[系统运维] Jumpserver 源码搭建堡垒机 linux 持续更新

开发: C++知识库 Java知识库 JavaScript Python PHP知识库人工智能区块链大数据移动开发嵌入式开发工具数据结构与算法开发测试游戏开发网络协议系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑笔记本显卡显示器固态硬盘硬盘耳机手机 iphone vivo oppo 小米华为单反装机图拉丁

-> 系统运维 -> Jumpserver 源码搭建堡垒机 linux 持续更新 -> 正文阅读

[系统运维]Jumpserver 源码搭建堡垒机 linux 持续更新

ing### 架构图
在这里插入图片描述
JumpServer 分为多个组件，大致的架构如上图所示。其中 Lina 和 Luna 为纯静态文件，最终由 nginx 整合，没有端口，core、koko、lion以服务的形式部署，有端口。
本文主要版本选择为2.15.3

组件版本

组件	版本	备注
Python	3.8.12	Core组件运行解释器
Mysql	5.7.37	数据存储本次部署为yum安装
Redis	6.2.5	数据缓存
Core	2.15.3	jumpserver核心组件
Nodejs	12.2.0	Lina、Luna编译
Lina	2.15.3	JumpServer 的前端 UI 项目，主要使用 Vue，Element UI 完成
Luna	2.15.3	JumpServer 的前端 UI 项目，主要使用 Angular CLI 完成
Go	1.15.1	Koko编译
Koko	2.15.3	Koko 是 Go 版本的 coco，重构了 coco 的 SSH/SFTP 服务和 Web Terminal 服务
Lion	2.15.3	实现 RDP/VNC 协议跳板机功能
Nginx	1.20.0	代理转发

安装包下载地址

官网地址
Python3.8.12
Redis6.2.5
Core2.15.3
Nodejs12.2.0
Lina2.15.3
Luna
Go1.15
Koko2.15.3
Lion2.15.3
Nginx1.20.0
guacamole-server1.3.0
GeoLite2-City.mmdb
国内地址
Python3.8.12
Redis6.2.5
Core2.15.3
Nodejs12.2.0
Lina2.15.3
Luna2.15.3
Go1.15.1
Koko2.15.3
Lion2.15.3
Nginx1.20.0
guacamole-server1.3.0
GeoLite2-City.mmdb

本文主要搭建参考：https://docs.jumpserver.org/zh/master/dev/build/

环境介绍

服务器版本	内网地址	备注
centos7.6	172.18.158.92	mysql、redis、core、python3、nodejs、lina、luna、go、koko、lion、nginx、guacamole-server

部署Core

一、源码安装python3

当前环境
卸载自带的python3

rpm -qa|grep python3 |xargs rpm -e --allmatches --nodeps

下载指定版本的python3

wget http://8.210.62.122/python/Python-3.8.12.tgz

安装编译工具

yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gcc make gdbm-devel db4-devel libpcap-devel xz-devel libffi-devel

解压

tar xf Python-3.8.12.tgz -C /usr/local/

编译

cd /usr/local/Python-3.8.12
./configure --prefix=/usr/local/python3
make && make install

配置环境变量

cat /etc/profile.d/python3.sh 
export PYTHON_HOME=/usr/local/python3
export PATH=$PYTHON_HOME/bin:$PATH

python3 -V
Python 3.8.12

参考文章：https://blog.csdn.net/weixin_45717886/article/details/123992330
二、yum安装mysql
8. 配置mysql yum仓库
官网地址
 国内地址

wget https://dev.mysql.com/get/mysql80-community-release-el7-1.noarch.rpm
rpm -ivh mysql80-community-release-el7-1.noarch.rpm

修改安装mysql的yum源文件

[root@mysql ~]# vim /etc/yum.repos.d/mysql-community.repo
把安装5.7的源打开, 关闭安装8.0的源  1是开启 0是关闭
[root@mysql ~]# yum -y install mysql-community-server
[root@mysql ~]# systemctl start mysqld && systemctl enable mysqld

