Jumpserver distributed deployment

Reference: the official documentation: https://jumpserver.readthedocs.io/zh/master/setup_by_prod.html#id4

Component description

  • Jumpserver is the management backend. Administrators use the Web UI for asset management, user management, asset authorization and similar tasks; users use the Web UI to log in to assets, manage files and so on.
  • koko is the SSH Server and Web Terminal Server. Users log in with their own accounts, over SSH or the Web Terminal, to assets that speak the SSH and Telnet protocols.
  • Luna is the front-end page of the Web Terminal Server, the component users need in order to log in through the Web Terminal.
  • Guacamole is the component for RDP- and VNC-protocol assets; users connect to RDP and VNC assets through the Web Terminal (for now these assets can only be reached through the Web Terminal).

Port description

  • Jumpserver: default Web port 8080/tcp, default WS port 8070/tcp; configuration file jumpserver/config.yml
  • koko: default SSH port 2222/tcp, default Web Terminal port 5000/tcp; configuration file koko/config.yml
  • Guacamole: default port 8081/tcp; configuration file /config/tomcat9/conf/server.xml
  • Nginx: default port 80/tcp
  • Redis: default port 6379/tcp
  • Mysql: default port 3306/tcp

Protocol   Server name   Port
TCP        Jumpserver    8070, 8080
TCP        koko          2222, 5000
TCP        Guacamole     8081
TCP        Db            3306
TCP        Redis         6379
TCP        Nginx         80

Environment

https://jumpserver.readthedocs.io/zh/master/distributed_01.html 

My lab environment:

Database, redis, recordings, nginx: 192.168.227.96

Jumpserver, koko, Guacamole: 192.168.227.97-98

  • System: CentOS 7
  • Database IP: 192.168.227.96
  • Redis IP: 192.168.227.96
  • Jumpserver IP: 192.168.227.97 192.168.227.98
  • koko IP: 192.168.227.97 192.168.227.98
  • Guacamole IP: 192.168.227.97 192.168.227.98
  • Tengine proxy IP: 192.168.227.97 192.168.227.98

Protocol   Server name   Port         Used By
TCP        Jumpserver    8070, 8080   Nginx, koko, Guacamole
TCP        koko          2222, 5000   Tengine
TCP        Guacamole     8081         Tengine
TCP        Db            3306         Jumpserver
TCP        Redis         6379         Jumpserver
TCP        Tengine       80, 2222     All users

When several instances of a component sit behind Nginx, pay attention to the load-balancing mode of each upstream block: session affinity has to be handled, otherwise a user's requests may be spread across backends that do not share the session.

Security

For SSH- and Telnet-protocol assets, the asset's firewall must allow access from koko and from Jumpserver.

For RDP-protocol assets, the asset's firewall must allow access from Guacamole and from Jumpserver.
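The "Used By" table above is effectively an access-control matrix: each service should be reachable only from the roles listed for it. The script below is an added example, not code from the original post or from the JumpServer project. It transcribes the lab topology from the table (the role labels "nginx", "tengine", "koko", "guacamole" and "jumpserver" are mine) and, when run on one of the hosts acting as a given role, reports every port that is reachable but should not be, and every port that is needed but blocked. The `local_listener` helper exists only so the logic can be exercised on loopback without the lab network.

```python
import socket
from typing import Callable, Iterable, List, NamedTuple, Set, Tuple


class Service(NamedTuple):
    name: str
    host: str
    port: int
    used_by: Set[str]  # roles allowed in, per the "Used By" column


# Lab topology from this page: .97/.98 each run Jumpserver, koko and Guacamole,
# .96 runs the database and Redis. Only .97 is listed; repeat rows for .98.
LAB_SERVICES: List[Service] = [
    Service("Jumpserver-ws", "192.168.227.97", 8070, {"nginx", "koko", "guacamole"}),
    Service("Jumpserver-web", "192.168.227.97", 8080, {"nginx", "koko", "guacamole"}),
    Service("koko-ssh", "192.168.227.97", 2222, {"tengine"}),
    Service("koko-web", "192.168.227.97", 5000, {"tengine"}),
    Service("Guacamole", "192.168.227.97", 8081, {"tengine"}),
    Service("Db", "192.168.227.96", 3306, {"jumpserver"}),
    Service("Redis", "192.168.227.96", 6379, {"jumpserver"}),
]


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_from(role: str, services: Iterable[Service],
               probe: Callable[[str, int], bool] = tcp_open) -> List[str]:
    """Probe every service from the host this runs on, acting as `role`, and
    return one finding per deviation from the table (empty list = matches)."""
    findings: List[str] = []
    for svc in services:
        reachable = probe(svc.host, svc.port)
        allowed = role in svc.used_by
        if reachable and not allowed:
            findings.append(
                f"EXPOSED: {role} can reach {svc.name} at {svc.host}:{svc.port} "
                f"(table allows only {sorted(svc.used_by)})")
        elif allowed and not reachable:
            findings.append(
                f"BLOCKED: {role} cannot reach {svc.name} at {svc.host}:{svc.port} "
                f"but the table requires it")
    return findings


def local_listener() -> Tuple[socket.socket, int]:
    """Bind a listening socket on a free loopback port (for self-testing only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    role = sys.argv[1] if len(sys.argv) > 1 else "tengine"
    result = audit_from(role, LAB_SERVICES)
    print("\n".join(result) if result else f"OK: reachability from '{role}' matches the table")
```

Run it as `python3 audit.py tengine` on the proxy host and as `python3 audit.py jumpserver` on an application host; a clean run prints OK, anything else is a firewall rule to tighten or open. A blanket "all ports from the /24" rule will show up here as a row of EXPOSED findings for 3306 and 6379.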

Other

End users always come in through the Tengine reverse proxy. For HA or load balancing, deploy several application instances as described above, run the database as master/slave, and then load-balance on the Tengine proxy server (layer 4). Note: recordings must either be synchronized by hand or stored in a shared directory.

For installing MySQL and generating the password strings, refer to the official documentation.

Configuration of the database, redis, recording and nginx host (192.168.227.96)

Edit nginx.conf: after the following block

events {
    worker_connections 1024;
}

insert this code:

stream {
    log_format  proxy  '$remote_addr [$time_local] '
                       '$protocol $status $bytes_sent $bytes_received '
                       '$session_time "$upstream_addr" '
                       '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /var/log/nginx/tcp-access.log  proxy;
    open_log_file_cache off;
    upstream kokossh {
        server 192.168.227.97:2222;
        server 192.168.227.98:2222;  # multiple nodes
        # backend IPs of the koko SSH service

        least_conn;
    }

    server {
        listen 2222;
        proxy_pass kokossh;  # a stream proxy_pass can only be configured in nginx.conf
        proxy_protocol on;
        proxy_connect_timeout 1s;  # detect failure quickly
    }
}
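The `proxy` log_format above writes one line per TCP session on the public 2222 entry point, which makes tcp-access.log the place to watch for two things: whether `least_conn` is really spreading sessions over both koko nodes, and whether nginx is failing over or giving up (status other than 200, `$upstream_connect_time` logged as "-"). As an added example, not part of the original post or of the JumpServer project, the Python script below parses lines in exactly that format and runs those checks, plus a simple count of very short sessions per client, which is the pattern of repeated connect-and-drop against the SSH port. The sample lines are constructed; the thresholds (sessions under 1 s, 5 of them per client) are my assumptions and should be tuned to the site.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional

# One regex, field by field, for the `proxy` log_format of the stream block:
# $remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received
# $session_time "$upstream_addr" "$upstream_bytes_sent" "$upstream_bytes_received"
# "$upstream_connect_time"
LINE_RE = re.compile(
    r'^(?P<remote_addr>\S+) \[(?P<time_local>[^\]]+)\] '
    r'(?P<protocol>\S+) (?P<status>\d{3}) (?P<bytes_sent>\d+) (?P<bytes_received>\d+) '
    r'(?P<session_time>[\d.]+) "(?P<upstream_addr>[^"]*)" '
    r'"(?P<upstream_bytes_sent>[^"]*)" "(?P<upstream_bytes_received>[^"]*)" '
    r'"(?P<upstream_connect_time>[^"]*)"$'
)


class Session(NamedTuple):
    remote_addr: str
    status: int
    session_time: float
    upstreams: List[str]                  # every backend tried; retries are comma-separated
    connect_times: List[Optional[float]]  # None where nginx logged "-" (no connection made)


def parse_line(line: str) -> Optional[Session]:
    """Parse one tcp-access.log line; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    upstreams = [u.strip() for u in m["upstream_addr"].split(",") if u.strip()]
    connect_times = []
    for raw in m["upstream_connect_time"].split(","):
        raw = raw.strip()
        connect_times.append(None if raw in ("", "-") else float(raw))
    return Session(m["remote_addr"], int(m["status"]), float(m["session_time"]),
                   upstreams, connect_times)


def analyse(lines: Iterable[str], short_session: float = 1.0,
            short_threshold: int = 5) -> Dict[str, object]:
    """Summarise a batch of log lines:
      per_upstream       - sessions handed to each koko node (does least_conn spread load?)
      upstream_failures  - (client, status, backends tried) for sessions that did not
                           end with status 200 or where a backend never connected
      suspicious_clients - clients with >= short_threshold sessions shorter than
                           short_session seconds (repeated connect-and-drop on 2222)
      unparsed           - number of lines that did not match the format
    """
    per_upstream: Counter = Counter()
    failures: List[tuple] = []
    short_by_client: Counter = Counter()
    unparsed = 0
    for line in lines:
        s = parse_line(line)
        if s is None:
            unparsed += 1
            continue
        per_upstream.update(s.upstreams)
        if s.status != 200 or any(ct is None for ct in s.connect_times):
            failures.append((s.remote_addr, s.status, s.upstreams))
        if s.session_time < short_session:
            short_by_client[s.remote_addr] += 1
    suspicious = sorted(ip for ip, n in short_by_client.items() if n >= short_threshold)
    return {"per_upstream": dict(per_upstream), "upstream_failures": failures,
            "suspicious_clients": suspicious, "unparsed": unparsed}


# Constructed sample lines in the page's log format (not real log data).
SAMPLE_LOG = """\
192.168.227.10 [21/Jun/2020:10:15:32 +0800] TCP 200 18322 4210 95.120 "192.168.227.97:2222" "4210" "18322" "0.002"
192.168.227.10 [21/Jun/2020:10:16:01 +0800] TCP 200 9021 1877 40.003 "192.168.227.98:2222" "1877" "9021" "0.001"
192.168.227.11 [21/Jun/2020:10:16:05 +0800] TCP 502 0 0 1.004 "192.168.227.97:2222, 192.168.227.98:2222" "0, 0" "0, 0" "-, -"
192.168.227.11 [21/Jun/2020:10:16:07 +0800] TCP 200 512 300 2.100 "192.168.227.98:2222" "300" "512" "0.001"
203.0.113.5 [21/Jun/2020:10:17:00 +0800] TCP 200 64 48 0.300 "192.168.227.97:2222" "48" "64" "0.001"
203.0.113.5 [21/Jun/2020:10:17:01 +0800] TCP 200 64 48 0.300 "192.168.227.98:2222" "48" "64" "0.001"
203.0.113.5 [21/Jun/2020:10:17:02 +0800] TCP 200 64 48 0.300 "192.168.227.97:2222" "48" "64" "0.001"
203.0.113.5 [21/Jun/2020:10:17:03 +0800] TCP 200 64 48 0.300 "192.168.227.98:2222" "48" "64" "0.001"
203.0.113.5 [21/Jun/2020:10:17:04 +0800] TCP 200 64 48 0.300 "192.168.227.97:2222" "48" "64" "0.001"
203.0.113.5 [21/Jun/2020:10:17:05 +0800] TCP 200 64 48 0.300 "192.168.227.98:2222" "48" "64" "0.001"
this line is not in the proxy log_format
"""

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for key, value in analyse(lines).items():
        print(f"{key}: {value}")
```

Point it at the real file with `python3 tcplog.py /var/log/nginx/tcp-access.log`. A backend that is down shows up as a cluster of failures whose upstream list names both nodes (nginx tried the first, then failed over), and a lopsided `per_upstream` count while both nodes are healthy means the upstream block is not balancing the way the `least_conn` line intends.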

jumpserver.conf

cat /etc/nginx/conf.d/jumpserver.conf
upstream jumpserver {
    server 192.168.227.97:80;
    server 192.168.227.98:80;
    # backend IPs of jumpserver
    ip_hash;
}

upstream koko {
    server 192.168.227.97:5000 weight=1;
    server 192.168.227.98:5000 weight=1;  # multiple nodes
    # backend IPs of koko
    ip_hash;
}

upstream ws {
    server 192.168.227.97:8070 weight=1;
    server 192.168.227.98:8070 weight=1;  # multiple nodes
    # backend IPs of the Jumpserver WS service, port 8070 as in the port table above
    ip_hash;
}


upstream guacamole {
    server 192.168.227.97:8081 weight=1;
    server 192.168.227.98:8081 weight=1;  # multiple nodes
    # backend IPs of guacamole
    ip_hash;
}
server {
    listen 80 default_server;
    server_name _;

#    client_max_body_size 100m;  # size limit for recordings and file uploads

#    location /luna/ {
#        try_files $uri / /index.html;
#        alias /opt/luna/;
#    }

#    location /media/ {
#        add_header Content-Encoding gzip;
#        root /opt/jumpserver/data/;
#    }

#    location /static/ {
#        root /opt/jumpserver/data/;
#    }

    location /koko/ {
        proxy_pass       http://koko;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_pass http://ws;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass http://jumpserver;
        proxy_request_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

NFS configuration; only the configuration file is shown here, look up the installation yourself:

# cat /etc/exports
# Each export is limited to the two application hosts; no_root_squash lets root
# on those clients write to the recording directory as root.
/opt/jumpserver/replay  192.168.227.98(rw,no_root_squash)
/opt/jumpserver/replay  192.168.227.97(rw,no_root_squash)

Jumpserver, koko and Guacamole configuration (192.168.227.97-98)

I configured the 192.168.227.97 VM first, then cloned it and changed the IP address to 192.168.227.98.

Firewall configuration (I was a bit lazy here):

# Lazy variant: accepts every TCP port from the whole 192.168.227.0/24 subnet.
# Single quotes around the rule keep the inner double quotes intact for firewalld.
# The "Used By" table above lists the ports each host actually needs.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.227.0/24" port protocol="tcp" port="1-65535" accept'
firewall-cmd --reload

Mount the recording directory:

mkdir -p /opt/media/replay
echo "192.168.227.96:/opt/jumpserver/replay /opt/media/replay nfs defaults 0 0" >>/etc/fstab
mount -a
df -Th

For the Jumpserver, koko and Guacamole configuration I used the official docker all-in-one image.

Install docker and configure a domestic (China) registry mirror

yum install docker -y
cat /etc/docker/daemon.json
{
    "registry-mirrors": [
        "https://kfwkfulq.mirror.aliyuncs.com",
        "https://2lqq34jg.mirror.aliyuncs.com",
        "https://pee6w651.mirror.aliyuncs.com",
        "https://registry.docker-cn.com",
        "http://hub-mirror.c.163.com"
    ],
    "dns": ["8.8.8.8", "8.8.4.4"]
}

systemctl start docker
systemctl enable docker

Pull the image; without the domestic mirror configured above, the pull is slow or the download stalls.

docker pull  jumpserver/jms_all

Create the jms_all container

# SECRET_KEY, BOOTSTRAP_TOKEN, DB_PASSWORD and REDIS_PASSWORD are shell variables
# that must be set beforehand (generated as described in the official docs).
# SECRET_KEY and BOOTSTRAP_TOKEN must be identical on 192.168.227.97 and .98,
# since every node has to decrypt the same stored credentials.
docker run --name jms_all -d \
    -v /opt/media:/opt/jumpserver/data/media \
    -p 80:80 \
    -p 2222:2222 \
    -p 8070:8070 \
    -p 8080:8080 \
    -p 8081:8081 \
    -p 5000:5000 \
    -p 6379:6379 \
    -e SECRET_KEY=$SECRET_KEY \
    -e BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN \
    -e DB_HOST=192.168.227.96 \
    -e DB_PORT=3306 \
    -e DB_USER=jumpserver \
    -e DB_PASSWORD=$DB_PASSWORD \
    -e DB_NAME=jumpserver \
    -e REDIS_HOST=192.168.227.96 \
    -e REDIS_PORT=6379 \
    -e REDIS_PASSWORD=$REDIS_PASSWORD \
    jumpserver/jms_all:latest
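The `docker run` above takes its secrets from shell variables, which leaves them in shell history and in the `ps` output of every user on the host. As an added example, not code from the original post or from the JumpServer project, the Python script below generates the two Jumpserver secrets with the `secrets` module, stores all four values in a file created with mode 0600, and builds the equivalent `docker run` argument list with `--env-file` instead of `-e VAR=$VAR`. Assumptions of mine: the env file path `/opt/jumpserver/jms_all.env`; token lengths of 50 (SECRET_KEY) and 16 (BOOTSTRAP_TOKEN), matching what the official setup script generates as far as I recall; and dropping the `-p 6379:6379` mapping, since Redis in this deployment lives on 192.168.227.96, not in the container. Generate the file once and copy it to the second node so both containers share the same SECRET_KEY.

```python
import os
import secrets
import stat
import string
from typing import Dict, List

ALPHABET = string.ascii_letters + string.digits


def random_token(length: int) -> str:
    """Alphanumeric token drawn from the OS CSPRNG via the `secrets` module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def write_env_file(path: str, values: Dict[str, str]) -> int:
    """Write KEY=value lines to `path`, creating it with mode 0600 so only the owner
    can read the secrets. Returns the permission bits of the resulting file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for key, value in values.items():
            fh.write(f"{key}={value}\n")
    os.chmod(path, 0o600)  # in case the file already existed with looser bits
    return stat.S_IMODE(os.stat(path).st_mode)


def read_env_file(path: str) -> Dict[str, str]:
    """Inverse of write_env_file; docker's --env-file reads the same KEY=value lines."""
    out: Dict[str, str] = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                out[key] = value
    return out


def build_docker_run(env_file: str, db_host: str = "192.168.227.96",
                     redis_host: str = "192.168.227.96") -> List[str]:
    """argv equivalent to the page's `docker run`, with the secrets supplied through
    --env-file so they never appear in the process list or shell history."""
    argv = ["docker", "run", "--name", "jms_all", "-d",
            "-v", "/opt/media:/opt/jumpserver/data/media"]
    # Port mappings from the page, minus 6379: Redis runs on the .96 host, so the
    # container's bundled Redis does not need to be published (my assumption).
    for port in (80, 2222, 8070, 8080, 8081, 5000):
        argv += ["-p", f"{port}:{port}"]
    non_secret = {"DB_HOST": db_host, "DB_PORT": "3306", "DB_USER": "jumpserver",
                  "DB_NAME": "jumpserver", "REDIS_HOST": redis_host, "REDIS_PORT": "6379"}
    for key, value in non_secret.items():
        argv += ["-e", f"{key}={value}"]
    argv += ["--env-file", env_file, "jumpserver/jms_all:latest"]
    return argv


if __name__ == "__main__":
    import shlex
    env_path = "/opt/jumpserver/jms_all.env"  # assumed location, not from the page
    # DB_PASSWORD and REDIS_PASSWORD must match what was configured on 192.168.227.96;
    # they are read from the environment here and fall back to a placeholder.
    write_env_file(env_path, {
        "SECRET_KEY": random_token(50),
        "BOOTSTRAP_TOKEN": random_token(16),
        "DB_PASSWORD": os.environ.get("DB_PASSWORD", "CHANGE_ME"),
        "REDIS_PASSWORD": os.environ.get("REDIS_PASSWORD", "CHANGE_ME"),
    })
    print(shlex.join(build_docker_run(env_path)))
```

The script prints the command rather than executing it, so the operator can review it before running it on each node; `shlex.join` needs Python 3.8 or newer.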
