the template; the configuration actually in effect is config.yml
vim config.yml

#fill in the two keys obtained above and the database password "yz123456"

egrep -v "^#|^$" config.yml strips the comment lines and blank lines before displaying, so it shows the effective configuration concisely. Change the two keys to your own values and fill in the database password; nothing else needs to be changed.

[root@jumpserver jumpserver]# cd /opt/jumpserver
[root@jumpserver jumpserver]# egrep -v "^#|^$" config.yml
SECRET_KEY: UtsbR8W5fJ81M4s6k0vcITUiASsHOTRKOIq0KvCnzzXupQpqcp  #KEY
BOOTSTRAP_TOKEN: 1iTfoBKVFv13PtSg                               #TOKEN
DB_ENGINE: mysql         #database type in use
DB_HOST: 127.0.0.1       #default IP address
DB_PORT: 3306            #default port
DB_USER: jumpserver      #the user we created in the database step
DB_PASSWORD: yz123456    #database password (note the space after the colon; without it the line is not a valid YAML key/value pair)
DB_NAME: jumpserver      #name of the database created in the database step
HTTP_BIND_HOST: 0.0.0.0  #address jumpserver listens on; 0.0.0.0 binds every internal and external IP of this machine, which is dangerous if the jumpserver host is on the public internet
HTTP_LISTEN_PORT: 8080   #port the jumpserver backend listens on
WS_LISTEN_PORT: 8070     #WebSocket port
REDIS_HOST: 127.0.0.1    #default redis IP
REDIS_PORT: 6379         #default redis port
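The two generator one-liners in 6.4 and the settings listed in 6.5 can be wrapped in a small script. The following is an added example, not code from the original post or from the JumpServer project: it regenerates the secrets with the same /dev/urandom recipe and then checks a config.yml for the mistakes that commonly follow (a key written without a space after the colon, which YAML does not parse as a key/value pair; a SECRET_KEY shorter than the 50 characters generated above; and HTTP_BIND_HOST left at 0.0.0.0, which the post itself flags as dangerous on a public host). The key names are the ones in the egrep output above; the function names and the check thresholds are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the JumpServer project).
# Generates the 6.4 secrets and sanity-checks a jumpserver config.yml.
# Assumes the top-level keys shown in the post's egrep output
# (SECRET_KEY, BOOTSTRAP_TOKEN, DB_*, HTTP_BIND_HOST, ...).

# Alphanumeric secret of the requested length, same recipe as the 6.4 one-liners.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Print the value of one top-level "KEY: value" entry in config.yml.
# Comment lines are skipped; returns 1 when the key is absent.
cfg_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        $1 == (k ":") {
            sub(/^[^:]*:[[:space:]]*/, "")   # drop "KEY: "
            sub(/[[:space:]]+#.*$/, "")      # drop a trailing comment
            print; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Report the problems the post draws attention to.
# Returns 0 when the file looks sane, 1 when at least one finding was printed.
check_jms_config() {
    file="$1"; rc=0

    # "DB_PASSWORD:yz123456" (no space after the colon) is a plain string to
    # YAML, not a mapping entry, so the setting is silently ignored.
    if grep -Eq '^[A-Z_]+:[^[:space:]]' "$file"; then
        echo "malformed entry (no space after ':'): $(grep -E '^[A-Z_]+:[^[:space:]]' "$file" | head -n 1)"
        rc=1
    fi

    v=$(cfg_get "$file" SECRET_KEY) || v=""
    [ "${#v}" -ge 50 ] || { echo "SECRET_KEY missing or shorter than 50 characters"; rc=1; }

    v=$(cfg_get "$file" BOOTSTRAP_TOKEN) || v=""
    [ "${#v}" -ge 16 ] || { echo "BOOTSTRAP_TOKEN missing or shorter than 16 characters"; rc=1; }

    # nginx proxies to 127.0.0.1:8080, so the core service does not need to
    # listen on every interface.
    v=$(cfg_get "$file" HTTP_BIND_HOST) || v=""
    [ "$v" != "0.0.0.0" ] || { echo "HTTP_BIND_HOST is 0.0.0.0; use 127.0.0.1 behind nginx"; rc=1; }

    return "$rc"
}

# Usage: ./check_jms_config.sh /opt/jumpserver/config.yml
if [ -n "${1:-}" ]; then
    check_jms_config "$1" && echo "$1 looks sane"
fi
```

Run it against config.yml after editing; every finding is printed on its own line and the exit status is non-zero, so it can sit in a deployment script before `jms start`.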

7. Data Migration

Jumpserver is developed with Django, Python's web framework. The data migration must be run first to create the database tables before the program can be started.

7.1 View jumpserver database

[root@jumpserver jumpserver]# mysql -u root -p
Enter password: 

mysql> show databases;   #list the databases
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.01 sec)
mysql> use jumpserver    #switch to the jumpserver database
Database changed
mysql> show tables;      #list the tables in the database
Empty set (0.00 sec)     #nothing imported yet, so the database has no tables

7.2 Data Migration

Be sure to enter the python virtual environment first!!!

source /usr/local/jmp_venvl/bin/activate
cd /opt/jumpserver/apps
python3 /opt/jumpserver/apps/manage.py makemigrations  #light-blue output means success
python3 /opt/jumpserver/apps/manage.py migrate         #many tables are created, each followed by OK

deactivate

If migrate reports an error, add the --fake option: python manage.py migrate --fake

If the tables return OK but show "faked", the migration failed. Check the mysql status with systemctl status mysqld and make sure mysqld is running.

7.3 View the jumpserver database again

Data migration succeeded

(jmp_venvl) [root@jumpserver /]# mysql -u root -p
Enter password: 

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.12 sec)

mysql> use jumpserver;
Database changed

mysql> show tables;
+----------------------------------------------+
| Tables_in_jumpserver                         |
+----------------------------------------------+
| applications_databaseapp                     |
| applications_remoteapp                       |
| assets_adminuser                             |
| assets_asset                                 |
| assets_asset_labels                          |
...

8. Start the jumpserver service

cd /opt/jumpserver
/opt/jumpserver/jms start -d  #-d runs it in the background; subcommands: start|stop|restart|status

Verify the jumpserver initialization page

192.168.136.65:8080

9. Deploy koko components

The koko component implements the SSH server and web terminal server, providing SSH and WebSocket interfaces, and lets us type commands in the web page much like in Xshell. It is written in Go; compared with the earlier coco component (written in Python with Paramiko and Flask), its performance is higher.

cd /opt
wget https://github.com/jumpserver/koko/releases/download/v2.1.0/koko-v2.1.0-linux-amd64.tar.gz
tar -zxvf koko-v2.1.0-linux-amd64.tar.gz
cd koko-v2.1.0-linux-amd64/
cp config_example.yml config.yml
vim config.yml

##fill in the BOOTSTRAP_TOKEN obtained earlier and uncomment the redis lines###

[root@jumpserver koko-v2.1.0-linux-amd64]# egrep -v "^#|^$" config.yml
CORE_HOST: http://127.0.0.1:8080
BOOTSTRAP_TOKEN: 1iTfoBKVFv13PtSg
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD:
REDIS_CLUSTERS:
REDIS_DB_ROOM:

./koko -d  #start the koko service

10. Deploy the guacamole component

Guacamole is an Apache project; Jumpserver uses it as an external component to provide the RDP function. Jumpserver does not modify its code but adds an extra plug-in so that Jumpserver can call it. (RDP is the Remote Desktop Protocol; with it the backend server can be operated through the browser.)

Official download page: Apache Guacamole™: 1.2.0

10.1 Download guacamole-server and ssh-forward

cd /opt
wget -O docker-guacamole-v2.1.1.tar.gz https://github.com/jumpserver/docker-guacamole/archive/master.tar.gz
tar -xf docker-guacamole-v2.1.1.tar.gz

#after extraction the directory is named docker-guacamole-master and contains three entries#
[root@jumpserver opt]# ls /opt/docker-guacamole-master/
Dockerfile    guacamole.properties     etc     

cd /opt/docker-guacamole-master/
wget http://download.jumpserver.org/public/guacamole-server-1.2.0.tar.gz  #download guacamole-server
tar -zxvf guacamole-server-1.2.0.tar.gz

wget http://download.jumpserver.org/public/ssh-forward.tar.gz  #download ssh-forward
tar -zxvf ssh-forward.tar.gz 

cd /opt/docker-guacamole-master/guacamole-server-1.2.0  #enter the source directory

yum -y install cairo-devel libjpeg-turbo-devel libjpeg-devel libpng-devel libtool uuid-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel libwebsockets-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel  #install the build dependencies

10.2 Install ffmpeg tools

The ffmpeg tool is used to process media files

yum -y install epel-release 

rpm -v --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm

yum -y install ffmpeg ffmpeg-devel

10.3 Compile and install guacamole

cd /opt/docker-guacamole-master/guacamole-server-1.2.0  #enter the source directory
./configure --with-init-dir=/etc/init.d  #configure the build
make && make install  #compile and install

10.4 Install java environment

yum -y install java-1.8.0-openjdk

cd /opt
wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.74/bin/apache-tomcat-9.0.74.tar.gz
tar -xf apache-tomcat-9.0.74.tar.gz
mv apache-tomcat-9.0.74 tomcat9
rm -rf /opt/tomcat9/webapps/*

cd /opt/docker-guacamole-master/
wget http://download.jumpserver.org/release/v2.1.1/guacamole-client-v2.1.1.tar.gz  #guacamole-client contains a war package and a jar package
tar -xf guacamole-client-v2.1.1.tar.gz

##change the tomcat configuration###
sed -i 's/Connector port="8080"/Connector port="8081"/g' /opt/tomcat9/conf/server.xml
echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /opt/tomcat9/conf/logging.properties

###3 symbolic links (the /config/guacamole directories must exist first)###
mkdir -p /config/guacamole/extensions /config/guacamole/keys
ln -sf /opt/docker-guacamole-master/guacamole-client-v2.1.1/guacamole-1.0.0.war /opt/tomcat9/webapps/ROOT.war
ln -sf /opt/docker-guacamole-master/guacamole-client-v2.1.1/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar
ln -sf /opt/docker-guacamole-master/guacamole.properties /config/guacamole/guacamole.properties

10.5 Setting up the guacamole environment

~/.bashrc is an environment variable configuration file similar to /etc/profile. It is hidden by default; use ls -a in the /root directory to see it.

export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
export BOOTSTRAP_TOKEN=Ovn181zT7q7a8Die
echo "export BOOTSTRAP_TOKEN=Ovn181zT7q7a8Die" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
export GUACAMOLE_LOG_LEVEL=ERROR
echo "export GUACAMOLE_LOG_LEVEL=ERROR" >> ~/.bashrc
export JUMPSERVER_ENABLE_DRIVE=true
echo "export JUMPSERVER_ENABLE_DRIVE=true" >> ~/.bashrc

Parameter meaning:

JUMPSERVER_SERVER: the address at which the core service is reached

BOOTSTRAP_TOKEN: must be changed to your own value; if you have forgotten it, look it up in config.yml under the jumpserver directory

JUMPSERVER_KEY_DIR: directory where keys are stored after successful authentication

GUACAMOLE_HOME: directory containing the guacamole.properties configuration file

GUACAMOLE_LOG_LEVEL: log level to produce

JUMPSERVER_ENABLE_DRIVE: mount a shared drive for the RDP protocol

10.6 Start tomcat and guacamole

/etc/init.d/guacd start  #start the guacd service
/opt/tomcat9/bin/startup.sh  #start tomcat

11. lina/luna module

Lina is the front-end module responsible for rendering the pages. Luna is the front-end of the web terminal; the planned front-end pages are provided by this project. Jumpserver itself only provides the API and no longer renders HTML on the backend. Combined with lina, this provides a command-line terminal in the web page.

11.1 Create a new Linux user nginx

useradd -M -s /sbin/nologin nginx

11.2 Install lina/luna

cd /opt
wget https://github.com/jumpserver/lina/releases/download/v2.1.0/lina-v2.1.0.tar.gz
wget https://github.com/jumpserver/luna/releases/download/v2.1.1/luna-v2.1.1.tar.gz
tar -zxvf lina-v2.1.0.tar.gz
tar -zxvf luna-v2.1.1.tar.gz
mv lina-v2.1.0 lina
mv luna-v2.1.1 luna
chown -R nginx:nginx lina  #change owner and group so that nginx manages it
chown -R nginx:nginx luna  #change owner and group so that nginx manages it

12. Compile and install nginx, nginx-module-vts

12.1 Download nginx

cd /opt
wget http://nginx.org/download/nginx-1.22.0.tar.gz
tar -zxvf nginx-1.22.0.tar.gz
wget https://gitcode.net/mirrors/vozlt/nginx-module-vts/-/archive/master/nginx-module-vts-master.zip  #this may fail, but the link is fine; if so, download it on a Windows host and copy it to /opt
unzip nginx-module-vts-master.zip

yum -y install gcc gcc-c++ pcre pcre-devel zlib zlib-devel openssl openssl-devel make

cd /opt/nginx-1.22.0/
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --add-module=/opt/nginx-module-vts-master/
make && make install

/usr/local/nginx/sbin/nginx -V  #show the nginx build information
/usr/local/nginx/sbin/nginx -t  #test the nginx configuration; "successful" in the output means it is OK

12.2 Change nginx.conf

vim /usr/local/nginx/conf/nginx.conf 

Copy it as is; nothing needs to be changed. If the pasted text comes out mis-indented, switch vim to paste mode first with :set paste.

#user  nobody;
worker_processes  1;
 
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
 
#pid        logs/nginx.pid;
 
 
events {
    worker_connections  1024;
}
 
 
http {
    include       mime.types;
    default_type  application/octet-stream;
    vhost_traffic_status_zone;                  #traffic status monitoring
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
 
    #access_log  logs/access.log  main;
    log_format main '{ "@timestamp": "$time_local", '
                    '"@fields": { '
                    '"uri":"$request_uri",'
                    '"url":"$uri",'
                    '"upstream_addr":"$upstream_addr",'
                    '"remote_addr": "$remote_addr", '
                    '"remote_user": "$remote_user", '
                    '"body_bytes_sent": "$body_bytes_sent", '
                    '"host":"$host",'
                    '"server_addr":"$server_addr",'
                    '"request_time": "$request_time", '
                    '"status":"$status",'
                    '"request": "$request", '
                    '"request_method": "$request_method", '
                    '"size":$body_bytes_sent,'
                    '"upstream_time":"$upstream_response_time",'
                    '"http_referrer": "$http_referer", '
                    '"http_x_forwarded_for": "$http_x_forwarded_for", '
                    '"http_user_agent": "$http_user_agent" } }';
    sendfile        on;
    #tcp_nopush     on;
 
    #keepalive_timeout  0;
    keepalive_timeout  65;
 
    #gzip  on;
 
    server {
        listen       80;
        server_name  localhost;
 
        #charset koi8-r;
 
        #access_log  logs/host.access.log  main;
 
        location / {
            root   html;
            index  index.html index.htm;
        }
        location /status {
            vhost_traffic_status_display;
            vhost_traffic_status_display_format html;
        }
        #error_page  404              /404.html;
 
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
 
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}
 
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}
 
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
 
 
    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;
 
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
 
 
    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;
 
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;
 
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
 
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;
 
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
 
}

ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
cd /usr/local/sbin/
./nginx   #start the service

12.3 Verifying nginx

192.168.136.65

192.168.136.65/status

12.4 Explanation of monitoring list

Meaning of the fields on the monitoring page:

Server main (main server)
  Host: host name
  Version: nginx version
  Uptime: server running time
  Connections: active: current number of client connections; reading: connections being read; writing: connections being written; Total: total number of client connections
  Requests: accepted: total client connections accepted; handled: total client connections handled; Total: total number of requests; Req/s: requests per second

Shared memory
  name: shared memory name specified in the configuration
  maxSize: maximum size of the shared memory specified in the configuration
  usedSize: current size of the shared memory
  usedNode: number of nodes currently used in the shared memory

Server zones
  zone: the current zone
  Requests: Total: total number of requests; Req/s: requests per second; Time: time
  Responses: 1xx, 2xx, 3xx, 4xx, 5xx: number of responses with each status-code class; Total: total number of responses
  Traffic: Sent: traffic sent; Rcvd: traffic received; Sent/s: traffic sent per second; Rcvd/s: traffic received per second
  Cache: Miss: cache misses; Bypass: cache bypassed; Expired: expired cache entries; Stale: stale cache entries; Updating: cache entries being updated; Revalidated: revalidated cache entries; Hit: cache hits; Scarce: requests that did not meet the cache requirements; Total: total

12.5 Change the nginx configuration again

vim /usr/local/nginx/conf/nginx.conf

In fact only the server block changed. For convenience of copying, the whole file is reproduced here. If the pasted text comes out mis-indented, switch vim to paste mode first with :set paste.

worker_processes  1;

events {
    worker_connections  1024;
}
 

http {
    include       mime.types;
    default_type  application/octet-stream;
    vhost_traffic_status_zone;                  #traffic status monitoring
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
 
    #access_log  logs/access.log  main;
    log_format main '{ "@timestamp": "$time_local", '
                    '"@fields": { '
                    '"uri":"$request_uri",'
                    '"url":"$uri",'
                    '"upstream_addr":"$upstream_addr",'
                    '"remote_addr": "$remote_addr", '
                    '"remote_user": "$remote_user", '
                    '"body_bytes_sent": "$body_bytes_sent", '
                    '"host":"$host",'
                    '"server_addr":"$server_addr",'
                    '"request_time": "$request_time", '
                    '"status":"$status",'
                    '"request": "$request", '
                    '"request_method": "$request_method", '
                    '"size":$body_bytes_sent,'
                    '"upstream_time":"$upstream_response_time",'
                    '"http_referrer": "$http_referer", '
                    '"http_x_forwarded_for": "$http_x_forwarded_for", '
                    '"http_user_agent": "$http_user_agent" } }';
    sendfile        on;
    #tcp_nopush     on;
 
    #keepalive_timeout  0;
    keepalive_timeout  65;
 
    #gzip  on;
    server {
        listen       80;
        client_max_body_size 100m;  #size limit for recordings and file uploads
        #charset koi8-r;
 
        #access_log  logs/host.access.log  main;
 
        location /ui/ {
            try_files $uri / /index.html;
            alias /opt/lina/;
        }
        location /status {  #vts metrics page; it exposes server details, so restrict who can reach it
            vhost_traffic_status_display;
            vhost_traffic_status_display_format html;
        }
        location /luna/ {
            try_files $uri / /index.html;
            alias /opt/luna/;  #luna path; change this if the install directory is changed
        }
        location /media/ {  #static file handling
            add_header Content-Encoding gzip;
            root /opt/jumpserver/data/;  #recording location; change this if the install directory is changed
        }
        location /static/ {
            root /opt/jumpserver/data/;
        }
        location /koko/ {  #requests for koko are reverse-proxied through proxy_pass
            proxy_pass http://localhost:5000;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location /guacamole/ {
            proxy_pass http://localhost:8081/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            access_log off;
        }
        location /ws/ {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://localhost:8070;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location /api/ {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location /core/ {
            proxy_pass http://localhost:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location / {
            rewrite ^/(.*)$ /ui/$1 last;
        }
    }
}

Restart nginx

cd /usr/local/sbin/
./nginx -s reload  #reload the configuration; running ./nginx again while a master process is already up fails with "address already in use"

If the following error occurs after restarting nginx

nginx: [emerg] "server" directive is not allowed here in /usr/local/nginx/conf/nginx.conf:1

Check the formatting; usually a brace is missing or there is one too many.

13. Access jumpserver

192.168.136.65

At this point it is no longer port 8080 but port 80, because nginx now proxies the service. The default username and password are both admin.

14. Problem Summary

14.1 pip package path

[root@jumpserver wheels]# cd /opt/py3/lib/python3.6/site-packages

'pidfile' has no attribute 'TimeoutPIDLockFile': the pidfile module lacks the TimeoutPIDLockFile attribute. I hit this error when following another tutorial and could not resolve it; after starting over on a fresh virtual machine and following the steps in this article, the problem did not occur.

14.2 nginx occupation and restart

nginx: [emerg] still could not bind() is an error indicating that port 80 is occupied

View port usage

netstat -anp | grep 80

Killing the process with kill -9 is useless: the nginx: worker or nginx: master process is automatically restarted and occupies port 80 again

###Solution###
cd /usr/local/sbin/
pkill nginx
./nginx

14.3 mysql import data error

python3 /opt/jumpserver/apps/manage.py makemigrations reports an error

python3 /opt/jumpserver/apps/manage.py migrate

Error caused by a purely numeric mysql database password

###Solution###
Fix it by changing the password; to avoid the problem in advance, the password should combine letters and digits.
If you set the mysql password the same way as above, this problem will not occur.

(jmp_venvl) [root@jumpserver apps]# mysqladmin -ujumpserver -p password
Enter password: 
New password: 
Confirm new password: 

14.4 pip3 install virtualenv error

The openssl libraries are missing; python3 must be removed and recompiled

###Solution###
rm -rf /usr/local/python3.6/  #remove the previous python3.6
yum install openssl openssl-devel -y
cd /opt/Python-3.6.10/
./configure --prefix=/usr/local/python3.6
make -j3 && make install

14.5 Start jumpserver after restarting the host

Because jms and nginx are not configured to start at boot, they must be started manually after every reboot

###Solution###
source /usr/local/jmp_venvl/bin/activate
/opt/jumpserver/jms start -d
/usr/local/sbin/nginx
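A longer-term fix for 14.5 is to let systemd start both services at boot. The script below is an added example, not part of the original post or of the JumpServer project: it writes one unit for jms and one for nginx and enables them. It assumes the paths used throughout this post (/usr/local/jmp_venvl, /opt/jumpserver/jms, /usr/local/nginx) and that jms start -d forks into the background, as the post uses it, which is why the jms unit is Type=forking; the nginx pid file path is the default for a build with --prefix=/usr/local/nginx. The function names and the unit descriptions are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the JumpServer project):
# systemd units so jms and nginx come up on their own after a reboot (14.5).
# Assumed paths: /usr/local/jmp_venvl (virtualenv), /opt/jumpserver/jms,
# /usr/local/nginx (nginx built from source as in section 12).

VENV=/usr/local/jmp_venvl
JMS=/opt/jumpserver/jms
NGINX=/usr/local/nginx/sbin/nginx

# Print the jms unit. The venv interpreter is called explicitly so the unit
# does not depend on "source activate"; "start -d" daemonizes, hence forking.
render_jms_unit() {
    cat <<EOF
[Unit]
Description=JumpServer core (jms)
After=network.target mysqld.service redis.service
Wants=mysqld.service redis.service

[Service]
Type=forking
WorkingDirectory=/opt/jumpserver
Environment=PATH=$VENV/bin:/usr/local/bin:/usr/bin:/bin
ExecStart=$VENV/bin/python3 $JMS start -d
ExecStop=$VENV/bin/python3 $JMS stop
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Print the nginx unit. ExecStartPre refuses to start on a broken config,
# which catches the "server directive is not allowed here" case from 12.5.
render_nginx_unit() {
    cat <<EOF
[Unit]
Description=nginx reverse proxy for JumpServer
After=network.target jms.service

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=$NGINX -t
ExecStart=$NGINX
ExecReload=$NGINX -s reload
ExecStop=$NGINX -s quit
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Write both units into the given directory; when that directory is the real
# systemd unit directory, also reload systemd and enable them (needs root).
install_units() {
    dir="$1"
    render_jms_unit   > "$dir/jms.service"
    render_nginx_unit > "$dir/nginx.service"
    if [ "$dir" = /etc/systemd/system ]; then
        systemctl daemon-reload
        systemctl enable jms.service nginx.service
    fi
    echo "units written to $dir"
}

# Usage: sudo ./install_units.sh /etc/systemd/system
#        ./install_units.sh /tmp/units      (preview without touching systemd)
if [ -n "${1:-}" ]; then
    install_units "$1"
fi
```

After installing, `systemctl start jms nginx` replaces the three manual commands above, and `systemctl status jms` shows whether the core came up after a reboot.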

15. Reference Links

Manual deployment of jumpserver bastion machine (complete process + common errors)_IT.cat's Blog-CSDN Blog

Nginx compilation and installation + monitoring module Nginx-module-vts_IT.cat's blog - CSDN blog

Linux operation documentation - deployment and use of jumpserver platform system

Origin: blog.csdn.net/weixin_48878440/article/details/130836286