# JumpServer 是什么,安装JumpServer
# JumpServer 是什么
JumpServer 是广受欢迎的开源堡垒机,是符合 4A 规范的专业运维安全审计系统。JumpServer 帮助企业以更安全的方式管控和登录所有类型的资产,实现事前授权、事中监察、事后审计,满足等保合规要求。
https://docs.jumpserver.org/zh/v3/#1-jumpserver
# JumpServer 堡垒机支持的资产类型包括
- SSH (Linux / Unix / 网络设备 等)
- Windows (Web 方式连接 / 原生 RDP 连接)
- 数据库 (MySQL / MariaDB / Oracle / SQLServer / PostgreSQL / ClickHouse 等)
- NoSQL (Redis / MongoDB 等)
- GPT (ChatGPT 等)
- 云服务 (Kubernetes / VMware vSphere 等)
- Web 站点 (各类系统的 Web 管理后台)
- 应用 (通过 Remote App 连接各类应用)
我选择单机部署安装,系统centos7,IP: 192.168.1.2
# cd /opt
# curl -sSL https://resource.fit2cloud.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh | bash
1
2
3
2
3
参考: https://docs.jumpserver.org/zh/v3/installation/setup_linux_standalone/online_install/
运行完成之后,下载了如下docker镜像
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
jumpserver/web v3.6.2 968c5acbb280 4 days ago 1.53GB
jumpserver/chen v3.6.2 35f659cc7c52 4 days ago 568MB
jumpserver/core v3.6.2 8ca03c14c829 4 days ago 1.57GB
jumpserver/magnus v3.6.2 ddc825b66411 4 days ago 159MB
jumpserver/lion v3.6.2 53dcfd817496 4 days ago 237MB
jumpserver/koko v3.6.2 58fe7a4c7e94 4 days ago 1.01GB
jumpserver/kael v3.6.2 b3a59ea024c6 4 days ago 278MB
jumpserver/mariadb 10.6 aac2cf878de9 9 months ago 405MB
jumpserver/redis 6.2 48da0c367062 9 months ago 113MB
1
2
3
4
5
6
7
8
9
10
11
2
3
4
5
6
7
8
9
10
11
运行了10个docker实例
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
aad48a2d03bf jumpserver/magnus:v3.6.2 "./entrypoint.sh" 17 minutes ago Up 15 minutes (healthy) 0.0.0.0:33061-33062->33061-33062/tcp, :::33061-33062->33061-33062/tcp, 0.0.0.0:63790->63790/tcp, :::63790->63790/tcp jms_magnus
1f758dd2c837 jumpserver/core:v3.6.2 "./entrypoint.sh sta…" 17 minutes ago Up 16 minutes (healthy) 8080/tcp jms_celery
fe7c9296905e jumpserver/lion:v3.6.2 "./entrypoint.sh" 17 minutes ago Up 16 minutes (healthy) 4822/tcp, 8081/tcp jms_lion
a50c14135836 jumpserver/chen:v3.6.2 "./entrypoint.sh" 17 minutes ago Up 16 minutes (healthy) 8082/tcp jms_chen
cdcbb89e5238 jumpserver/kael:v3.6.2 "./entrypoint.sh" 17 minutes ago Up 16 minutes (healthy) 8083/tcp jms_kael
db9d436dd96c jumpserver/koko:v3.6.2 "./entrypoint.sh" 17 minutes ago Up 16 minutes (healthy) 0.0.0.0:2222->2222/tcp, :::2222->2222/tcp, 5000/tcp jms_koko
fe47d20a2d99 jumpserver/web:v3.6.2 "/docker-entrypoint.…" 17 minutes ago Up 3 seconds (health: starting) 0.0.0.0:80->80/tcp, :::80->80/tcp jms_web
73b2defbf1ac jumpserver/core:v3.6.2 "./entrypoint.sh sta…" 17 minutes ago Up 17 minutes (healthy) 8080/tcp jms_core
4a71a6ef66ae jumpserver/redis:6.2 "docker-entrypoint.s…" 44 minutes ago Up 44 minutes (healthy) 6379/tcp jms_redis
