Jumpserver-安装文档
最新版本是docker安装,建议centos7+
数据库安装
略……
安装redis
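# Build Redis 6.2.2 from source, install it under /usr/local/redis and wire it
# into the SysV init script so the installer's containers can reach it.
# Required env: REDIS_PASSWORD - the value written as "requirepass"; supply it
# from the environment rather than pasting a literal into this file.
: "${REDIS_PASSWORD:?set REDIS_PASSWORD to the value to use for requirepass}"
cd /usr/local/src || exit 1
wget https://download.redis.io/releases/redis-6.2.2.tar.gz
tar xzf redis-6.2.2.tar.gz
cd redis-6.2.2 || exit 1
make && make PREFIX=/usr/local/redis install
install -o root -g root -m 755 utils/redis_init_script /etc/init.d/redis
# The bundled init script expects binaries in /usr/local/bin; point it at the
# PREFIX chosen above.
sed -i 's#/usr/local/bin#/usr/local/redis/bin#g' /etc/init.d/redis
# Redis warns at startup when overcommit is off; add the sysctl exactly once.
grep -q 'vm.overcommit_memory = 1' /etc/sysctl.conf || echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf
sysctl -p
mkdir -pv /etc/redis
# Seed the config from the redis.conf shipped in this source tree instead of
# fetching the 6.0-branch file over the network: its keys match the binary
# that was just built, and it needs no extra download.
[ -f /etc/redis/6379.conf ] || cp redis.conf /etc/redis/6379.conf
# Configuration tweaks (adjust by hand with: vim /etc/redis/6379.conf).
# Append requirepass only if no active (uncommented) one exists. printf is used
# instead of a sed insert so a password containing '/', '&' or '\' cannot
# break the edit.
grep -qE '^requirepass ' /etc/redis/6379.conf || printf 'requirepass %s\n' "$REDIS_PASSWORD" >> /etc/redis/6379.conf
# Listen on all interfaces so Docker containers can reach the host's Redis.
# This exposes 6379 beyond localhost: it relies on requirepass above and on the
# host firewall limiting which source networks may connect.
sed -i 's/bind 127.0.0.1/bind 0.0.0.0/g' /etc/redis/6379.conf
sed -i 's/daemonize no/daemonize yes/g' /etc/redis/6379.conf
# Start now and enable at boot (systemctl enable replaces "chkconfig redis on").
/etc/init.d/redis start
systemctl enable redis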
手动部署
不要使用快速部署,因为快速部署使用的是docker的数据库和docker的redis
准备阶段
# 开启转发
# 存在第一条net.ipv4.ip_forward=0,ansible会删除net.ipv4.ip_forward = 1
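# Enable IPv4 forwarding persistently (Docker bridge networking needs it).
# The file may already carry "net.ipv4.ip_forward=0", and ansible deletes a
# separate "net.ipv4.ip_forward = 1" line, so rewrite the existing line in
# place rather than appending a duplicate.
sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
# If no ip_forward line existed at all, the sed above was a no-op: append one.
# Checking the file directly avoids the "a || b && c" precedence of the
# one-liner, which ran the trailing sysctl regardless of the grep result.
if ! grep -qE '^net\.ipv4\.ip_forward *= *1$' /etc/sysctl.conf; then
  echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
fi
# Apply and show the effective value.
sysctl -p | grep ip_forward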
# 数据库授权
# 初始化流程说明:
# 4. Configure MySQL 这里用的是默认网络,所以数据库获取到客户端的ip是:172.17.0.x
# 测试命令:docker run -i --rm "${mysql_images}" mysql -h"${host}" -P"${port}" -u"${user}" -p"${password}" "${db}" -e "${command}" 2>/dev/null
# 7. Init JumpServer Database
# 这里才创建网络,默认网段:192.168.250.0/24,所以数据库获取到客户端的ip是:192.168.250.x
# Creating network "jms_net" with driver "bridge"
# Create the JumpServer schema and grant access from the two Docker networks
# the installer uses; MySQL sees the container address as the client IP.
CREATE DATABASE `jumpserver` /*!40100 DEFAULT CHARACTER SET utf8mb4 */;
# Default bridge network 172.17.0.0/24: only needed while the installer runs;
# this grant can be revoked once deployment completes.
# NOTE(review): '123456' is the example password used throughout this page;
# replace it with a strong one before running these statements.
CREATE USER 'jumpserver'@'172.17.0.%' IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON `jumpserver`.* TO 'jumpserver'@'172.17.0.%';
# jms_net network 192.168.250.0/24: the range the running stack connects from.
CREATE USER 'jumpserver'@'192.168.250.%' IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON `jumpserver`.* TO 'jumpserver'@'192.168.250.%';
# 数据库权限测试
# 默认网络
# docker run -it jumpserver/mysql:5 /bin/bash
# jms_net网络
# docker run --network jms_net -it jumpserver/mysql:5 /bin/bash
# 测试命令
# mysql -h192.168.1.188 -P3306 -ujumpserver -p123456 jumpserver -e 'show grants;'
# 容器操作
# docker inspect 44fc0f0582d9
# 进入容器最佳命令(exec)
# docker exec -it jms_mysql /bin/bash
# 退出容器
# exit
防火墙
防火墙只能授权,不能关闭
不要轻易重启防火墙,因为docker的规则会被清除,需要重新生效的话只能重启docker服务
# --permanent 用于持久化
# -A INPUT -s 172.17.0.0/24 -p tcp --dport 3306 -j ACCEPT
# -A INPUT -s 172.17.0.0/24 -p tcp --dport 6379 -j ACCEPT
# -A INPUT -s 192.168.250.0/24 -j ACCEPT
# Allow MySQL (3306) and Redis (6379) on the host only from Docker's default
# bridge network. --permanent persists each rule; --reload applies them.
docker_bridge_net=172.17.0.0/24
rule_priority=0
for port in 3306 6379; do
  firewall-cmd --direct --permanent --add-rule ipv4 filter IN_public_allow "$rule_priority" \
    -m tcp -p tcp -s "$docker_bridge_net" --dport "$port" -j ACCEPT
  rule_priority=$((rule_priority + 1))
done
firewall-cmd --reload
# Reloading firewalld clears the iptables rules Docker manages; restarting the
# docker service recreates them.
systemctl restart docker.service
部署
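# Download and unpack the pinned installer release, then run the interactive
# install. The version is held in one variable so the URL, archive name and
# directory cannot drift apart when it is bumped.
installer_version=v2.15.4
installer_archive="jumpserver-installer-${installer_version}.tar.gz"
# Without set -e an unchecked cd would let the following commands run in the
# wrong directory; fail fast instead.
cd /opt || exit 1
wget "https://github.com/jumpserver/installer/releases/download/${installer_version}/${installer_archive}"
tar -xf "$installer_archive"
cd "jumpserver-installer-${installer_version}" || exit 1
# Optional: pre-seed the config instead of answering the prompts:
#   mkdir -pv /opt/jumpserver/config
#   cp config-example.txt /opt/jumpserver/config/config.txt
./jmsctl.sh install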
# 4. Configure MySQL
# 数据库配置为:宿主内网ip,网关会自动路由
# 5. Configure Redis
# 地址为:宿主内网ip,网关会自动路由
# 7. Init JumpServer Database
# 这里才创建网络,客户端初始化的ip地址是:192.168.250.x
# Creating network "jms_net" with driver "bridge"
# 初始化完成后可以删除数据库测试权限
# Once the installer has initialised the database, the temporary grant for the
# default bridge network (172.17.0.%) is no longer needed; drop it so only the
# jms_net range can log in as this user.
DROP USER 'jumpserver'@'172.17.0.%';
启动
# Start the stack.
./jmsctl.sh start
# Startup failures are common; inspect the core container's log with:
# docker logs -f jms_core --tail 200
证书以及域名替换
新版本已经解决此问题,可以不使用https连接luna
web终端luna通过ip访问,会直接报错:Connection error和Connection closed
chrome访问wss具体报错:failed: Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID
edge访问wss具体报错:failed: Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID # 说明证书问题
# 域名修改
vim /opt/jumpserver/config/nginx/lb_http_server.conf
# 证书替换
ll /opt/jumpserver/config/nginx/cert/
单节点宿主配置443端口
新版本已解决,注意需要nginx编译session_sticky模块(单节点实际上没有需求)
https://www.cnblogs.com/tssc/p/7481885.html
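upstream core_web {
  # Session affinity for user connections. "sticky" needs a third-party nginx
  # module; nginx's built-in alternative is ip_hash. Uncomment the second
  # server line to add a node.
  server 127.0.0.1:8080;
  # server 192.168.100.22:8080;
  sticky;
}

upstream core_task {
  # Task server (use_task = 1); currently only a single task node is supported.
  server 127.0.0.1:8080;
}

# Plain HTTP does nothing but redirect to HTTPS.
server {
  listen 80;
  server_name jump.zaza.com;  # change to your own domain
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  server_name jump.zaza.com;  # change to your own domain
  ssl_certificate     /opt/jumpserver/config/nginx/cert/server.crt;  # your certificate
  ssl_certificate_key /opt/jumpserver/config/nginx/cert/server.key;  # your private key
  ssl_session_timeout 5m;
  # TLS 1.0/1.1 are deprecated (RFC 8996) and flagged by modern browsers;
  # allow 1.2 and up only. Remove "TLSv1.3" if the host nginx/OpenSSL is too
  # old to recognise the token (nginx -t will say so).
  ssl_protocols TLSv1.2 TLSv1.3;
  # Forward-secret AEAD suites only; the earlier "ECDH:AES:HIGH" catch-all
  # re-admitted static-RSA key exchange and CBC suites.
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_prefer_server_ciphers on;
  client_max_body_size 4096m;  # upper bound for session-recording uploads

  # TLS terminates here, so every proxied location also passes
  # X-Forwarded-Proto; without it the backend only sees the plain-http hop.
  # proxy_set_header is not inherited once a location sets its own, hence the
  # repetition per location.
  location ~ /replay/ {
    proxy_pass http://core_web;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location ~ /(ops|task|tasks|flower)/ {
    proxy_pass http://core_task;
    # WebSocket upgrade pass-through.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /ws/ {
    proxy_pass http://core_task/ws/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location / {
    proxy_pass http://core_web;
    # Stream request and response bodies instead of spooling them to disk.
    proxy_buffering off;
    proxy_request_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}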
访问
- 原文作者:zaza
- 原文链接:https://zazayaya.github.io/2021/04/25/jumpserver-install.html
- 说明:转载本站文章请标明出处,部分资源来源于网络,如有侵权请及时与我联系!