[DB宝48] JumpServer: a better bastion host for multi-cloud environments
Tags: Original, Linux, Docker, Security, JumpServer, Bastion host
1. Introduction to JumpServer
JumpServer is the world's first open-source bastion host. It is released under the GNU GPL v2.0 licence and is an operations security audit system that conforms to the 4A specification (authentication, account, authorization, audit).
JumpServer is developed mainly in Python/Django, follows Web 2.0 conventions, and ships with an industry-leading Web Terminal; the interface is polished and easy to use.
JumpServer uses a distributed architecture: it supports deployment across multiple data centres and regions, scales horizontally, and has no limit on the number of assets or concurrent sessions.
Website: https://www.jumpserver.org/
Documentation: https://docs.jumpserver.org/zh/master/
GitHub: https://github.com/jumpserver/jumpserver
1.1 Screenshots
1.2 Key advantages
- Open source: no barrier to entry, quick to obtain and install online;
- Distributed: easily supports large-scale concurrent access;
- No plugins: only a browser is needed, with a first-class Web Terminal experience;
- Multi-cloud support: one system manages assets across different clouds at the same time;
- Cloud storage: audit recordings are stored in the cloud and never lost;
- Multi-tenant: one system serves several subsidiaries and departments at once;
- Multiple application types: databases, Windows remote applications, Kubernetes.
1.3 Feature list
| Category | Feature | Description |
|---|---|---|
| Authentication | Login authentication | Unified login and authentication for resources |
| | | LDAP/AD authentication |
| | | RADIUS authentication |
| | | OpenID authentication (single sign-on) |
| | | CAS authentication (single sign-on) |
| | MFA | MFA second-factor authentication (Google Authenticator) |
| | | RADIUS second-factor authentication |
| | Login review | User login behaviour is supervised and controlled by administrators 🔸 |
| Account | Centralized accounts | User management |
| | | System user management |
| | Unified passwords | Asset password custody |
| | | Automatic password generation |
| | | Automatic password push |
| | | Password expiry settings |
| | Bulk password change | Scheduled bulk password changes 🔸 |
| | | Multiple password policies 🔸 |
| | Multi-cloud onboarding | Automatic unified onboarding of private-cloud and public-cloud assets 🔸 |
| | User collection | Custom scheduled tasks collect host users 🔸 |
| | Password vault | View, update and test the user passwords of asset hosts in one place 🔸 |
| Authorization | Multi-dimensional authorization | Authorization of users, user groups, assets, asset nodes, applications and system users |
| | Asset authorization | Assets are displayed as a tree |
| | | Both assets and nodes can be authorized flexibly |
| | | Assets within a node inherit its authorization automatically |
| | | Child nodes inherit the parent node's authorization automatically |
| | Application authorization | Finer-grained application-level authorization |
| | | MySQL database applications and RemoteApp remote applications 🔸 |
| | Action authorization | Control of file upload, download and connect actions on authorized assets |
| | Time authorization | Restriction of the time windows in which authorized resources may be used |
| | Privileged commands | Control of privileged command use (blacklist and whitelist) |
| | Command filtering | Control of the commands executed by authorized system users |
| | File transfer | SFTP file upload/download |
| | File management | Web SFTP file management |
| | Ticket management | Control of user login requests 🔸 |
| | Organization management | Multi-tenant management and permission isolation 🔸 |
| Audit | Operation audit | Audit of user operations |
| | Session audit | Audit of live session content |
| | | Audit of historical session content |
| | Recording audit | Replay of recordings of operations on Linux, Windows and other assets |
| | | Replay of recordings of RemoteApp 🔸, MySQL and other application operations |
| | Command audit | Audit of commands run against assets and applications |
| | File transfer | Audit of file upload and download records |
| Database | Connection methods | Command line |
| | | Web UI 🔸 |
| | Supported databases | MySQL |
| | | Oracle 🔸 |
| | | MariaDB 🔸 |
| | | PostgreSQL 🔸 |
| | Highlights | Syntax highlighting |
| | | SQL formatting |
| | | Keyboard shortcuts |
| | | Execute selected text |
| | | SQL query history |
| | | Create DB and TABLE from the page |
| | Session audit | Command logging |
| | | Recording replay |
1.4 Architecture
- The front end consists of dynamic pages served by nginx and is accessed through a browser;
- jumpserver is the management back end: administrators use the web UI for asset management, user management and asset authorization, and users use it to log in to assets and manage files;
- coco is the SSH server and web terminal server; users reach SSH- and Telnet-protocol assets with their own accounts over SSH or the web terminal;
- Luna is the front-end page of the web terminal server, the component users need when logging in through the web terminal;
- Guacamole is the component for RDP- and VNC-protocol assets; users connect to them through the web terminal (currently the only way to reach RDP and VNC assets);
1.5 Ports
The following ports are involved:
- Jumpserver: default 8080/tcp, the port the browser connects to
- Coco: default SSH port 2222/tcp, the port used when connecting over SSH; the Web Terminal defaults to 5000/tcp
- Guacamole: default 8081/tcp
- Nginx: default 80/tcp
- Redis: default 6379/tcp
- MySQL/MariaDB: default 3306/tcp
1.6 Components
Jumpserver: the management back end and core component (Core), developed in the Django class-based-view style and exposing a RESTful API.
Coco: the SSH server and web terminal server. Users log in over SSH or the web terminal with their own accounts and reach the assets they are authorized for directly, without needing the server's account and password. Coco has since been replaced by koko.
Luna: the front-end page of the web terminal server, the plugin needed when logging in through the web terminal.
Guacamole: an open-source project that provides a remote desktop solution. JumpServer uses its components to implement RDP and VNC; it does not modify Guacamole's code but adds extra plugins so that JumpServer can drive it.
2. Installing JumpServer
- Quick install: https://docs.jumpserver.org/zh/master/install/setup_by_fast/
- Full documentation: https://docs.jumpserver.org
- Demo video: https://www.bilibili.com/video/BV1ZV41127GB
There are two installation methods, one-click automatic deployment and manual deployment; one-click deployment is recommended.
2.1 One-click automatic deployment
JumpServer can be installed in just two steps:
- Prepare a 64-bit Linux host with at least 2 cores and 4 GB of RAM that can reach the Internet;
- Run the following command as root to install JumpServer in one step.
```
# One-click install and start
curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.8.2/quick_start.sh | bash
# Note: the installer downloads the Docker engine, restarts Docker and pulls many images;
# it ends up using roughly 3 GB of disk and takes about 30 minutes.
[root@docker36 jumpserver-installer-v2.8.2]# docker images | grep jumpserver
jumpserver/core        v2.8.2     f3dd5c1946ec   2 days ago      1.01GB
jumpserver/guacamole   v2.8.2     8869e8512eec   2 days ago      824MB
jumpserver/lina        v2.8.2     98abb9179db1   2 days ago      27.9MB
jumpserver/luna        v2.8.2     d2e17fada2f6   2 days ago      27MB
jumpserver/koko        v2.8.2     40cdabc32153   2 days ago      426MB
jumpserver/mysql       5          697daaecf703   3 months ago    448MB
jumpserver/redis       6-alpine   f731cd48185c   3 months ago    31.6MB
jumpserver/nginx       alpine2    b47070d178ad   18 months ago   18.5MB

# If the download fails, add the following host entries and resolvers:
echo "
13.229.188.59 github.com
199.232.4.133 raw.githubusercontent.com
" >> /etc/hosts
echo "
nameserver 114.114.114.114
nameserver 8.8.8.8
nameserver 223.5.5.5
" > /etc/resolv.conf

# Start
cd /opt/jumpserver-installer-v2.8.2/
./jmsctl.sh start
# This starts 9 containers and creates a network named jms_net with subnet 192.168.250.0/24.
# The first start may report errors; check with "docker logs -f jms_core --tail 200", wait until the
# database migrations have finished and the output is all "ok" with no "error", then run start again.
# See https://docs.jumpserver.org/zh/master/install/setup_by_fast/

# Web access
http://192.168.66.36:8080
https://192.168.66.36:8443
# (default username/password: admin/admin)

# Containers and their status after start
[root@docker36 jumpserver-installer-v2.8.2]# docker ps
CONTAINER ID   IMAGE                         COMMAND                  CREATED              STATUS                        PORTS                                         NAMES
26b95ecb8900   jumpserver/nginx:alpine2      "sh -c 'crond -b -d …"   57 seconds ago       Up 51 seconds (healthy)       0.0.0.0:8080->80/tcp, 0.0.0.0:8443->443/tcp   jms_nginx
9c25659c23c4   jumpserver/luna:v2.8.2        "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)   80/tcp                                        jms_luna
c8d74738aaa2   jumpserver/lina:v2.8.2        "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)   80/tcp                                        jms_lina
bc24581c6d0a   jumpserver/koko:v2.8.2        "./entrypoint.sh"        About a minute ago   Up About a minute (healthy)   0.0.0.0:2222->2222/tcp, 5000/tcp              jms_koko
cc17285dc6ec   jumpserver/guacamole:v2.8.2   "/init"                  About a minute ago   Up About a minute (healthy)   8080/tcp                                      jms_guacamole
edac0a216aa3   jumpserver/core:v2.8.2        "./entrypoint.sh sta…"   About a minute ago   Up About a minute (healthy)   8070/tcp, 8080/tcp                            jms_celery
2ca03ab4d62d   jumpserver/core:v2.8.2        "./entrypoint.sh sta…"   11 minutes ago       Up 11 minutes (healthy)       8070/tcp, 8080/tcp                            jms_core
69e9bdede65f   jumpserver/redis:6-alpine     "docker-entrypoint.s…"   13 minutes ago       Up 13 minutes (healthy)       6379/tcp                                      jms_redis
c73896dc22ad   jumpserver/mysql:5            "docker-entrypoint.s…"   13 minutes ago       Up 13 minutes (healthy)       3306/tcp, 33060/tcp                           jms_mysql
[root@docker36 jumpserver-installer-v2.8.2]#
[root@docker36 jumpserver-installer-v2.8.2]# ./jmsctl.sh status
    Name                   Command                  State                          Ports
-----------------------------------------------------------------------------------------------------------
jms_celery      ./entrypoint.sh start task       Up (healthy)   8070/tcp, 8080/tcp
jms_core        ./entrypoint.sh start web        Up (healthy)   8070/tcp, 8080/tcp
jms_guacamole   /init                            Up (healthy)   8080/tcp
jms_koko        ./entrypoint.sh                  Up (healthy)   0.0.0.0:2222->2222/tcp, 5000/tcp
jms_lina        /docker-entrypoint.sh ngin ...   Up (healthy)   80/tcp
jms_luna        /docker-entrypoint.sh ngin ...   Up (healthy)   80/tcp
jms_mysql       docker-entrypoint.sh --cha ...   Up (healthy)   3306/tcp, 33060/tcp
jms_nginx       sh -c crond -b -d 8 && ngi ...   Up (healthy)   0.0.0.0:8443->443/tcp, 0.0.0.0:8080->80/tcp
jms_redis       docker-entrypoint.sh redis ...   Up (healthy)   6379/tcp
```
Execution log:
```
[root@docker36 ~]# curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.8.2/quick_start.sh | bash
download install script to /opt/jumpserver-installe   (downloading the install script to /opt/jumpserver-installe)
[JUMPSERVER ASCII-art banner]
Version: v2.8.2

语言 Language (cn/en) (default cn):

>>> Install and Configure Docker
1. Install Docker
Starting to download Docker engine ... complete
Starting to download Docker Compose binary ... complete
2. Configure Docker
是否需要自定义 Docker 数据目录, 默认将使用 /var/lib/docker 目录? (y/n) (default n):
complete
3. Start Docker
Docker version has changed or Docker configuration file has been changed, do you want to restart? (y/n) (default y):
complete

>>> Loading Docker Image
[jumpserver/redis:6-alpine]
6-alpine: Pulling from jumpserver/redis
05e7bc50f07f: Pull complete
14c9d57a1c7f: Pull complete
ccd033d7ec06: Pull complete
6ff79b059f99: Pull complete
d91237314b77: Pull complete
c47d41ba6aa8: Pull complete
Digest: sha256:4920debee18fad71841ce101a7867743ff8fe7d47e6191b750c3edcfffc1cb18
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/redis:6-alpine
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/redis:6-alpine
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/redis@sha256:4920debee18fad71841ce101a7867743ff8fe7d47e6191b750c3edcfffc1cb18
[jumpserver/mysql:5]
5: Pulling from jumpserver/mysql
6ec7b7d162b2: Pull complete
fedd960d3481: Pull complete
7ab947313861: Pull complete
64f92f19e638: Pull complete
3e80b17bff96: Pull complete
014e976799f9: Pull complete
59ae84fee1b3: Pull complete
7d1da2a18e2e: Pull complete
301a28b700b9: Pull complete
979b389fc71f: Pull complete
403f729b1bad: Pull complete
Digest: sha256:b3b2703de646600b008cbb2de36b70b21e51e7e93a7fca450d2b08151658b2dd
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/mysql:5
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/mysql:5
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/mysql@sha256:b3b2703de646600b008cbb2de36b70b21e51e7e93a7fca450d2b08151658b2dd
[jumpserver/nginx:alpine2]
alpine2: Pulling from jumpserver/nginx
c87736221ed0: Pull complete
6ff0ab02fe54: Pull complete
e5b318df7728: Pull complete
b7a5a4fe8726: Pull complete
Digest: sha256:d25ed0a8c1b4957f918555c0dbda9d71695d7b336d24f7017a87b2081baf1112
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/nginx:alpine2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/nginx:alpine2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/nginx@sha256:d25ed0a8c1b4957f918555c0dbda9d71695d7b336d24f7017a87b2081baf1112
[jumpserver/luna:v2.8.2]
v2.8.2: Pulling from jumpserver/luna
801bfaa63ef2: Pull complete
b1242e25d284: Pull complete
7453d3e6b909: Pull complete
07ce7418c4f8: Pull complete
e295e0624aa3: Pull complete
4363a3b6ab61: Pull complete
7270d1c7bfd7: Pull complete
Digest: sha256:47f6bc784a2c8b0bfdfdfc465bb5b62012122dc1cd83257afa09edb7d027bdca
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/luna:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/luna:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/luna@sha256:47f6bc784a2c8b0bfdfdfc465bb5b62012122dc1cd83257afa09edb7d027bdca
[jumpserver/core:v2.8.2]
v2.8.2: Pulling from jumpserver/core
6ec7b7d162b2: Already exists
80ff6536d04b: Pull complete
2d04da85e485: Pull complete
998aa32a5c8a: Pull complete
7733ef26f344: Pull complete
d441f02b2497: Pull complete
64cad81ca92c: Pull complete
cf134c77199b: Pull complete
5c09bcf88bcf: Pull complete
fe2b4e1dc49b: Pull complete
328b09a36265: Pull complete
c5b2c15fd6d6: Pull complete
88d58a6b84f5: Pull complete
Digest: sha256:13a53d3ad8e67c7e25890e44aeaac0dfe9d0f23d75f420bd536181897a0a57a2
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/core:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/core:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/core@sha256:13a53d3ad8e67c7e25890e44aeaac0dfe9d0f23d75f420bd536181897a0a57a2
[jumpserver/koko:v2.8.2]
v2.8.2: Pulling from jumpserver/koko
6d28e14ab8c8: Pull complete
0df8b93ef734: Pull complete
64e864129ede: Pull complete
0a873335f747: Pull complete
72734be47e36: Pull complete
210e6f3fd739: Pull complete
68eb2bfabdf9: Pull complete
2b514aadeb8d: Pull complete
b06884356f2d: Pull complete
48b4106b3314: Pull complete
c06b5a09cb3a: Pull complete
52981c83908c: Pull complete
4a31deb17aed: Pull complete
8080af3428ec: Pull complete
d45214541239: Pull complete
Digest: sha256:0e6b2c718c2bbc046d22240d245014361c4f151d0668efab3a0bdc3d6025fd27
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/koko:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/koko:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/koko@sha256:0e6b2c718c2bbc046d22240d245014361c4f151d0668efab3a0bdc3d6025fd27
[jumpserver/guacamole:v2.8.2]
v2.8.2: Pulling from jumpserver/guacamole
6c33745f49b4: Pull complete
ef072fc32a84: Pull complete
c0afb8e68e0b: Pull complete
d599c07d28e6: Pull complete
e8a829023b97: Pull complete
2709df21cc5c: Pull complete
3bfb431a8cf5: Pull complete
bb9822eef866: Pull complete
5842bda2007b: Pull complete
453a23f25fcb: Pull complete
95325cfda054: Pull complete
d0bba8ca7733: Pull complete
77ed1f7e99c3: Pull complete
7c218a3bc8c8: Pull complete
b9b23e074906: Pull complete
6eb77dc135e9: Pull complete
5805059e25b4: Pull complete
8687f3be3de5: Pull complete
b3a371cb4926: Pull complete
0e0115337931: Pull complete
8871470a6d50: Pull complete
0983df4b79d8: Pull complete
97e3ae311d7b: Pull complete
033a9d7411c6: Pull complete
Digest: sha256:f6587bb65eb40dd101144ee89432a0310c46b245dcebc61965ae4de34fd82775
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/guacamole:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/guacamole:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/guacamole@sha256:f6587bb65eb40dd101144ee89432a0310c46b245dcebc61965ae4de34fd82775
[jumpserver/lina:v2.8.2]
v2.8.2: Pulling from jumpserver/lina
801bfaa63ef2: Already exists
b1242e25d284: Already exists
7453d3e6b909: Already exists
07ce7418c4f8: Already exists
e295e0624aa3: Already exists
f2cd4bacfc5e: Pull complete
16594fe0b0fc: Pull complete
Digest: sha256:f809b70fcdcbb9216dfa40c6ab1bd293ca85e3eaf2d2c4d77ae9a1e80e0c82e5
Status: Downloaded newer image for swr.cn-south-1.myhuaweicloud.com/jumpserver/lina:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/lina:v2.8.2
Untagged: swr.cn-south-1.myhuaweicloud.com/jumpserver/lina@sha256:f809b70fcdcbb9216dfa40c6ab1bd293ca85e3eaf2d2c4d77ae9a1e80e0c82e5

>>> Install and Configure JumpServer
1. Check Configuration File
Path to Configuration file: /opt/jumpserver/config
/opt/jumpserver/config/config.txt  [ √ ]
/opt/jumpserver/config/nginx/lb_http_server.conf  [ √ ]
/opt/jumpserver/config/nginx/lb_ssh_server.conf  [ √ ]
/opt/jumpserver/config/core/config.yml  [ √ ]
/opt/jumpserver/config/koko/config.yml  [ √ ]
/opt/jumpserver/config/mysql/my.cnf  [ √ ]
/opt/jumpserver/config/redis/redis.conf  [ √ ]
complete
2. Configure Nginx
configuration file: /opt/jumpserver/config/nginx/cert
/opt/jumpserver/config/nginx/cert/server.crt  [ √ ]
/opt/jumpserver/config/nginx/cert/server.key  [ √ ]
complete
3. Backup Configuration File
Back up to /opt/jumpserver/config/backup/config.txt.2021-03-26_10-26-53
complete
4. Configure Network
Do you want to support IPv6? (y/n) (default n):
complete
5. Configure Private Key
SECRETE_KEY:     ICAgICAgICBUWCBlcnJvcnMgMCAgZHJvcHBlZCAwIG92ZXJyd
BOOTSTRAP_TOKEN: ICAgICAgICBUWCBl
complete
6. Configure Persistent Directory
Do you need custom persistent store, will use the default directory /opt/jumpserver? (y/n) (default n):
complete
7. Configure MySQL
Do you want to use external MySQL? (y/n) (default n):
complete
8. Configure Redis
Do you want to use external Redis? (y/n) (default n):
complete

>>> The Installation is Complete
1. You can use the following command to start, and then visit
./jmsctl.sh start
2. Other management commands
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
For more commands, you can enter ./jmsctl.sh --help to understand
3. Web access
http://172.17.0.3:8080
https://172.17.0.3:8443
Default username: admin  Default password: admin
4. SSH/SFTP access
ssh admin@172.17.0.3 -p2222
sftp -P2222 admin@172.17.0.3
5. More information
Offical Website: https://www.jumpserver.org/
Documentation: https://docs.jumpserver.org/

[root@docker36 ~]# cd /opt/jumpserver-installer-v2.8.2/
[root@docker36 jumpserver-installer-v2.8.2]# ll
总用量 28
drwxrwxr-x 3 root root 4096 3月 18 14:41 compose
-rw-rw-r-- 1 root root 1863 3月 18 14:41 config-example.txt
drwxrwxr-x 7 root root   80 3月 18 14:41 config_init
-rwxrwxr-x 1 root root 5503 3月 18 14:41 jmsctl.sh
drwxrwxr-x 4 root root   27 3月 18 14:41 locale
-rw-rw-r-- 1 root root 2603 3月 18 14:41 README.md
drwxrwxr-x 2 root root 4096 3月 18 14:41 scripts
-rw-rw-r-- 1 root root   46 3月 26 11:54 static.env
drwxrwxr-x 2 root root   39 3月 18 14:41 utils
[root@docker36 jumpserver-installer-v2.8.2]# ./jmsctl.sh start
Creating network "jms_net" with driver "bridge"
Creating jms_redis     ... done
Creating jms_mysql     ... done
Creating jms_core      ... done
Creating jms_celery    ... done
Creating jms_guacamole ... done
Creating jms_lina      ... done
Creating jms_koko      ... done
Creating jms_luna      ... done
Creating jms_nginx     ... done
```
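Once the containers are up, the only ports published on the host should be the nginx web ports (8080/8443) and koko's SSH port (2222) listed in section 1.5; MySQL and Redis must stay on the internal jms_net bridge. The POSIX shell check below is an added example, not part of the JumpServer installer: it parses `docker ps --format '{{.Names}} {{.Ports}}'` output (a constructed sample is embedded, with a deliberately exposed 3306) and reports any host-published port outside that allow-list.

```shell
#!/bin/sh
# Added example (not from the JumpServer project): verify that the Docker host
# publishes only the ports a bastion host is expected to expose. On a live host
# run: check_exposure "$(docker ps --format '{{.Names}} {{.Ports}}')"

# Host ports that may be published: nginx HTTP/HTTPS and koko SSH (see section 1.5).
ALLOWED_PUBLISHED_PORTS="8080 8443 2222"

# Constructed sample in the shape of `docker ps --format '{{.Names}} {{.Ports}}'`.
# It contains one deliberate misconfiguration: jms_mysql publishes 3306 on 0.0.0.0.
SAMPLE_PS='jms_nginx 0.0.0.0:8080->80/tcp, 0.0.0.0:8443->443/tcp
jms_koko 0.0.0.0:2222->2222/tcp, 5000/tcp
jms_guacamole 8080/tcp
jms_core 8070/tcp, 8080/tcp
jms_redis 6379/tcp
jms_mysql 0.0.0.0:3306->3306/tcp, 33060/tcp'

# Print "<container> <host_port>" for every port bound on a host address
# (IPv4 "0.0.0.0:" or IPv6 ":::" prefixes). Entries without "host:port->"
# are container-internal and are skipped.
published_ports() {
    printf '%s\n' "$1" | awk '{
        name = $1
        ports = substr($0, length(name) + 2)
        n = split(ports, p, /, */)
        for (i = 1; i <= n; i++)
            if (match(p[i], /^.*:[0-9]+->/)) {
                hp = substr(p[i], 1, RLENGTH - 2)   # e.g. 0.0.0.0:3306
                sub(/^.*:/, "", hp)                 # keep only the host port
                print name, hp
            }
    }'
}

# Print the published ports that are not on the allow-list (empty when clean).
unexpected_ports() {
    published_ports "$1" | awk -v allowed="$ALLOWED_PUBLISHED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print }'
}

# Return 0 when exposure matches expectations, 1 (with a report on stderr) otherwise.
check_exposure() {
    found=$(unexpected_ports "$1")
    if [ -n "$found" ]; then
        printf 'UNEXPECTED host-published ports:\n%s\n' "$found" >&2
        return 1
    fi
    echo "exposure OK: only ports from [$ALLOWED_PUBLISHED_PORTS] are published"
}

# Demo on the constructed sample (reports jms_mysql 3306).
check_exposure "$SAMPLE_PS" || true
```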
Note: on first login you are prompted to reset the password;
Note: after resetting the password and logging in again, the JumpServer home page looks like the screenshot below; from here on the intranet servers are managed through this interface. The JumpServer server is now set up.
2.2 Manual deployment
```
cd /opt
yum -y install wget
wget https://github.com/jumpserver/installer/releases/download/v2.8.2/jumpserver-installer-v2.8.2.tar.gz
tar -xf jumpserver-installer-v2.8.2.tar.gz
cd jumpserver-installer-v2.8.2
cat config-example.txt
# Settings left empty below are filled in with automatically generated random strings
## When migrating, set SECRET_KEY and BOOTSTRAP_TOKEN to the original values

## Installer settings
DOCKER_IMAGE_PREFIX=swr.cn-south-1.myhuaweicloud.com
VOLUME_DIR=/opt/jumpserver
DOCKER_DIR=/var/lib/docker
SECRET_KEY=
BOOTSTRAP_TOKEN=
LOG_LEVEL=ERROR

## External MySQL settings
USE_EXTERNAL_MYSQL=0
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
DB_NAME=jumpserver

## External Redis settings
USE_EXTERNAL_REDIS=0
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=

## Compose project settings
COMPOSE_PROJECT_NAME=jms
COMPOSE_HTTP_TIMEOUT=3600
DOCKER_CLIENT_TIMEOUT=3600
DOCKER_SUBNET=192.168.250.0/24

## IPv6
DOCKER_SUBNET_IPV6=2001:db8:10::/64
USE_IPV6=0

## Nginx settings; this Nginx routes paths to the different services
HTTP_PORT=80
HTTPS_PORT=443
SSH_PORT=2222

## LB settings; in an HA setup this Nginx can load-balance across different hosts
USE_LB=0
LB_HTTP_PORT=80
LB_HTTPS_PORT=443
LB_SSH_PORT=2222

## Task settings
USE_TASK=1

## XPack
USE_XPACK=0

# MySQL container settings
MYSQL_ROOT_PASSWORD=
MYSQL_DATABASE=jumpserver

# Core settings
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=true

### Keycloak configuration example
### AUTH_OPENID=true
### BASE_SITE_URL=https://jumpserver.company.com/
### AUTH_OPENID_SERVER_URL=https://keycloak.company.com/auth
### AUTH_OPENID_REALM_NAME=cmp
### AUTH_OPENID_CLIENT_ID=jumpserver
### AUTH_OPENID_CLIENT_SECRET=
### AUTH_OPENID_SHARE_SESSION=true
### AUTH_OPENID_IGNORE_SSL_VERIFICATION=true

# Koko settings
CORE_HOST=http://core:8080

# Guacamole settings
JUMPSERVER_SERVER=http://core:8080
JUMPSERVER_KEY_DIR=/config/guacamole/data/key/
JUMPSERVER_RECORD_PATH=/config/guacamole/data/record/
JUMPSERVER_DRIVE_PATH=/config/guacamole/data/drive/
JUMPSERVER_ENABLE_DRIVE=true
JUMPSERVER_CLEAR_DRIVE_SESSION=true
JUMPSERVER_CLEAR_DRIVE_SCHEDULE=24
```
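The settings in config-example.txt interact: SECRET_KEY and BOOTSTRAP_TOKEN are generated when left empty but must be carried over on a migration, an external MySQL or Redis with an empty password is a silent weakness, and AUTH_OPENID_IGNORE_SSL_VERIFICATION=true removes TLS verification from the SSO flow. The POSIX shell linter below is an added example, not part of the installer: it reads a config.txt, skips comment lines, and reports those combinations before `./jmsctl.sh start`. The sample file and its values are constructed.

```shell
#!/bin/sh
# Added example (not part of the JumpServer installer): review config.txt for
# settings that are unsafe on their own or in combination before running
# ./jmsctl.sh start. On a real host: lint_config /opt/jumpserver/config/config.txt

# Read the last value of KEY from a KEY=VALUE file; "#" comment lines never match.
cfg_get() {   # cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Print one finding per line ("LEVEL KEY: message"); prints nothing when clean.
lint_config() {   # lint_config FILE
    f=$1
    for k in SECRET_KEY BOOTSTRAP_TOKEN; do
        [ -n "$(cfg_get "$f" "$k")" ] || \
            echo "WARN $k: empty, installer will generate one; set the original value when migrating"
    done
    if [ "$(cfg_get "$f" USE_EXTERNAL_MYSQL)" = 1 ] && [ -z "$(cfg_get "$f" DB_PASSWORD)" ]; then
        echo "ERROR DB_PASSWORD: empty while USE_EXTERNAL_MYSQL=1"
    fi
    if [ "$(cfg_get "$f" USE_EXTERNAL_MYSQL)" = 1 ] && [ "$(cfg_get "$f" DB_USER)" = root ]; then
        echo "WARN DB_USER: root used for an external database; prefer a dedicated account"
    fi
    if [ "$(cfg_get "$f" USE_EXTERNAL_REDIS)" = 1 ] && [ -z "$(cfg_get "$f" REDIS_PASSWORD)" ]; then
        echo "ERROR REDIS_PASSWORD: empty while USE_EXTERNAL_REDIS=1"
    fi
    if [ "$(cfg_get "$f" AUTH_OPENID)" = true ] && \
       [ "$(cfg_get "$f" AUTH_OPENID_IGNORE_SSL_VERIFICATION)" = true ]; then
        echo "ERROR AUTH_OPENID_IGNORE_SSL_VERIFICATION: true disables TLS verification towards the IdP"
    fi
}

# Number of findings, usable as a go/no-go gate in a deployment script.
lint_count() { lint_config "$1" | wc -l | tr -d ' '; }

# Random alphanumeric secret of the requested length for SECRET_KEY / BOOTSTRAP_TOKEN.
gen_secret() {   # gen_secret LENGTH
    head -c 256 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c "$1"
}

# Constructed sample with several of the issues above (not a real deployment).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
## installer settings
SECRET_KEY=
BOOTSTRAP_TOKEN=
USE_EXTERNAL_MYSQL=1
DB_HOST=mysql.internal.example
DB_USER=root
DB_PASSWORD=
### AUTH_OPENID=true          <- commented out, so it must be ignored
AUTH_OPENID=true
AUTH_OPENID_IGNORE_SSL_VERIFICATION=true
EOF

lint_config "$SAMPLE_CFG"   # demo: prints 5 findings for the sample
```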
3. Using JumpServer
- Video tutorial, JumpServer from beginner to expert: https://www.bilibili.com/video/BV19D4y1S7s4
- Official docs: https://jumpserver.readthedocs.io/zh/master/admin-guide/quick_start/
3.1 System settings
3.1.1 Basic settings
Name | Example | Notes |
---|---|---|
Current site URL | https://demo.jumpserver.org | If not set, the addresses in emails will be http://localhost |
User guide URL | | Shown to users as a hyperlink on first login; may be left unset |
Forgot password URL | | Can be customised when an external authentication system such as LDAP or OpenID is used |
In the basic settings, the current JumpServer URL must be set.
3.1.2 Email settings
These must be configured before any email-related feature can be used.
Use SSL and Use TLS cannot both be ticked at the same time.
Name | Example | Notes |
---|---|---|
SMTP host | smtp.qq.com | SMTP server provided by the mail provider |
SMTP port | 25 | Usually 25 |
SMTP account | 296015668@qq.com | Usually user@domain.com |
SMTP password | **** | Must be re-entered for every Test connection |
Use SSL | [ ] | Must be ticked when port 465 is used |
Use TLS | [ ] | Must be ticked when port 587 is used |
Sender | 296015668@qq.com | Required for Test connection |
Subject prefix | [JMS] | Email subjects begin with [JMS] |
Test recipient | 296015668@qq.com | Required for Test connection |
Under System settings > Email settings, fill in the account details and the mail server details, then run Test connection; if the test email arrives, the mail server details and the mail username and password are correct. Finally click Submit;
and the mail subject prefix; the links in the emails users receive will then point to this JumpServer URL;
Received email: