如何搭建jumpserver堡垒机？

一、准备环境
$ firewall-cmd --zone=public --add-port=80/tcp --permanent # nginx 端口
$ firewall-cmd --zone=public --add-port=2222/tcp --permanent # 用户SSH登录端口 coco

$ firewall-cmd --reload # 重新载入规则

$ setenforce 0
$ sed -i "s/enforcing/disabled/g" /etc/selinux/config

#修改字符集,否则可能报 input/output error的问题,因为日志里打印了中文
$ localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
$ export LC_ALL=zh_CN.UTF-8
$ echo ‘LANG="zh_CN.UTF-8"‘ > /etc/locale.conf

二、准备python3.6
$ yum -y install wget gcc epel-release git
$ yum -y install python36 python36-devel
$ cd /opt
$ python3.6 -m venv py3
$ source /opt/py3/bin/activate
$ cd /opt
$ git clone https://github.com/kennethreitz/autoenv.git
$ echo ‘source /opt/autoenv/activate.sh‘ >> ~/.bashrc
$ source ~/.bashrc
$ echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
$ echo "source /opt/py3/bin/activate" > /opt/coco/.env
三、安装jumpserver
$ cd /opt/jumpserver/requirements
$ yum -y install $(cat rpm_requirements.txt)
$ pip install --upgrade pip setuptools
$ pip install -r requirements.txt
$ cd /opt/jumpserver
$ cp config_example.py config.py
$ vi config.py
#加密秘钥 生产环境中请修改为随机字符串，请勿外泄
SECRET_KEY = ‘2vym+ky!997d5kkcc64mnz06y1mmui3lut#(^wd=%s_qj$1%x‘
#预共享Token coco和guacamole用来注册服务账号，不在使用原来的注册接受机制
BOOTSTRAP_TOKEN = ‘nwv4RdXpM82LtSvmV‘
DEBUG = False
LOG_LEVEL = ‘ERROR‘
LOG_DIR = os.path.join(BASE_DIR, ‘logs‘)
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
DB_ENGINE = ‘mysql‘
DB_HOST = ‘127.0.0.1‘
DB_PORT = 3306
DB_USER = ‘jumpserver‘
DB_PASSWORD = ‘123456‘
DB_NAME = ‘jumpserver‘
HTTP_BIND_HOST = ‘0.0.0.0‘
HTTP_LISTEN_PORT = 8080
REDIS_HOST = ‘127.0.0.1‘
REDIS_PORT = 6379
#每行前面要对齐
四、安装redis
$ yum -y install redis
$ systemctl enable redis
$ systemctl start redis
五、安装mysql
yum -y install mysql mysql-server
mysql_secure_installation
$ mysql -uroot -p

create database jumpserver default charset ‘utf8‘;
grant all on jumpserver.* to ‘jumpserver‘@‘127.0.0.1‘ identified by ‘123456‘;
flush privileges;
quit

六、安装coco
$ cd /opt/coco/
$ cd requirements
$ yum -y install $(cat rpm_requirements.txt)
$ pip install -r requirements.txt
$ cd /opt/coco
$ mkdir keys logs
$ cp conf_example.py conf.py # 如果 coco 与 jumpserver 分开部署,请手动修改 conf.py
$ vi conf.py
#项目名称, 会用来向Jumpserver注册, 识别而已, 不能重复
NAME = "coco"
CORE_HOST = ‘http://127.0.0.1:8080‘
#Bootstrap Token, 预共享秘钥, 用来注册coco使用的service account和terminal
#请和jumpserver 配置文件中保持一致，注册完成后可以删除
BOOTSTRAP_TOKEN = "nwv4RdXpM82LtSvmV"
LOG_LEVEL = ‘ERROR‘
#每行前面要对齐
七、安装luna
$ cd /opt
$ wget https://github.com/jumpserver/luna/releases/download/1.4.6/luna.tar.gz
$ tar xf luna.tar.gz
$ chown -R root:root luna

八、安装guacamole
$ mkdir /usr/local/lib/freerdp/
$ ln -s /usr/local/lib/freerdp /usr/lib64/freerdp
$ rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
$ rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
$ yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm

$ yum install -y java-1.8.0-openjdk libtool
$ yum install -y cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel
$ yum install -y ffmpeg-devel freerdp-devel freerdp-plugins pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel ghostscript

$ cd /opt
$ git clone https://github.com/jumpserver/docker-guacamole.git
$ cd /opt/docker-guacamole/
$ tar -xf guacamole-server-0.9.14.tar.gz
$ cd guacamole-server-0.9.14
$ autoreconf -fi
$ ./configure --with-init-dir=/etc/init.d
$ make && make install
$ cd ..
$ rm -rf guacamole-server-0.9.14
$ ldconfig
$ export JUMPSERVER_SERVER=http://127.0.0.1:8080 # http://127.0.0.1:8080 指 jumpserver 访问地址
$ echo "export JUMPSERVER_SERVER=http://127.0.0.1:8080" >> ~/.bashrc