获取密码

grep "password" /var/log/mysqld.log

参考文章：https://blog.csdn.net/weixin_45717886/article/details/103411025

修改密码并创建授权用户

alter mysql.user '用户名'@'登入主机' identified by '密码';
create database jumpserver default charset utf8 collate utf8_general_ci;

grant all on jumpserver.* to 'jumpsever'@'127.0.0.1' identified by '密码';
grant all on jumpserver.* to 'jumpsever'@'localhost' identified by '密码';
grant all on jumpserver.* to 'jumpsever'@'172.18.%' identified by '密码'; #不是在同一台服务器时授权
flush privileges;

参考文章：https://editor.csdn.net/md/?articleId=103356082
三、安装redis

下载安装包

curl -O https://download.redis.io/releases/redis-6.2.5.tar.gz  #需要什么版本 就修改后面数字

解压

tar xf redis-6.2.5.tar.gz -C /usr/local/

编译

cd /usr/local/redis-6.2.5/
make PREFIX=/usr/local/redis install

配置环境变量

cat /etc/profile.d/redis.sh
export REDIS_HOME=/usr/local/redis
export PATH=$REDIS_HOME/bin:$PATH

source /etc/profile.d/redis.sh
redis-server --version
Redis server v=6.2.5 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=3ec1f34ab2699b91

redis配置文件

mkdir /usr/local/redis/{etc,data,log,run}  #创建目录
cp -ar /usr/local/redis-6.2.5/redis.conf /usr/local/redis/etc/  #拷贝redis配置文件

