Step by step: building JumpServer

Recommended test environment

  • CPU: 64-bit dual-core processor
  • Memory: 4G DDR3
  • Database: MySQL 5.6 or later, or MariaDB 5.5.6 or later

Environment

  • System: CentOS 7
  • IP: 192.168.244.144
  • SELinux and firewall settings:

$ firewall-cmd --zone=public --add-port=80/tcp --permanent    # nginx port
$ firewall-cmd --zone=public --add-port=2222/tcp --permanent  # SSH login port for coco users
$ firewall-cmd --reload   # reload the rules
$ setenforce 0
$ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config

# Note: setenforce 0 and the sed above disable SELinux for the whole host, not only for these services; the guide accepts that trade-off to avoid denials during the build.

I. Prepare Python 3 and a Python virtual environment

1.1 Install dependencies

$ yum -y install wget gcc epel-release git

1.2 Install Python 3.6

$ yum -y install python36 python36-devel

# If downloads are very slow, you can switch to a domestic mirror
$ wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
$ yum -y install python36 python36-devel

1.3 Create a Python virtual environment

CentOS 7 ships with Python 2, and yum and other system tools depend on that original Python. To avoid disturbing the original environment we use a Python virtual environment.

$ cd /opt
$ python3.6 -m venv py3
$ source /opt/py3/bin/activate

# Seeing the following prompt means the virtual environment is active. Every time you run Jumpserver later, run the source command above first; all following commands are executed inside the virtual environment
(py3) [root@localhost py3]

II. Install Jumpserver

2.1 Download or clone the project

The project has many commits, so a git clone is large; alternatively you can download the zip package directly from the Github project page.

$ cd /opt/
$ git clone --depth=1 https://github.com/jumpserver/jumpserver.git

2.2 Install RPM package dependencies

$ cd /opt/jumpserver/requirements
$ yum -y install $(cat rpm_requirements.txt)  # if there is no error, continue

2.3 Install Python library dependencies

$ pip install --upgrade pip setuptools
$ pip install -r requirements.txt

# If downloads are very slow, you can switch to a domestic mirror
$ pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
$ pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

2.4 Install Redis; Jumpserver uses Redis as its cache and as the celery broker

$ yum -y install redis
$ systemctl enable redis
$ systemctl start redis

2.5 Install MySQL

This tutorial uses MySQL as the database; if you are not using MySQL you can skip installing and configuring it

$ yum -y install mariadb mariadb-devel mariadb-server mariadb-shared  # on centos7 this installs mariadb
$ systemctl enable mariadb
$ systemctl start mariadb

2.6 Create the database and grant privileges to Jumpserver

$ DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`  # generate a random database password
$ echo -e "\033[31m Your database password is $DB_PASSWORD \033[0m"
$ mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"

2.7 Modify the Jumpserver configuration file

$ cd /opt/jumpserver
$ cp config_example.yml config.yml

$ SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`  # generate a random SECRET_KEY
$ echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
$ BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`  # generate a random BOOTSTRAP_TOKEN
$ echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
$ sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
$ sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
$ sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
$ sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
$ sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
$ sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
$ echo -e "\033[31m Your SECRET_KEY is $SECRET_KEY \033[0m"
$ echo -e "\033[31m Your BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN \033[0m"
$ vi config.yml  # confirm the contents are correct

After the commands above, config.yml should look like the following, with SECRET_KEY, BOOTSTRAP_TOKEN and DB_PASSWORD filled in with the generated values:

# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key; in production change it to a random string and do not leak it. PS: purely numeric values are not allowed
SECRET_KEY:

# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token used by coco and guacamole to register their service accounts; the old registration-acceptance mechanism is no longer used
BOOTSTRAP_TOKEN:

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG mode; with DEBUG on, more log output is shown when an error occurs
DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
# LOG_DIR:

# Session expiration setting, default 24 hours; can also be set to expire on browser close
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, support sqlite3, mysql, postgres ....
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting: single-file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:

# MySQL or postgres setting like: (using MySQL as the database)
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver

# When Django starts it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080

# Use Redis as broker for celery and web socket
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4

# Use OpenID authorization
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false  # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret

# OTP/MFA settings
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver

2.8 Run Jumpserver

$ cd /opt/jumpserver
$ ./jms start all -d  # use the -d parameter to run in the background

# Newer versions updated the run script: use ./jms start|stop|status all, adding -d to run in the background

If it starts without errors, continue

III. Install the SSH Server and WebSocket Server: Coco

3.1 Download or clone the project

$ cd /opt
$ source /opt/py3/bin/activate
$ git clone --depth=1 https://github.com/jumpserver/coco.git

3.2 Install dependencies

$ cd /opt/coco/requirements
$ yum -y install $(cat rpm_requirements.txt)
$ pip install -r requirements.txt

# If downloads are very slow, you can switch to a domestic mirror
$ pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

3.3 Modify the configuration file and run

$ cd /opt/coco
$ cp config_example.yml config.yml

$ sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml
$ sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml
$ vi config.yml

After the sed commands, config.yml should look like the following; the BOOTSTRAP_TOKEN placeholder shown here will have been replaced with your token, which must match the one in /opt/jumpserver/config.yml:

# Project name, used to register with Jumpserver; only an identifier, must not be duplicated
# NAME: {{ Hostname }}

# Url of the Jumpserver project, used by the registration api request
CORE_HOST: http://127.0.0.1:8080

# Bootstrap Token, the pre-shared key used to register the service account and terminal that coco uses
# Keep it identical to the jumpserver configuration file; it can be deleted once registration is complete
BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>

# ip bound at start-up, default 0.0.0.0
# BIND_HOST: 0.0.0.0

# SSH port to listen on, default 2222
# SSHD_PORT: 2222

# HTTP/WS port to listen on, default 5000
# HTTPD_PORT: 5000

# ACCESS KEY used by the project; by default it is registered and saved to ACCESS_KEY_STORE.
# If needed it can be written into the configuration file, in the format access_key_id:access_key_secret
# ACCESS_KEY: null

# Where the ACCESS KEY is saved; by default it is written to this file after registration
# ACCESS_KEY_STORE: data/keys/.access_key

# Encryption key
# SECRET_KEY: null

# Log level [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
LOG_LEVEL: ERROR

# Directory where logs are stored
# LOG_DIR: logs

# SSH whitelist
# ALLOW_SSH_USER: all

# SSH blacklist; if a user is in both the whitelist and the blacklist, the blacklist takes precedence
# BLOCK_SSH_USER:
#   -

# Heartbeat interval with Jumpserver
# HEARTBEAT_INTERVAL: 5

# Admin's name, shown to users when a problem occurs
# ADMINS: ''

# SSH connection timeout (default 15 seconds)
# SSH_TIMEOUT: 15

# Language [en, zh]
# LANGUAGE_CODE: zh

# SFTP root directory; /tmp, Home or another custom directory
# SFTP_ROOT: /tmp

# Whether SFTP shows hidden files
# SFTP_SHOW_HIDDEN_FILE: false

# Whether to reuse connections already established between the user and the back-end asset (a user never reuses other users' connections)
# REUSE_CONNECTION: true

$ ./cocod start -d  # use the -d parameter to run in the background

# Newer versions updated the run script: use ./cocod start|stop|status, adding -d to run in the background
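The secret handling in 2.7 and 3.3 relies on one-off sed substitutions that silently leave the file unchanged when the pattern does not match, and on the same BOOTSTRAP_TOKEN being copied by hand into two files. The script below is an added example, not code from the original guide or from the JumpServer project. It generates the values the same way the guide does (alphanumeric characters from /dev/urandom), writes them into /opt/jumpserver/config.yml and /opt/coco/config.yml with a hard failure when a key is missing, and checks that both files end up with the same token. The helper names (gen_secret, set_yaml_key, get_yaml_key, tokens_match) and the --apply switch are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide or of the JumpServer project.
# Generates the random SECRET_KEY / BOOTSTRAP_TOKEN / DB_PASSWORD values used in 2.6-2.7 and
# writes them into the YAML configs from 2.7 and 3.3 with explicit checks, instead of the
# guide's one-off sed commands (which silently do nothing when the key is not found).
# Helper names (gen_secret, set_yaml_key, get_yaml_key, tokens_match) are this example's own.
set -u

# Random alphanumeric string of $1 characters from /dev/urandom. The guide requires that
# SECRET_KEY not be purely numeric, so retry until at least one letter is present.
gen_secret() {
    local len=$1 s
    while :; do
        s=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len")
        case $s in *[A-Za-z]*) printf '%s\n' "$s"; return 0 ;; esac
    done
}

# Set "KEY: value" for an uncommented top-level key in a flat YAML file.
# Returns 1 (and changes nothing) if the key is absent, so a typo cannot pass unnoticed.
# Values are alphanumeric here; a value containing '|' or '&' would need escaping for sed.
set_yaml_key() {
    local file=$1 key=$2 value=$3
    grep -Eq "^${key}:" "$file" || { echo "set_yaml_key: '$key' not found in $file" >&2; return 1; }
    sed -i "s|^${key}:.*|${key}: ${value}|" "$file"
}

# Print the value of an uncommented top-level "KEY: value" line (empty if unset).
get_yaml_key() {
    local file=$1 key=$2
    sed -n "s/^${key}:[[:space:]]*//p" "$file" | head -n 1
}

# Placeholder shipped in coco's config_example.yml; it must never survive into a running install.
COCO_PLACEHOLDER='<PleasgeChangeSameWithJumpserver>'

# Succeeds only when both files carry the same, non-empty, non-placeholder BOOTSTRAP_TOKEN.
# coco (3.3) and guacamole (5.4) register with jumpserver using this pre-shared token, so a
# mismatch shows up later as a terminal that never appears under Terminal Management.
tokens_match() {
    local core=$1 coco=$2 a b
    a=$(get_yaml_key "$core" BOOTSTRAP_TOKEN)
    b=$(get_yaml_key "$coco" BOOTSTRAP_TOKEN)
    [ -n "$a" ] && [ "$a" = "$b" ] && [ "$a" != "$COCO_PLACEHOLDER" ]
}

# Apply to the paths used by the guide. Only runs when invoked as: bash this_script.sh --apply
# DB_PASSWORD is taken from the environment if 2.6 already generated it, else a new one is made.
apply_to_install() {
    local core=/opt/jumpserver/config.yml coco=/opt/coco/config.yml
    local secret token dbpass
    secret=$(gen_secret 50)
    token=$(gen_secret 16)
    dbpass=${DB_PASSWORD:-$(gen_secret 24)}
    set_yaml_key "$core" SECRET_KEY "$secret" || return 1
    set_yaml_key "$core" BOOTSTRAP_TOKEN "$token" || return 1
    set_yaml_key "$core" DB_PASSWORD "$dbpass" || return 1
    set_yaml_key "$coco" BOOTSTRAP_TOKEN "$token" || return 1
    chmod 600 "$core" "$coco"   # both files now hold secrets: root-only
    tokens_match "$core" "$coco" && echo "BOOTSTRAP_TOKEN consistent between jumpserver and coco"
}

if [ "${1:-}" = "--apply" ]; then apply_to_install; fi
```

Run it with --apply on the host once config_example.yml has been copied to config.yml in both /opt/jumpserver and /opt/coco; without arguments it only defines the functions. Because the values go straight into the two config files, which are then made root-only, there is no need to keep them in ~/.bashrc as the guide does; for the export in 5.4, read the token back from /opt/jumpserver/config.yml (get_yaml_key does exactly that) rather than from a shell startup file.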

IV. Install the front-end Web Terminal: Luna

Luna is now a pure front-end, so Nginx is needed to serve it

Visit ( https://github.com/jumpserver/luna/releases ) and download the release package for the matching version; no compilation is needed, just extract it

4.1 Extract Luna

$ cd /opt
$ wget https://github.com/jumpserver/luna/releases/download/1.5.0/luna.tar.gz

# If the download cannot complete because of network problems, use the following address
$ wget https://demo.jumpserver.org/download/luna/1.5.0/luna.tar.gz

$ tar xf luna.tar.gz
$ chown -R root:root luna

V. Install the Windows support components (skip this step if you have no Windows assets to manage)

5.1 Install dependencies

$ rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
$ rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
$ yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm

# Note: the nux signing key above is fetched over plain http, and --nogpgcheck skips signature verification of the rpmfusion release packages, so these third-party repositories are trusted without verification; check the key and packages out of band if this host matters.

$ yum install -y java-1.8.0-openjdk libtool
$ yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
$ yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript

5.2 Compile and install guacamole-server

$ cd /opt
$ git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
$ cd /opt/docker-guacamole/
$ tar -xf guacamole-server-1.0.0.tar.gz
$ cd guacamole-server-1.0.0
$ autoreconf -fi
$ ./configure --with-init-dir=/etc/init.d --with-systemd-dir=/usr/lib/systemd/system/
$ make && make install
$ ln -s /usr/local/lib/freerdp/*.so /usr/lib64/freerdp/
$ cd ..
$ rm -rf guacamole-server-1.0.0
$ ldconfig

5.3 Configure Tomcat

$ mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions  # create the guacamole directories
$ ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar
$ ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties  # guacamole configuration file

$ cd /config
$ wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.21/bin/apache-tomcat-9.0.21.tar.gz
$ tar xf apache-tomcat-9.0.21.tar.gz
$ rm -rf apache-tomcat-9.0.21.tar.gz
$ mv apache-tomcat-9.0.21 tomcat9
$ rm -rf /config/tomcat9/webapps/*
$ ln -sf /opt/docker-guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war  # guacamole client
$ sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml  # change the default port to 8081
$ sed -i 's/FINE/WARNING/g' /config/tomcat9/conf/logging.properties  # change the log level to WARNING

$ cd /config
$ wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz
# If the download cannot complete because of network problems, use the following address
$ wget https://demo.jumpserver.org/download/ssh-forward/v0.0.5/linux-amd64.tar.gz
$ tar xf linux-amd64.tar.gz -C /bin/
$ chmod +x /bin/ssh-forward

5.4 Configure environment variables

# Do not run the following environment settings more than once
$ export JUMPSERVER_SERVER=http://127.0.0.1:8080  # http://127.0.0.1:8080 is the jumpserver access address
$ echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
# BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN from Jumpserver/config.yml
$ export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN
$ echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
$ export JUMPSERVER_KEY_DIR=/config/guacamole/keys
$ echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
$ export GUACAMOLE_HOME=/config/guacamole
$ echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc

5.5 Start Guacamole

$ systemctl start guacd
$ sh /config/tomcat9/bin/startup.sh

VI. Configure Nginx to integrate the components

6.1 Install Nginx

$ yum install yum-utils
$ vi /etc/yum.repos.d/nginx.repo

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key

$ yum makecache fast
$ yum install -y nginx
$ rm -rf /etc/nginx/conf.d/default.conf
$ systemctl enable nginx

6.2 Prepare the configuration file, modify /etc/nginx/conf.d/jumpserver.conf

$ vi /etc/nginx/conf.d/jumpserver.conf

server {
    listen 80;  # proxy port; from now on access goes through this port, no longer through 8080
    # server_name demo.jumpserver.org;  # change to your domain name or comment out
    client_max_body_size 100m;  # size limit for recording and file uploads

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path; if you changed the install directory, change this too
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # recording location; if you changed the install directory, change this too
    }

    location /static/ {
        root /opt/jumpserver/data/;  # static resources; if you changed the install directory, change this too
    }

    location /socket.io/ {
        proxy_pass       http://localhost:5000/socket.io/;  # if coco is installed on another server, fill in its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        proxy_pass       http://localhost:5000/coco/;  # if coco is installed on another server, fill in its ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;  # if guacamole is installed on another server, fill in its ip
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        proxy_pass http://localhost:8080;  # if jumpserver is installed on another server, fill in its ip
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

6.3 Run Nginx

$ nginx -t  # make sure the configuration has no problems; if it reports one, fix it before continuing

# CentOS 7
$ systemctl start nginx
$ systemctl enable nginx

6.4 Start using Jumpserver

Check whether the application is running normally

After all services have started, visit http://192.168.244.144 , i.e. the nginx proxy port, not port 8080

Default account: admin  password: admin (change it after the first login)

In Jumpserver, open Session Management - Terminal Management and check that Coco, Guacamole and the other applications have registered.

Test the connection

If the login client is macOS or Linux, the login syntax is as follows
$ ssh -p2222 admin@192.168.244.144
$ sftp -P2222 admin@192.168.244.144
Password: admin

If the login client is Windows, the Xshell login syntax is as follows
$ ssh admin@192.168.244.144 2222
$ sftp admin@192.168.244.144 2222
Password: admin
If you can log in, the deployment was successful

# sftp uploads go to the /tmp directory on the asset by default
# on Windows assets, files dragged into the Guacamole RDP session are uploaded to the G drive
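Before handing the host over, it is worth confirming that the network surface matches what the guide intended: every component listening, firewalld exposing only the 80/tcp and 2222/tcp opened at the top of the guide, and redis and mariadb (which jumpserver reaches at 127.0.0.1) not bound to every interface. The script below is an added example, not code from the guide or from the JumpServer project; the function names and the EXPECTED_LISTEN / ALLOWED_FW lists are its own, derived from the ports configured in the sections above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide or of the JumpServer project.
# Post-install smoke check for the network surface this guide produces: every component
# must be listening, firewalld must expose only nginx (80) and coco ssh (2222), and the
# services jumpserver reaches at 127.0.0.1 (redis, mariadb) should not be bound to all
# interfaces. The check functions take command output as a string so they can be tested
# offline; `--live` feeds them real `ss -ltnH` and `firewall-cmd --list-ports` output.
# Function names and the EXPECTED_LISTEN / ALLOWED_FW lists are this example's own.
set -u

# Ports bound by the configuration in this guide:
# nginx 80, jumpserver 8080, coco sshd 2222, coco http/ws 5000, tomcat/guacamole 8081,
# redis 6379, mariadb 3306.
EXPECTED_LISTEN="80 8080 2222 5000 8081 6379 3306"
# The only ports opened in firewalld at the top of the guide.
ALLOWED_FW="80/tcp 2222/tcp"

# $1: output of `ss -ltnH`. Prints each expected port with no listener, one per line.
missing_listeners() {
    local bound p
    # column 4 is "local-address:port"; keep what follows the last ':'
    bound=$(printf '%s\n' "$1" | awk '{print $4}' | sed 's/.*://')
    for p in $EXPECTED_LISTEN; do
        printf '%s\n' "$bound" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# $1: output of `firewall-cmd --zone=public --list-ports`. Prints any port not in ALLOWED_FW.
# Opening 8080/5000/8081 directly would let browsers bypass nginx and reach the backends.
unexpected_fw_ports() {
    local p
    for p in $1; do
        case " $ALLOWED_FW " in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
    done
}

# $1: output of `ss -ltnH`. Prints redis/mariadb sockets bound to a wildcard address.
# jumpserver connects to both at 127.0.0.1 (REDIS_HOST / DB_HOST), so nothing in this
# deployment needs them reachable on other interfaces.
world_bound_internal() {
    printf '%s\n' "$1" | awk '$4 ~ /^(0\.0\.0\.0|\*|\[::\]):(6379|3306)$/ {print $4}'
}

run_live() {
    local ss_out fw_out
    ss_out=$(ss -ltnH)
    fw_out=$(firewall-cmd --zone=public --list-ports)
    echo "== expected ports with no listener =="; missing_listeners "$ss_out"
    echo "== firewalld ports beyond 80/tcp 2222/tcp =="; unexpected_fw_ports "$fw_out"
    echo "== redis/mariadb bound to all interfaces =="; world_bound_internal "$ss_out"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as root with --live after 6.3; an empty result under all three headings is the expected outcome. A port listed under the first heading usually means the matching service (jms, cocod, guacd/tomcat) did not start or the run script was not given the right arguments; anything under the second means a firewall-cmd beyond the two at the top of the guide was added.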


Source: www.cnblogs.com/kcxg/p/11012785.html