Recommended installation environment (from the official website)
Operating system: CentOS 7
CPU: 64-bit dual-core processor
Memory: 4 GB DDR3
Database: MySQL 5.6 or later, or MariaDB 5.5.6 or later
1. Environment preparation
Turn off the firewall and SELinux
hostname jumpserver
bash
systemctl stop firewalld
iptables -F
setenforce 0
Change the character set, otherwise the Chinese text printed into the logs may cause input/output errors
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
2. Prepare Python 3 and a Python virtual environment
Install dependencies
yum -y install wget gcc git
rpm -ivh epel-release-latest-7.noarch.rpm
cd /etc/yum.repos.d/
mv backup/CentOS-Base.repo ./
cd
Install Python 3.6
yum -y install python36 python36-devel python-pip
Create a Python virtual environment
CentOS 7 ships with Python 2, and yum and other system tools depend on it, so to avoid disturbing the system environment we use a Python virtual environment
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate
The prompt below indicates success. Every time you run Jumpserver you must first run the source command above; all of the following commands are run inside the virtual environment
(py3) [root@jumpserver opt]#
3. Install Jumpserver
Download or clone the project
cd /opt/
git clone --depth=1 https://github.com/jumpserver/jumpserver.git
Install RPM package dependencies
cd /opt/jumpserver/requirements
yum -y install $(cat rpm_requirements.txt)
Install Python library dependencies
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
Install Redis; Jumpserver uses Redis as its cache and as the Celery broker
yum -y install redis
systemctl enable redis
systemctl start redis
4. Install MySQL
On CentOS 7, MariaDB is installed instead
yum -y install mariadb mariadb-devel mariadb-server
systemctl enable mariadb
systemctl start mariadb
Create the jumpserver database and grant privileges on it, using a randomly generated database password
DB_PASSWORD=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
echo -e "\033[31mYour database password is $DB_PASSWORD\033[0m"
mysql -uroot -e "create database jumpserver default charset 'utf8'; grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by '$DB_PASSWORD'; flush privileges;"
5. Modify the Jumpserver configuration file
cd /opt/jumpserver
cp config_example.yml config.yml
Generate a random SECRET_KEY
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc
Generate a random BOOTSTRAP_TOKEN
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
Modify the configuration file contents
sed -i "s/SECRET_KEY:/SECRET_KEY: $SECRET_KEY/g" /opt/jumpserver/config.yml
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/jumpserver/config.yml
sed -i "s/# DEBUG: true/DEBUG: false/g" /opt/jumpserver/config.yml
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" /opt/jumpserver/config.yml
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" /opt/jumpserver/config.yml
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $DB_PASSWORD/g" /opt/jumpserver/config.yml
echo -e "\033[31mYour SECRET_KEY is $SECRET_KEY\033[0m"
echo -e "\033[31mYour BOOTSTRAP_TOKEN is $BOOTSTRAP_TOKEN\033[0m"
Confirm there are no errors
cat config.yml
# SECURITY WARNING: keep the secret key used in production secret!
# Encryption key; in production change it to a random string and do not leak it
SECRET_KEY:
# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token used by coco and guacamole to register their service accounts, replacing the old mechanism of manually accepting registrations
BOOTSTRAP_TOKEN:
# Development env open this, when error occur display the full process track, Production disable it
# With DEBUG on, the log shows much more detail when an error occurs; turn it off in production
DEBUG: false
# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# Log level
LOG_LEVEL: ERROR
# LOG_DIR:
# Session expiration setting, Default 24 hour, Also set expired on on browser close
# Browser session expiration time, default 24 hours; the session can also be set to expire when the browser closes
# SESSION_COOKIE_AGE: 86400
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases
# SQLite setting:
# Use single file sqlite database
# DB_ENGINE: sqlite3
# DB_NAME:
# MySQL or postgres setting like:
# Using MySQL as the database
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD:
DB_NAME: jumpserver
# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# Host and port to bind when running
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
# Use Redis as broker for celery and web socket
# Redis configuration
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4
# Use OpenID authorization
# OpenID authentication settings
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/
# AUTH_OPENID_REALM_NAME: realm-name
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# OTP settings
# OTP / MFA configuration
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver
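A quick way to confirm the sed edits above really took effect before starting the service: the check below is an added example, not part of the Jumpserver project. It assumes the "KEY: value" layout of config.yml shown above, requires SECRET_KEY, BOOTSTRAP_TOKEN and DB_PASSWORD to be non-empty (a bare "SECRET_KEY:" means the sed pattern did not match), requires DEBUG false and SESSION_EXPIRE_AT_BROWSER_CLOSE true, and requires that the file, which holds the database password and signing key, is not readable by group or other (cp leaves it at the default 644, so chmod 600 /opt/jumpserver/config.yml first). The demo() function builds two constructed sample files in a temporary directory; they are not real deployment values.

```shell
#!/bin/sh
# Added check (not part of the Jumpserver project): verify that step 5 populated
# config.yml and that the production settings took effect.
# Usage: check_jms_config /opt/jumpserver/config.yml

check_jms_config() {
    cfg=$1
    status=0
    [ -f "$cfg" ] || { echo "no such file: $cfg"; return 1; }

    # Each secret must have a non-empty value after "KEY:". A bare "SECRET_KEY:"
    # means the sed substitution did not match and the example line was kept.
    for key in SECRET_KEY BOOTSTRAP_TOKEN DB_PASSWORD; do
        value=$(sed -n "s/^$key: *//p" "$cfg" | head -n 1)
        if [ -z "$value" ]; then
            echo "missing or empty: $key"
            status=1
        fi
    done

    # Production settings from the guide: debug off, session ends with the browser.
    grep -Eq '^DEBUG: *false' "$cfg" || { echo "DEBUG is not false"; status=1; }
    grep -Eq '^SESSION_EXPIRE_AT_BROWSER_CLOSE: *true' "$cfg" \
        || { echo "SESSION_EXPIRE_AT_BROWSER_CLOSE is not true"; status=1; }

    # Group/other permission bits (columns 5-10 of ls -l) must all be "-".
    perms=$(ls -ld "$cfg" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "config is readable by group/other ($perms)"; status=1; }

    return $status
}

# demo: run the check against two constructed sample files (not real values).
demo() {
    dir=$(mktemp -d)
    good="$dir/good.yml"
    bad="$dir/bad.yml"
    cat > "$good" <<'EOF'
SECRET_KEY: ExampleSecretKeyValueNotReal0000000000000000000000
BOOTSTRAP_TOKEN: ExampleToken1234
DEBUG: false
LOG_LEVEL: ERROR
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_ENGINE: mysql
DB_PASSWORD: ExampleDbPasswordNotReal
EOF
    chmod 600 "$good"
    # bad: SECRET_KEY left blank (sed did not match), DEBUG still true, mode 644
    cat > "$bad" <<'EOF'
SECRET_KEY:
BOOTSTRAP_TOKEN: ExampleToken1234
DEBUG: true
SESSION_EXPIRE_AT_BROWSER_CLOSE: true
DB_PASSWORD:
EOF
    chmod 644 "$bad"
    if check_jms_config "$good" >/dev/null; then good_rc=0; else good_rc=1; fi
    if check_jms_config "$bad" >/dev/null; then bad_rc=0; else bad_rc=1; fi
    rm -rf "$dir"
    # demo succeeds only if the good file passes and the bad file is rejected
    [ "$good_rc" -eq 0 ] && [ "$bad_rc" -ne 0 ]
}

# Run directly with a path to check that file; with no argument run the demo.
if [ -n "$1" ]; then
    check_jms_config "$1"
else
    demo && echo "demo: good config accepted, bad config rejected"
fi
```

Run it as `sh check_jms_config.sh /opt/jumpserver/config.yml` after the sed commands; a non-zero exit with the printed reason tells you which line to fix before ./jms start.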
6. Run Jumpserver
The run script changed in the new version: use ./jms start | stop | status all, and add the -d parameter to run in the background
cd /opt/jumpserver
./jms start all -d
7. Install the SSH Server and WebSocket Server: Coco
Download or clone the project
cd /opt
source /opt/py3/bin/activate
git clone --depth=1 https://github.com/jumpserver/coco.git
Install dependencies
cd /opt/coco/requirements
yum -y install $(cat rpm_requirements.txt)
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
Modify the configuration file and run it
cd /opt/coco
cp config_example.yml config.yml
sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $BOOTSTRAP_TOKEN/g" /opt/coco/config.yml
sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: ERROR/g" /opt/coco/config.yml
View the configuration file
cat config.yml
# Project name, used when registering with Jumpserver; identification only, must be unique
# NAME: {{ Hostname }}
# Jumpserver project url, used by the api request that registers this service
CORE_HOST: http://127.0.0.1:8080
# Bootstrap Token, a pre-shared key used to register Coco's service account and terminal
# Keep it consistent with the jumpserver configuration file; it can be deleted once registration is complete
BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>
# IP to bind on startup, default 0.0.0.0
# BIND_HOST: 0.0.0.0
# SSH listening port, default 2222
# SSHD_PORT: 2222
# HTTP / WS listening port, default 5000
# HTTPD_PORT: 5000
# ACCESS KEY used by the project; by default it is obtained at registration and saved to ACCESS_KEY_STORE
# If needed, you can write it into the configuration file in the format access_key_id:access_key_secret
# ACCESS_KEY: null
# Where the ACCESS KEY is saved; by default registration saves it to this file
# ACCESS_KEY_STORE: data/keys/.access_key
# Encryption key
# SECRET_KEY: null
# Log level [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
LOG_LEVEL: ERROR
# Log storage directory
# LOG_DIR: logs
# SSH whitelist
# ALLOW_SSH_USER: all
# SSH blacklist; if a user is in both the whitelist and the blacklist, the blacklist takes precedence
# BLOCK_SSH_USER:
# -
# Heartbeat interval with Jumpserver
# HEARTBEAT_INTERVAL: 5
# Admin's name, shown to users when a problem occurs
# ADMINS: ''
# SSH connection timeout (default 15 seconds)
# SSH_TIMEOUT: 15
# Language [en, zh]
# LANGUAGE_CODE: zh
# SFTP root directory, optionally /tmp, Home or another custom directory
# SFTP_ROOT: /tmp
# Whether SFTP shows hidden files
# SFTP_SHOW_HIDDEN_FILE: false
The run script changed in the new version: use ./cocod start | stop | status, and add the -d parameter to run in the background
./cocod start -d
7. Install the front-end Web Terminal: Luna
Luna has been changed to a pure front-end application, so Nginx is needed to serve it
Go to https://github.com/jumpserver/luna/releases and download the release package for the corresponding version; it does not need to be compiled, just extract it
cd /opt
wget https://demo.jumpserver.org/download/luna/1.4.9/luna.tar.gz
tar xf luna.tar.gz
chown -R root:root luna
8. Install the Windows support components
Install dependencies
rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm
yum install -y java-1.8.0-openjdk libtool
yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript uuid-devel
ln -s /usr/local/lib/freerdp/*.so /usr/lib64/freerdp
Compile and install the guacamole service (this package is difficult to download)
cd /opt
git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git
cd /opt/docker-guacamole/
tar -xf guacamole-server-1.0.0.tar.gz
cd guacamole-server-1.0.0
autoreconf -fi
./configure --with-init-dir=/etc/init.d
make && make install
cd ..
rm -rf guacamole-server-1.0.0
ldconfig
Configure Tomcat
Create the guacamole directories
mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions
ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-0.9.14.jar /config/guacamole/extensions/guacamole-auth-jumpserver-0.9.14.jar
guacamole configuration file
ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
Download Tomcat and deploy it
cd /config
wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.40/bin/apache-tomcat-8.5.16.tar.gz
tar xf apache-tomcat-8.5.16.tar.gz
rm -rf apache-tomcat-8.5.16.tar.gz
mv apache-tomcat-8.5.16 /config/tomcat8
rm -rf /config/tomcat8/webapps/*
guacamole client
ln -sf /opt/docker-guacamole/guacamole-0.9.14.war /config/tomcat8/webapps/ROOT.war
Change the default port to 8081
sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat8/conf/server.xml
Change the log level to WARNING
sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties
cd /config
wget https://demo.jumpserver.org/download/ssh-forward/v0.0.5/linux-amd64.tar.gz
tar xf linux-amd64.tar.gz -C /bin/
chmod +x /bin/ssh-forward
Configure environment variables
Do not run the following environment settings repeatedly; http://127.0.0.1:8080 is the Jumpserver access address
export JUMPSERVER_SERVER=http://127.0.0.1:8080
echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc
BOOTSTRAP_TOKEN is the BOOTSTRAP_TOKEN from Jumpserver's config.yml
export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN
echo "export BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
export GUACAMOLE_HOME=/config/guacamole
echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
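The guide says not to run the echo lines above more than once, because each run appends another copy to ~/.bashrc; the same applies to the SECRET_KEY and BOOTSTRAP_TOKEN lines appended in step 5. The helper below is an added example, not part of the Jumpserver, coco or guacamole projects: it writes "export VAR=value" to an rc file exactly once, replacing any earlier definition, so it can be re-run safely. The function names set_env_once, get_env and count_env and the demo() sample rc file are my own constructions; the rc file path defaults to ~/.bashrc but any file can be passed as the third argument. Because the file is rewritten in place (cat into the existing file rather than mv), its mode is preserved, which matters for an rc file that now holds secrets and should be 600.

```shell
#!/bin/sh
# Added helper (not part of the Jumpserver/coco/guacamole projects): write an
# "export VAR=value" line to a shell rc file exactly once, replacing any earlier
# definition instead of appending a duplicate like "echo ... >> ~/.bashrc" does.
# Usage: set_env_once JUMPSERVER_SERVER http://127.0.0.1:8080 [~/.bashrc]

set_env_once() {
    var=$1
    value=$2
    file=${3:-"$HOME/.bashrc"}
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    # Drop any earlier definition of this variable, with or without "export".
    grep -v "^\(export \)\{0,1\}$var=" "$file" > "$tmp" || true
    printf 'export %s=%s\n' "$var" "$value" >> "$tmp"
    # Rewrite in place so the rc file keeps its inode and permission bits.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_env VAR FILE: print the value currently exported for VAR in FILE (last wins)
get_env() {
    sed -n "s/^export $1=//p" "$2" | tail -n 1
}

# count_env VAR FILE: number of definition lines FILE has for VAR (should be 1)
count_env() {
    grep -c "^\(export \)\{0,1\}$1=" "$2" || true
}

# demo: constructed sample of an rc file after the guide's lines were run twice;
# the values are placeholders, not real deployment secrets.
demo() {
    rc=$(mktemp)
    printf 'SECRET_KEY=OldPlaceholder\nexport JUMPSERVER_SERVER=http://127.0.0.1:8080\nexport JUMPSERVER_SERVER=http://127.0.0.1:8080\n' > "$rc"
    set_env_once JUMPSERVER_SERVER http://127.0.0.1:8080 "$rc"
    set_env_once SECRET_KEY ExampleSecretNotReal "$rc"
    set_env_once GUACAMOLE_HOME /config/guacamole "$rc"
    n=$(count_env JUMPSERVER_SERVER "$rc")
    v=$(get_env SECRET_KEY "$rc")
    rm -f "$rc"
    # the duplicate is collapsed to one line and the old value is replaced
    [ "$n" = 1 ] && [ "$v" = ExampleSecretNotReal ]
}

demo && echo "demo: duplicates collapsed, old SECRET_KEY replaced"
```

With this helper the four settings above become four set_env_once calls that can be repeated at will; run `chmod 600 ~/.bashrc` once, since the file now carries BOOTSTRAP_TOKEN.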
Start Guacamole
/etc/init.d/guacd start
sh /config/tomcat8/bin/startup.sh
9. Configure Nginx to integrate the components
Install Nginx
yum -y install yum-utils
rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
yum makecache fast
yum install -y nginx
rm -rf /etc/nginx/conf.d/default.conf
systemctl enable nginx
Prepare the configuration file /etc/nginx/conf.d/jumpserver.conf
vim /etc/nginx/conf.d/jumpserver.conf
server {
    # Proxy port; later access goes through this port, no longer through port 8080
    listen 80;
    # Change to your domain name or comment out
    # server_name demo.jumpserver.org;
    # Size limit for recordings and file uploads
    client_max_body_size 100m;

    location /luna/ {
        try_files $uri / /index.html;
        # Luna path; if you changed the installation directory, change it here too
        alias /opt/luna/;
    }

    location /media/ {
        add_header Content-Encoding gzip;
        # Recording location; if you changed the installation directory, change it here too
        root /opt/jumpserver/data/;
    }

    location /static/ {
        # Static resources; if you changed the installation directory, change it here too
        root /opt/jumpserver/data/;
    }

    location /socket.io/ {
        # If coco is installed on another server, fill in its ip
        proxy_pass http://localhost:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /coco/ {
        # If coco is installed on another server, fill in its ip
        proxy_pass http://localhost:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        # If guacamole is installed on another server, fill in its ip
        proxy_pass http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location / {
        # If jumpserver is installed on another server, fill in its ip
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Run Nginx
nginx -t
systemctl start nginx
systemctl enable nginx
10. Start using Jumpserver
Access http://192.168.200.111 in a browser; default account: admin, password: admin
In Jumpserver go to Session Management - Terminal Management and check that Coco and Guacamole have registered
11. Test the connection
1. If the client is macOS or Linux, the login syntax is as follows
ssh -p2222 admin@IP
sftp -P2222 admin@IP
Password: admin
2. If the client is Windows, the Xshell login syntax is as follows
$ ssh admin@IP 2222
$ sftp admin@IP 2222
Password: admin
[root@localhost ~]# ssh -p2222 admin@192.168.200.111
The authenticity of host '[192.168.200.111]:2222 ([192.168.200.111]:2222)' can't be established.
RSA key fingerprint is SHA256:nFzD9nQeSYjrS2n20ZvglhauaiWuRUPU7tWyVDeRNE4.
RSA key fingerprint is MD5:2f:72:d6:94:c6:d0:f1:90:9e:df:68:99:67:48:26:13.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.200.111]:2222' (RSA) to the list of known hosts.
admin@192.168.200.111's password:
Administrator, Welcome Jumpserver open source system springboard
1) Enter the ID log in directly or enter part of IP, host name, notes search login ( if single).
2) Input / + IP, host name or notes search , such as: / ip
3) Input p show you have permission of the host.
4) Enter g display nodes that you have permission.
5) Enter + G ID node under the node host display. As: g1
6) Enter s in / English switching.
7) Enter h for help.
8) Enter r to refresh the latest machines and node information.
0) Enter q to quit.
Opt>
If you can log in, the deployment was successful
# SFTP uploads go to the /tmp directory on the asset by default
# On Windows assets, files dragged into the Guacamole RDP session are uploaded to the G drive