JumpServer 是一款开源的堡垒机系统,用于公司内部服务器的安全访问管理。它提供了跳板机、SSH 等多种服务的管理和控制,并具备审计、鉴权、日志记录等功能,可以有效加强服务器的安全性。
下载文件
下载docker-compose.yml docker-compose-init-db.yml docker-compose-network.yml 到服务器的jms目录,路径随意。 修改docker-compose.yml文件名为docker-compose-jms.yml
获取KEY和TOKEN
新建文件token.sh,文件内容如下
#/bin/sh
if [ ! "$SECRET_KEY" ]; then
SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`;
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc;
echo $SECRET_KEY;
else
echo $SECRET_KEY;
fi
if [ ! "$BOOTSTRAP_TOKEN" ]; then
BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc;
echo $BOOTSTRAP_TOKEN;
else
echo $BOOTSTRAP_TOKEN;
fi执行该脚本文件拿到KEY和TOKEN
配置文件
新增文件.env
# 版本号可以自己根据项目的版本修改
VERSION=v3.7.2
# 构建参数, 支持 amd64/arm64/loong64
TARGETARCH=amd64
DOMAINS=xxx.xxx.com
# Compose
COMPOSE_PROJECT_NAME=jms
# COMPOSE_HTTP_TIMEOUT=3600
# DOCKER_CLIENT_TIMEOUT=3600
DOCKER_SUBNET=192.168.250.0/24
# 持久化存储
VOLUME_DIR=/data/jumpserver
# MySQL, 修改为你的外置 **数据库** 地址
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=数据库密码
DB_NAME=jumpserver
# Redis, 修改为你的外置 **Redis** 地址
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=REDIS密码
# Core, 修改 SECRET_KEY 和 BOOTSTRAP_TOKEN
SECRET_KEY=脚本执行获取的KEY
BOOTSTRAP_TOKEN=脚本执行获取的TOKEN
DEBUG=FALSE
LOG_LEVEL=ERROR
# Web
HTTP_PORT=443
SSH_PORT=2222
MAGNUS_MYSQL_PORT=33061
MAGNUS_MARIADB_PORT=33062
MAGNUS_REDIS_PORT=63790
# Xpack
RDP_PORT=3389
MAGNUS_POSTGRESQL_PORT=54320
MAGNUS_ORACLE_PORTS=30000-30010
##
# SECRET_KEY 保护签名数据的密匙, 首次安装请一定要修改并牢记, 后续升级和迁移不可更改, 否则将导致加密的数据不可解密。
# BOOTSTRAP_TOKEN 为组件认证使用的密钥, 仅组件注册时使用。组件指 koko、lion、magnus 等。MYSQL REDIS部署
新建文件docker-compose.yml
version: '3.1'
services:
mysql:
image: mysql
container_name: mysql
volumes:
- /data/mysql/data:/var/lib/mysql
- /data/mysql/mysql.cnf:/etc/my.cnf
environment:
MYSQL_ROOT_PASSWORD: 数据库ROOT密码
MYSQL_DATABASE: $DB_NAME
MYSQL_USER: $DB_USER
MYSQL_PASSWORD: $DB_PASSWORD
restart: always
ports:
- "3306:3306"
networks:
- net
redis:
image: redis:7.0.4
restart: always
container_name: redis
ports:
- 6379:6379
environment:
- TZ=Asia/Shanghai
volumes:
- /data/redis/data:/data/data
- /data/redis/conf:/usr/local/etc/redis
- /data/redis/logs:/data/logs
command: ["redis-server","/usr/local/etc/redis/redis.conf"]
networks:
- net数据库和REDIS配置文件请参考之前文章。 启动
docker-compose -f docker-compose-network.yml -f docker-compose.yml up -d初始化数据库
docker-compose -f docker-compose-network.yml -f docker-compose-init-db.yml up -d配置dumpserver
修改docker-compose-jms.yml最后一个web服务配置如下
web:
image: jumpserver/web:${VERSION}
container_name: jms_web
restart: always
tty: true
depends_on:
core:
condition: service_healthy
healthcheck:
test: "curl -fsL http://localhost/ > /dev/null"
interval: 10s
timeout: 5s
retries: 3
start_period: 10s
volumes:
- ${VOLUME_DIR}/core/data:/opt/jumpserver/data
- ${VOLUME_DIR}/nginx/data/logs:/var/log/nginx
- ${VOLUME_DIR}/nginx/conf.d:/etc/nginx/conf.d
- ${VOLUME_DIR}/nginx/cert:/etc/nginx/cert/
ports:
- ${HTTP_PORT:-443}:${HTTP_PORT:-443}
networks:
- net在${VOLUME_DIR}/nginx/conf.d 文件夹新增nginx配置文件default.conf
server {
listen 443;
server_name xxx.xxx.com;
access_log /var/log/nginx/xxx.access.log main;
error_log /var/log/nginx/xxx.error.log notice;
ssl on;
ssl_certificate /etc/nginx/cert/xxx.xxx.com_bundle.crt;
ssl_certificate_key /etc/nginx/cert/xxx.xxx.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
client_max_body_size 5000m;
location /player/ {
try_files $uri / /;
alias /opt/player/;
}
location /ui/ {
try_files $uri / /;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /;
alias /opt/luna/;
}
location /download/ {
alias /opt/download/;
}
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
include includes/*.conf;
}启动
docker-compose -f docker-compose-network.yml -f docker-compose-jms.yml up -d在浏览器打开并登录,默认账号密码为admin/admin
客户端
下载地址:https://xxx.xxx.com/core/download/ 选择适合你的操作系统版本。 安装并打开客户端,选择SecureCRT为默认客户端 
在jumpserver开启双因子验证 
SecureCRT新建SESSION开启双因子验证 
登录堡垒机效果如下 
评论