[root@localhost etc]# diff redis.conf /usr/local/redis-6.2.5/redis.conf 
75c75
< bind  0.0.0.0  #绑定监听ip
---
> bind 127.0.0.1 -::1
257c257
< daemonize yes  #开启redis后台进程启动 
---
> daemonize no
289c289
< pidfile /usr/local/redis/run/redis_6379.pid  
---
> pidfile /var/run/redis_6379.pid
302c302
< logfile /usr/local/redis/log/redis.log
---
> logfile ""
454c454
< dir /usr/local/redis/data  #RDB AOF文件存放路径
---
> dir ./
902d901

```shell
#配置文件
cat redis.conf |grep -v -E "^#|^$"
bind  0.0.0.0
protected-mode yes
port 6379
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize yes
pidfile /usr/local/redis/run/redis_6379.pid
loglevel notice
logfile /usr/local/redis/log/redis.log
databases 16
always-show-logo no
set-proc-title yes
proc-title-template "{title} {listen-addr} {server-mode}"
stop-writes-on-bgsave-error yes
rdbcompression yes
rdbchecksum yes
dbfilename dump.rdb
rdb-del-sync-files no
dir /usr/local/redis/data
replica-serve-stale-data yes
replica-read-only yes
repl-diskless-sync no
repl-diskless-sync-delay 5
repl-diskless-load disabled
repl-disable-tcp-nodelay no
replica-priority 100
acllog-max-len 128
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
replica-lazy-flush no
lazyfree-lazy-user-del no
lazyfree-lazy-user-flush no
oom-score-adj no
oom-score-adj-values 0 200 800
disable-thp yes
appendonly no
appendfilename "appendonly.aof"
appendfsync everysec
no-appendfsync-on-rewrite no
auto-aof-rewrite-percentage 100
auto-aof-rewrite-min-size 64mb
aof-load-truncated yes
aof-use-rdb-preamble yes
lua-time-limit 5000
slowlog-log-slower-than 10000
slowlog-max-len 128
latency-monitor-threshold 0
notify-keyspace-events ""
hash-max-ziplist-entries 512
hash-max-ziplist-value 64
list-max-ziplist-size -2
list-compress-depth 0
set-max-intset-entries 512
zset-max-ziplist-entries 128
zset-max-ziplist-value 64
hll-sparse-max-bytes 3000
stream-node-max-bytes 4096
stream-node-max-entries 100
activerehashing yes
client-output-buffer-limit normal 0 0 0
client-output-buffer-limit replica 256mb 64mb 60
client-output-buffer-limit pubsub 32mb 8mb 60
hz 10
dynamic-hz yes
aof-rewrite-incremental-fsync yes
rdb-save-incremental-fsync yes
jemalloc-bg-thread yes

内核参数调优

vim /etc/sysctl.conf
net.core.somaxconn=32768    #表示socket监听（listen）的backlog上限 默认为128
net.ipv4.tcp_max_syn_backlog=32768  
#backlog 参数控制的是三次握手后server端收到的client ack确认号之后的队列值，即全连接队列(accept queue)  默认为128
vm.overcommit_memory=1
#0表示内核会检查是否有足够的物理内存，有就允许，没有就拒绝； 默认为0
#1表示内核允许分配所有物理内存而不管当前内存使用状态如何；
#2表示内核允许分配超过物理内存和交换空间总和的内存。

大页内存动态分配，需要关闭让redis负责内存管理。
临时关闭
cat /sys/kernel/mm/transparent_hugepage/enabled
[always] madvise never
echo never > /sys/kernel/mm/transparent_hugepage/enabled
cat /sys/kernel/mm/transparent_hugepage/enabled
always madvise [never]
永久关闭
vim /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet transparent_hugepage=never"
GRUB_DISABLE_RECOVERY="true"

grub2-mkconfig -o /boot/grub2/grub.cfg
reboot  重启机器后使得设备的参数有效

cat /proc/cmdline 
BOOT_IMAGE=/vmlinuz-3.10.0-1160.el7.x86_64 root=/dev/mapper/centos-root ro rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet transparent_hugepage=never
[root@localhost ~]# cat /sys/kernel/mm/transparent_hugepage/enabled 
always madvise [never]

部分文章参考：https://blog.51cto.com/u_8026776/2074544

配置systemd管理redis服务
创建启动用户

useradd redis -M -s /sbin/nologin
chown -R redis.redis /usr/local/redis

cat /usr/lib/systemd/system/redis.service 
[Unit]
Description=Redis persistent key-value database
After=network.target

[Service]
ExecStart=/usr/local/redis/bin/redis-server /usr/local/redis/etc/redis.conf
Type=forking
