官方文档地址:https://docs.jumpserver.org/zh/master/install/step_by_step/
Jumpserver 对外需要开放 80 和 2222 端口,如果你配置了 ssl 还需要开放 443 端口, 8080 端口开放给 koko 和 guacamole 组件访问
安全组放行端口:80,443,2222
- 安装依赖报错的坑
在文档中的5. 安装编译环境依赖这一步,安装依赖时有可能会报错,有些依赖包安装不了
解决办法:yum -y install python36-devel
因为当初在安装python3环境的时候,使用的是如下的安装方式:yum -y install python36,安装的是3.6.8的版本。
为了避免出现安装依赖报错的问题,可以直接这样做:
yum -y install python36 python36-devel
- 使用docker方式安装KoKo 组件和Guacamole 组件,在web界面里的会话管理-终端管理中不显示的问题
这是因为在config.yml文件中配置的监听地址HTTP_BIND_HOST是127.0.0.1,同时呢,使用docker安装这俩组件时配置的CORE_HOST地址也是127.0.0.1,才导致这俩组件无法注册的
解决办法:
1.先停止jms,然后修改config.yml文件中配置的监听地址HTTP_BIND_HOST填写0.0.0.0 (或者填写私网ip),然后再启动 (地址绝不能是127.0.0.1)
2.在docker管理中停止并删除这俩组件,然后修改docker安装这俩组件时配置的CORE_HOST地址填写公网IP或私网IP,然后再启动 (地址绝不能是127.0.0.1)
地址对应关系如下
- nginx代理访问
注意:使用的端口号根据自己的实际情况来定
vim /etc/nginx/conf.d/jumpserver.conf
server {
listen 80;
server_name demo.jumpserver.org; # 自行修改成你的域名
client_max_body_size 100m; # 录像及文件上传大小限制
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改
}
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
nginx ssl访问
server {
listen 80;
server_name demo.jumpserver.org; # 自行修改成你的域名
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name demo.jumpserver.org; # 自行修改成你的域名
ssl_certificate /etc/nginx/sslkey/1_jumpserver.org_bundle.crt; # 自行设置证书
ssl_certificate_key /etc/nginx/sslkey/2_jumpserver.org.key; # 自行设置证书
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # 自行替换成你证书支持的加密套件
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # 支持的协议
ssl_prefer_server_ciphers on;
client_max_body_size 100m; # 录像及文件上传大小限制
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 录像位置, 如果修改安装目录, 此处需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 静态资源, 如果修改安装目录, 此处需要修改
}
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_pass http://localhost:8070;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /api/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8080;
}
location /core/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8080;
}
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}