#BOOTSTRAP_TOKEN 为 Jumpserver/config.py 里面的 BOOTSTRAP_TOKEN
$ export BOOTSTRAP_TOKEN=nwv4RdXpM82LtSvmV
$ echo "export BOOTSTRAP_TOKEN=nwv4RdXpM82LtSvmV" >> ~/.bashrc
$ export JUMPSERVER_KEY_DIR=/config/guacamole/keys
$ echo "export JUMPSERVER_KEY_DIR=/config/guacamole/keys" >> ~/.bashrc
$ export GUACAMOLE_HOME=/config/guacamole
$ echo "export GUACAMOLE_HOME=/config/guacamole" >> ~/.bashrc
$ /etc/init.d/guacd start

九、安装tomcat
$ mkdir -p /config/guacamole /config/guacamole/lib /config/guacamole/extensions # 创建 guacamole 目录
$ ln -sf /opt/docker-guacamole/guacamole-auth-jumpserver-0.9.14.jar /config/guacamole/extensions/guacamole-auth-jumpserver-0.9.14.jar
$ ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties # guacamole 配置文件

$ cd /config
$ wget http://mirror.bit.edu.cn/apache/tomcat/tomcat-8/v8.5.35/bin/apache-tomcat-8.5.35.tar.gz
$ tar xf apache-tomcat-8.5.35.tar.gz
$ rm -rf apache-tomcat-8.5.35.tar.gz
$ mv apache-tomcat-8.5.35 tomcat8
$ rm -rf /config/tomcat8/webapps/*
$ ln -sf /opt/docker-guacamole/guacamole-0.9.14.war /config/tomcat8/webapps/ROOT.war # guacamole client
$ sed -i ‘s/Connector port="8080"/Connector port="8081"/g‘ /config/tomcat8/conf/server.xml # 修改默认端口为 8081
$ sed -i ‘s/FINE/WARNING/g‘ /config/tomcat8/conf/logging.properties # 修改 log 等级为 WARNING

$ cd /config
$ wget https://github.com/ibuler/ssh-forward/releases/download/v0.0.5/linux-amd64.tar.gz
$ tar xf linux-amd64.tar.gz -C /bin/
$ chmod +x /bin/ssh-forward

$ sh /config/tomcat8/bin/startup.sh

十、整合nginx
$ yum install nginx -y
$ rm -rf /etc/nginx/conf.d/default.conf
$ systemctl enable nginx
$ vi etc/nginx/nginx.conf
include /etc/nginx/conf.d/jumpserver.conf; #在}前加入这句
$ vi /etc/nginx/conf.d/jumpserver.conf
server {
listen 80; # 代理端口,以后将通过此端口进行访问,不再通过8080端口
#server_name demo.jumpserver.org; # 修改成你的域名或者注释掉

client_max_body_size 100m;  # 录像及文件上传大小限制

location /luna/ {
    try_files $uri / /index.html;
    alias /opt/luna/;  # luna 路径,如果修改安装目录,此处需要修改
}

location /media/ {
    add_header Content-Encoding gzip;
    root /opt/jumpserver/data/;  # 录像位置,如果修改安装目录,此处需要修改
}

location /static/ {
    root /opt/jumpserver/data/;  # 静态资源,如果修改安装目录,此处需要修改
}

location /socket.io/ {
    proxy_pass       http://localhost:5000/socket.io/;  # 如果coco安装在别的服务器,请填写它的ip
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    access_log off;
}

location /coco/ {
    proxy_pass       http://localhost:5000/coco/;  # 如果coco安装在别的服务器,请填写它的ip
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    access_log off;
}

location /guacamole/ {
    proxy_pass       http://localhost:8081/;  # 如果guacamole安装在别的服务器,请填写它的ip
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    access_log off;
}

location / {
    proxy_pass http://localhost:8080;  # 如果jumpserver安装在别的服务器,请填写它的ip
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

}
$ nginx -t
$ systemctl start nginx
$ systemctl enable nginx
或者which nginx
$ /usr/sbin/nginx

十一、启动所有服务

$ sh /config/tomcat8/bin/startup.sh
$ /etc/init.d/guacd start
$ cd /opt/jumpserver
$ ./jms start all -d
$ cd /opt/coco
$ ./cocod start -d

十二、web配置jumpserver

注意：
用xshell如何登陆jumpserver后台：
ssh [email protected] 2222

如何重新注册gualcd
$ /etc/init.d/guacd stop
$ sh /config/tomcat8/bin/shutdown.sh
$ rm -rf /config/guacamole/keys/*
$ /etc/init.d/guacd start
$ sh /config/tomcat8/bin/startup.sh

如何重新注册cocod
$ cd /opt/coco && ./cocod stop
$ rm /opt/coco/keys/.access_key # coco, 如果你是按文档安装的,key应该在这里,如果不存在key文件直接下一步
$ ./cocod start -d # 正常运行后到Jumpserver 会话管理-终端管理 里面接受coco注册

原文地址：http://blog.51cto.com/hzcto/2343760