User=redis
Group=redis
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

systemctl daemon-reload
systemctl restart redis
systemctl enable redis

文章参考：https://blog.csdn.net/weixin_45717886/article/details/123754781

四、Core安装

下载core

wget http://8.210.62.122/jumpserver/jumpserver-2.15.3.tar.gz

解压core

tar -xf jumpserver-2.15.3.tar.gz -C /opt
cd /opt
mv jumpserver-2.15.3 jumpserver

下载GeoLite2-City.mmdb文件

cd /opt/jumpserver
wget http://8.210.62.122/jumpserver/GeoLite2-City.mmdb -O apps/common/utils/geoip/GeoLite2-City.mmdb

安装rpm依赖

yum -y install `cat requirements/rpm_requirements.txt`

安装python依赖
为 JumpServer 项目单独创建 python3 虚拟环境。

python3 -m venv /opt/py3
source /opt/py3/bin/activate

每次运行项目都需要先执行 source /opt/py3/bin/activate 载入此环境。
配置python3安装模块源

[root@jumpserver jumpserver]# cat ~/.pip/pip.conf 
[global]
index-url=http://mirrors.cloud.aliyuncs.com/pypi/simple/

[install]
trusted-host=mirrors.cloud.aliyuncs.com

pip3 install -U pip
pip3 install --upgrade pip
python3 -m pip install --upgrade setuptools

文章参考：https://stackoverflow.com/posts/62500932/edit

修改安装模块文件

[root@jumpserver jumpserver]# cat requirements/requirements.txt |grep huawei
#huaweicloud-sdk-python==1.0.21
注释这个模块 后面会手动安装

安装python项目的相关模块

pip install -r requirements/requirements.txt

手动安装huaweicloud-sdk-python模块

pip3 install huaweicloud-sdk-python

修改core配置文件

cp config_example.yml config.yml

[root@jumpserver jumpserver]# diff config.yml config_example.yml 
4c4
< SECRET_KEY: ******************************
---
> SECRET_KEY: 
8c8
< BOOTSTRAP_TOKEN: ********************
---
> BOOTSTRAP_TOKEN: 
13d12
< DEBUG: true
18d16
< LOG_LEVEL: DEBUG
25d22
< SESSION_EXPIRE_AT_BROWSER_CLOSE: true
41c38
< DB_PASSWORD: YingjiaN@123
---
> DB_PASSWORD:

完整版配置文件

# SECURITY WARNING: keep the secret key used in production secret!
# 加密密钥 生产环境中请修改为随机字符串，请勿外泄, 可使用命令生成
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: **************************

# SECURITY WARNING: keep the bootstrap token used in production secret!
# 预共享Token coco和guacamole用来注册服务账号，不在使用原来的注册接受机制
# $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24;echo
BOOTSTRAP_TOKEN: *************

# Development env open this, when error occur display the full process track, Production disable it
# DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
# DEBUG: true
DEBUG: true

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# 日志级别
# LOG_LEVEL: DEBUG
LOG_LEVEL: DEBUG
# LOG_DIR: 

# Session expiration setting, Default 24 hour, Also set expired on on browser close
# 浏览器Session过期时间，默认24小时, 也可以设置浏览器关闭则过期
# SESSION_COOKIE_AGE: 86400
# SESSION_EXPIRE_AT_BROWSER_CLOSE: false
SESSION_EXPIRE_AT_BROWSER_CLOSE: true

# Database setting, Support sqlite3, mysql, postgres ....
# 数据库设置
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# 使用单文件sqlite数据库
# DB_ENGINE: sqlite3
# DB_NAME: 
# MySQL or postgres setting like:
# 使用Mysql作为数据库
DB_ENGINE: mysql
DB_HOST: 127.0.0.1
DB_PORT: 3306
DB_USER: jumpserver
DB_PASSWORD: *****
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver 127.0.0.1:8080
# 运行时绑定端口
HTTP_BIND_HOST: 0.0.0.0
HTTP_LISTEN_PORT: 8080
WS_LISTEN_PORT: 8070

# Use Redis as broker for celery and web socket
# Redis配置
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
# REDIS_PASSWORD:   开启后配置redis的登陆密码  
# REDIS_DB_CELERY: 3
# REDIS_DB_CACHE: 4

# Use OpenID Authorization
# 使用 OpenID 进行认证设置
# AUTH_OPENID: False # True or False
# BASE_SITE_URL: None
# AUTH_OPENID_CLIENT_ID: client-id
# AUTH_OPENID_CLIENT_SECRET: client-secret
# AUTH_OPENID_PROVIDER_ENDPOINT: https://op-example.com/
# AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT: https://op-example.com/authorize
# AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT: https://op-example.com/token
# AUTH_OPENID_PROVIDER_JWKS_ENDPOINT: https://op-example.com/jwks
# AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT: https://op-example.com/userinfo
# AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT: https://op-example.com/logout
# AUTH_OPENID_PROVIDER_SIGNATURE_ALG: HS256
# AUTH_OPENID_PROVIDER_SIGNATURE_KEY: None
# AUTH_OPENID_SCOPES: "openid profile email"
# AUTH_OPENID_ID_TOKEN_MAX_AGE: 60
# AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS: True
# AUTH_OPENID_USE_STATE: True
# AUTH_OPENID_USE_NONCE: True
# AUTH_OPENID_SHARE_SESSION: True
# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
# AUTH_OPENID_ALWAYS_UPDATE_USER: True

# Use Radius authorization
# 使用Radius来认证
# AUTH_RADIUS: false
# RADIUS_SERVER: localhost
# RADIUS_PORT: 1812
# RADIUS_SECRET: 

# CAS 配置
# AUTH_CAS': False,
# CAS_SERVER_URL': "http://host/cas/",
# CAS_ROOT_PROXIED_AS': 'http://jumpserver-host:port',  
# CAS_LOGOUT_COMPLETELY': True,
# CAS_VERSION': 3,

# LDAP/AD settings
# LDAP 搜索分页数量
# AUTH_LDAP_SEARCH_PAGED_SIZE: 1000
#
# 定时同步用户
# 启用 / 禁用
# AUTH_LDAP_SYNC_IS_PERIODIC: True
# 同步间隔 (单位: 时) (优先）
# AUTH_LDAP_SYNC_INTERVAL: 12
# Crontab 表达式
# AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
#
# LDAP 用户登录时仅允许在用户列表中的用户执行 LDAP Server 认证
# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
#
# LDAP 认证时如果日志中出现以下信息将参数设置为 0 (详情参见：https://www.python-ldap.org/en/latest/faq.html)
# In order to perform this operation a successful bind must be completed on the connection
# AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1

# OTP settings
# OTP/MFA 配置
# OTP_VALID_WINDOW: 0
# OTP_ISSUER_NAME: Jumpserver

# Perm show single asset to ungrouped node
# 是否把未授权节点资产放入到 未分组 节点中
# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: False
#
# 同一账号仅允许在一台设备登录
# USER_LOGIN_SINGLE_MACHINE_ENABLED: False
#
# 启用定时任务
# PERIOD_TASK_ENABLED: True
#
# Windows 登录跳过手动输入密码
# WINDOWS_SKIP_ALL_MANUAL_PASSWORD: False

# 是否开启 Luna 水印
# SECURITY_WATERMARK_ENABLED: False

# 健康检查的token，默认是空
# HEALTH_CHECK_TOKEN: ''

# 浏览器关闭页面后，会话过期
# SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE: False

# 每次api请求，session续期
# SESSION_SAVE_EVERY_REQUEST: True

# 硬盘检查
# DISK_CHECK_ENABLED: True

# 仅允许用户从来源处登录
# ONLY_ALLOW_AUTH_FROM_SOURCE: False

# 仅允许已存在的用户登录，不允许第三方认证后，自动创建用户
# ONLY_ALLOW_EXIST_USER_AUTH: False

处理国际化

rm -f apps/locale/zh/LC_MESSAGES/django.mo
python apps/manage.py compilemessages

启动core
后台运行可以加 -d，./jms start -d

./jms start

启动成功后效果
在这里插入图片描述

文章参考：https://www.pythonf.cn/read/100015
部署完core 退出venv环境继续下面组件部署

部署Lina

安装、解压nodejs

wget http://8.210.62.122/jumpserver/node-v12.20.0-linux-x64.tar.xz
tar xf node-v12.20.0-linux-x64.tar.xz -C /usr/local
cd /usr/local
mv node-v12.20.0-linux-x64 node

配置nodejs环境变量

[root@jumpserver local]# cat /etc/profile.d/node.sh 
export NODE_HOME=/usr/local/node
export PATH=$NODE_HOME/bin:$PATH

source /etc/profile.d/node.sh

下载Lina

wget http://8.210.62.122/jumpserver/lina-2.15.3.tar.gz

解压lina

tar xf lina-2.15.3.tar.gz -C /opt

安装依赖

cd /opt/lina-2.15.3
npm config set sass_binary_site https://npm.taobao.org/mirrors/node-sass
npm config set registry https://registry.npm.taobao.org
npm install -g yarn
yarn config set registry https://registry.npm.taobao.org
yarn install

修改lina的配置文件

vim .env.development
# 全局环境变量 请勿随意改动
ENV = 'development'

# base api
VUE_APP_BASE_API = ''
VUE_APP_PUBLIC_PATH = '/ui/'