e1fff68fae3c jumpserver/mariadb:10.6 "docker-entrypoint.s…" 44 minutes ago Up 44 minutes (healthy) 3306/tcp jms_mysql# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4ca2d352ed4c jumpserver/core:v3.6.2 "./entrypoint.sh sle…" 2 minutes ago Up About a minute 8080/tcp jms_core
4a71a6ef66ae jumpserver/redis:6.2 "docker-entrypoint.s…" 2 minutes ago Up 2 minutes (healthy) 6379/tcp jms_redis
e1fff68fae3c jumpserver/mariadb:10.6 "docker-entrypoint.s…" 2 minutes ago Up 2 minutes (healthy) 3306/tcp jms_mysql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2
3
4
5
6
7
8
9
10
11
12
13
14
15
首次安装后需要修改配置文件,定义 DOMAINS 字段后即可正常使用 如果服务器是一键安装并且旧版本就已经使用 JumpServer 开启了 HTTPS,则不需要进行任何更改。 需要使用 IP 地址来访问 JumpServer 的场景,可以根据自己的 IP 类型来填写 config.txt 配置文件中 DOMAINS 字段为公网 IP 还是内网 IP。
# 打开config.txt 配置文件,定义 DOMAINS 字段
vim /opt/jumpserver/config/config.txt
# 可信任 DOMAINS 定义,
# 定义可信任的访问 IP, 请根据实际情况修改, 如果是公网 IP 请改成对应的公网 IP,
# DOMAINS="demo.jumpserver.org" # 使用域名访问
# DOMAINS="172.17.200.191" # 使用 IP 访问
# DOMAINS="demo.jumpserver.org,172.17.200.191" # 使用 IP 和 域名一起访问
DOMAINS=
1
2
3
4
5
6
7
8
9
10
11
2
3
4
5
6
7
8
9
10
11
# 登录后台
安装成功后,通过浏览器访问登录 JumpServer
地址: http://<JumpServer服务器IP地址>:<服务运行端口>
http://192.168.1.2/core/auth/login/
用户名: admin
密码: admin
根据提示修改密码
# 修改配置文件
vim /opt/jumpserver/config/config.txt
HTTP_PORT=80 改成 81 # 因为本机的nginx冲突了
DOMAINS=jms.xgss.net
1
2
3
4
2
3
4
# jumpserver常用命令
cd /opt/jumpserver-installer-v3.6.2
# 启动
./jmsctl.sh start
# 停止
./jmsctl.sh down
# 卸载
./jmsctl.sh uninstall
# 帮助
./jmsctl.sh -h
# 开机启动
echo '/opt/jumpserver-installer-v3.6.2/jmsctl.sh start' >> /etc/rc.local
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# 反向代理
域名: jms.xgss.net
# HTTP配置
server {
listen 80;
server_name jms.xgss.net; # 自行修改成你的域名
access_log /data/wwwroot/log/jms.xgss.net-access.log main_aliyun;
error_log /dev/null;
client_max_body_size 4096m; # 上传文件大小限制
location / {
# 这里的 ip 是后端 JumpServer nginx 的 ip
proxy_pass http://127.0.0.1:81;
proxy_http_version 1.1;
proxy_buffering off;
proxy_request_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# HTTPS配置
server {
listen 80;
server_name demo.jumpserver.org; # 自行修改成你的域名
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name demo.jumpserver.org; # 自行修改成你的域名
ssl_certificate sslkey/1_jumpserver.org_bundle.crt; # 自行设置证书
ssl_certificate_key sslkey/2_jumpserver.org_bundle.key; # 自行设置证书
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=63072000" always;
client_max_body_size 4096m; # 录像及文件上传大小限制
location / {
# 这里的 ip 是后端 JumpServer nginx 的 ip
proxy_pass http://192.168.244.144;
proxy_http_version 1.1;
proxy_buffering off;
proxy_request_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# 使用域名登录