# vue-cli uses the VUE_CLI_BABEL_TRANSPILE_MODULES environment variable,
# to control whether the babel-plugin-dynamic-import-node plugin is enabled.
# It only does one thing by converting all import() to require().
# This configuration can significantly increase the speed of hot updates,
# when you have a large number of pages.
# Detail:  https://github.com/vuejs/vue-cli/blob/dev/packages/@vue/babel-preset-app/index.js

VUE_CLI_BABEL_TRANSPILE_MODULES = true

# External auth
VUE_APP_LOGIN_PATH = '/core/auth/login/'
VUE_APP_LOGOUT_PATH = '/core/auth/logout/'


# Dev server for core proxy
VUE_APP_CORE_HOST = 'http://localhost:8080/' #修改成 Core 的 url 地址 **localhost修改为域名 后面stmp邮件发送回以这个域名，如果是localhost，客户将无法打开链接。  如果没改 云服务器记得开放8080安全组**
VUE_APP_CORE_WS = 'http://localhost:8070/' #localhost修改为域名 
VUE_APP_ENV = 'development'

如果只是调试则使用如下命令运行，运行成功后会显示临时地址和端口号进行访问lina前端

yarn serve

如果是构建lina，使用如下命令进行编译生成lina包，直接和nginx部署

yarn build:prod

在这里插入图片描述

mv lina /opt

编译完成后在目录下面会生成lina文件夹，配合jumpserver.conf的lina配置部分进行配置即可，配置如下

server {
  listen 80;

  gzip on;
  gzip_min_length 1k;
  gzip_buffers 4 16k;
  #gzip_http_version 1.0;
  gzip_comp_level 8;
  gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
  gzip_vary off;
  gzip_static on;
  gzip_disable "MSIE [1-6].";

  location /ui/ {
    try_files $uri / /ui/index.html;
    alias /opt/lina/;
  }

  location / {
      rewrite ^/(.*)$ /ui/$1 last;
  }
}

部署Luna

下载luna

wget http://8.210.62.122/jumpserver/luna-2.15.3.tar.gz

解压

tar xf luna-2.15.3.tar.gz -C /opt

安装依赖

cd /opt/luna-2.15.3
npm install
npm install --dev
npm rebuild node-sass

修改配置文件

cp proxy.conf.json proxy.conf.json.bak
[root@jumpserver luna-2.15.3]# cat proxy.conf.json
{
  "/koko": {
    "target": "http://localhost:5000",  # KoKo 地址 分开部署时配置其他服务器的ip
    "secure": false,
    "ws": true
  },
  "/media/": {
    "target": "http://localhost:8080",  # Core 地址   生产使用配置域名  测试用公网ip
    "secure": false,
    "changeOrigin": true
  },
  "/api/": {
    "target": "http://localhost:8080",  # Core 地址  生产使用配置域名  测试用公网ip
    "secure": false,                    # https ssl 需要开启
    "changeOrigin": true
  },
  "/core": {
    "target": "http://localhost:8080",  # Core 地址  生产使用配置域名  测试用公网ip
    "secure": false,
    "changeOrigin": true
  },
  "/static": {
    "target": "http://localhost:8080",  # Core 地址  生产使用配置域名  测试用公网ip
    "secure": false,
    "changeOrigin": true
  },
  "/lion": {
    "target": "http://localhost:9529",  # Lion 地址 分开部署时配置其他服务器的ip
    "secure": false,
    "pathRewrite": {
      "^/lion/monitor": "/monitor"
    },
    "ws": true,
    "changeOrigin": true
  },
  "/omnidb": {
    "target": "http://localhost:8082",
    "secure": false,
    "ws": true,
    "changeOrigin": true
  }
}

同lina一样，如果只是调试运行，运行如下命令：

npm install -g @angular/cli #选YES
ng servre #直接执行会报错

在这里插入图片描述
如果是构建luna，则运行如下命令

ng build --prod

在这里插入图片描述
缺少这个模块，手动下载

npm install crypto-js
再次构建
ng build --prod

在这里插入图片描述

[root@jumpserver luna-2.15.3]# cat nginx.conf 
server {
  listen 80;

  location /luna/ {
    try_files $uri / /index.html;
    alias /opt/luna/;
  }
}

部署Koko

安装、解压go

wget http://8.210.62.122/jumpserver/go1.15.linux-amd64.tar.gz
tar -xf go1.15.linux-amd64.tar.gz -C /usr/local/

配置go环境变量

[root@jumpserver luna-2.15.3]# cat /etc/profile.d/go.sh 
export GO_HOME=/usr/local/go
export PATH=$GO_HOME/bin:$PATH

source /etc/profile.d/go.sh

下载、解压koko

wget http://8.210.62.122/jumpserver/koko-2.15.3.tar.gz
tar xf koko-2.15.3.tar.gz -C /opt

编译

/opt/koko-2.15.3
make

报错执行

go env -w GOPROXY=https://goproxy.cn,direct

重新编译

make clean
make

在这里插入图片描述
会在build目录下生成该文件

修改koko配置文件

tar xzf koko---linux-amd64.tar.gz
cd koko---linux-amd64
[root@jumpserver koko---linux-amd64]# pwd
/opt/koko-2.15.3/build/koko---linux-amd64
cp config_example.yml config.yml

[root@jumpserver koko---linux-amd64]# cat config.yml 
# 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
# NAME: 

# Jumpserver项目的url, api请求注册会使用
CORE_HOST: http://127.0.0.1:8080   # Core 的地址

# Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal
# 请和jumpserver 配置文件中保持一致，注册完成后可以删除
BOOTSTRAP_TOKEN: ********  # 和 Core config.yml 的值保持一致

# 启动时绑定的ip, 默认 0.0.0.0
BIND_HOST: 0.0.0.0

# 监听的SSH端口号, 默认2222
SSHD_PORT: 2222            # 使用 0.0.0.0:2222

# 监听的HTTP/WS端口号，默认5000
HTTPD_PORT: 5000           # 使用 0.0.0.0:5000

# 项目使用的ACCESS KEY, 默认会注册,并保存到 ACCESS_KEY_STORE中,
# 如果有需求, 可以写到配置文件中, 格式 access_key_id:access_key_secret
# ACCESS_KEY: null

# ACCESS KEY 保存的地址, 默认注册后会保存到该文件中
# ACCESS_KEY_FILE: data/keys/.access_key

# 设置日志级别 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
LOG_LEVEL: DEBUG           # 开发建议设置 DEBUG, 生产环境推荐使用 ERROR

# SSH连接超时时间 (default 15 seconds)
# SSH_TIMEOUT: 15

# 语言 [en,zh]
# LANGUAGE_CODE: zh

# SFTP的根目录, 可选 /tmp, Home其他自定义目录
# SFTP_ROOT: /tmp

# SFTP是否显示隐藏文件
# SFTP_SHOW_HIDDEN_FILE: false

# 是否复用和用户后端资产已建立的连接(用户不会复用其他用户的连接)
# REUSE_CONNECTION: true

# 资产加载策略, 可根据资产规模自行调整. 默认异步加载资产, 异步搜索分页; 如果为all, 则资产全部加载, 本地搜索分页.
# ASSET_LOAD_POLICY:

# zip压缩的最大额度 (单位: M)
# ZIP_MAX_SIZE: 1024M

# zip压缩存放的临时目录 /tmp
# ZIP_TMP_PATH: /tmp

# 向 SSH Client 连接发送心跳的时间间隔 (单位: 秒)，默认为30, 0则表示不发送
# CLIENT_ALIVE_INTERVAL: 30

# 向资产发送心跳包的重试次数，默认为3
# RETRY_ALIVE_COUNT_MAX: 3

# 会话共享使用的类型 [local, redis], 默认local
# SHARE_ROOM_TYPE: local

# Redis配置
# REDIS_HOST: 127.0.0.1      # 如果需要部署多个 koko, 需要通过 redis 来保持会话
# REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_CLUSTERS:
# REDIS_DB_ROOM:
# 是否开启本地转发 (目前仅对 vscode remote ssh 有效果)
# ENABLE_LOCAL_PORT_FORWARD: false

# 是否开启 针对 vscode 的 remote-ssh 远程开发支持 (前置条件: 必须开启 ENABLE_LOCAL_PORT_FORWARD )
# ENABLE_VSCODE_SUPPORT: false

启动koko
后台运行可以加 -d，./koko -d

./koko

在这里插入图片描述

部署Lion

Lion 使用了 Apache 软件基金会的开源项目 Guacamole，JumpServer 使用 Golang 和 Vue 重构了 Guacamole 实现 RDP/VNC 协议跳板机功能。

下载、解压guacamole-server

wget http://8.210.62.122/jumpserver/guacamole-server-1.3.0.tar.gz
tar xf guacamole-server-1.3.0.tar.gz -C /opt

下载依赖

yum -y localinstall --nogpgcheck https://mirrors.aliyun.com/rpmfusion/free/el/rpmfusion-free-release-7.noarch.rpm
yum install -y cairo-devel libjpeg-turbo-devel libpng-devel libtool uuid-devel
yum install -y ffmpeg-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel libwebsockets-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel

构建 guacd

./configure --with-init-dir=/etc/init.d
make
make install
ldconfig

如果希望使用 systemd 管理, 可以使用 ./configure --with-systemd-dir=/etc/systemd/system/

./configure --with-systemd-dir=/etc/systemd/system/
make
make install
systemctl daemon-reload

下载、解压lion

wget http://8.210.62.122/jumpserver/lion-v2.15.3-linux-amd64.tar.gz
tar xf lion-v2.15.3-linux-amd64.tar.gz -C /opt

修改lion配置文件

cd /opt/lion-v2.15.3-linux-amd64
cp config_example.yml config.yml

# 项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
# NAME: {{ Hostname }}

# Jumpserver项目的url, api请求注册会使用
CORE_HOST: http://127.0.0.1:8080

# Bootstrap Token, 预共享秘钥, 用来注册使用的service account和terminal
# 请和jumpserver 配置文件中保持一致，注册完成后可以删除
BOOTSTRAP_TOKEN: ********

# 启动时绑定的ip, 默认 0.0.0.0
# BIND_HOST: 0.0.0.0
BIND_HOST: 0.0.0.0

# 监听的HTTP/WS端口号，默认8081
# HTTPD_PORT: 8081
HTTPD_PORT: 8081

# 设置日志级别 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
# LOG_LEVEL: INFO
LOG_LEVEL: DEBUG

# Guacamole Server ip， 默认127.0.0.1
# GUA_HOST: 127.0.0.1

# Guacamole Server 端口号，默认4822
# GUA_PORT: 4822

# 会话共享使用的类型 [local, redis], 默认local
# SHARE_ROOM_TYPE: local

# Redis配置
# REDIS_HOST: 127.0.0.1
# REDIS_PORT: 6379
# REDIS_PASSWORD:
# REDIS_DB_ROOM:

启动Guacd服务

systemctl restart guacd
systemctl enable guacd

在这里插入图片描述

启动Lion

./lion

放到后台启动
在这里插入图片描述

部署Nginx

安装nginx

wget http://8.210.62.122/nginx/scripts/install_ngix.sh
bash install_ngix.sh
[root@jumpserver lion-v2.15.3-linux-amd64]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.20.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --sbin-path=/usr/local/nginx/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre
##可查看安装目录 配置文件目录

修改nginx.conf配置文件

[root@jumpserver conf]# cat nginx.conf |grep -Ev "^$|^*#"
user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log;
pid        /tmp/nginx/nginx.pid;
events {
    worker_connections  10240;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile       on;
    tcp_nopush     on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include /usr/local/nginx/conf/conf.d/*.conf;

修改jumpserver.conf配置文件

[root@jumpserver conf]# cat conf.d/jumpserver.conf 
server {
  listen 80;
  # server_name _;

  gzip on;
  gzip_min_length 1k;
  gzip_buffers 4 16k;
  #gzip_http_version 1.0;
  gzip_comp_level 8;
  gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
  gzip_vary off;
  gzip_static on;
  gzip_disable "MSIE [1-6].";

  client_max_body_size 5000m; #文件大小限制

  # Luna 配置
  location /luna/ {
    #proxy_pass http://luna:4200;
    try_files $uri / /index.html;
    alias /opt/dist/;
  }

  # Core data 静态资源
  location /media/replay/ {
    add_header Content-Encoding gzip;
    root /opt/jumpserver/data/;
  }

  location /media/ {
    root /opt/jumpserver/data/;
  }

  location /static/ {
    root /opt/jumpserver/data/;
  }

  # KoKo Lion 配置
  location /koko/ {
    proxy_pass       http://localhost:5000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  # lion 配置
  location /lion/ {
    proxy_pass http://localhost:8081;
    proxy_buffering off;
    proxy_request_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_ignore_client_abort on;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 6000;
  }

  # Core 配置
  location /ws/ {
    proxy_pass http://localhost:8070;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /api/ {
    proxy_pass http://localhost:8080;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  location /core/ {
    proxy_pass http://localhost:8080;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  # 前端 Lina
  location /ui/ {
#    proxy_pass http://localhost:9528;
#    proxy_set_header X-Real-IP $remote_addr;
#    proxy_set_header Host $host;
#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     try_files $uri / /ui/index.html;
     alias /opt/lina/;
  }

  location / {
    rewrite ^/(.*)$ /ui/$1 last;
  }
}

nginx 配置检查

[root@jumpserver conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
#创建nginx命令软连接
ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

由于nginx.cof中pid目录不存在

mkdir /tmp/nginx

启动nginx

systemctl restart nginx

在这里插入图片描述
文章参考：https://www.jianshu.com/p/5a583c67e8aa
文章参考：https://blog.csdn.net/IT_ZRS/article/details/120587671
文章参考：https://www.jianshu.com/p/5a583c67e8aa
文章参考：https://blog.csdn.net/IT_ZRS/article/details/120587671
文章参考：https://blog.csdn.net/u013896064/article/details/122919250
文章参考：https://www.pythonf.cn/read/100015
文章参考：https://blog.csdn.net/weixin_38623994/article/details/106920048