總體介紹:
Jumpserver是全球首款完全開源的堡壘機,使用GNU GPL v2.0開源協議,是符合4A的專業運維審計系統;
Jumpserver使用Python/Django進行開發,遵循Web 2.0規范,配備了業界領先的Web Terminal解決方案,交互界面美觀、用戶體驗好;
Jumpserver采納分布式架構,支持多機房跨區域部署,中心節點提高API,個機房部署登錄節點,可橫向擴展、無並發訪問限制;
Jumpserver現已支持管理SSH、Telnet、RDP、VNC協議資產。
特色優勢:
- 開源:零門檻,線上快速獲取和安裝;
- 分布式:輕松支持大規模並發訪問;
- 無插件:僅需瀏覽器,極致的Web Terminal 使用體驗;
- 多雲支持:一套系統,同時管理不同雲上面的資產;
- 雲端存儲:審計錄像雲端存儲,永不丟失;
- 多租戶:一套系統,多個子公司和部門同時使用。
功能列表:
| 身份認證 Authentication |
登錄認證 | 資源統一登錄與認證 |
| LDAP/AD 認證 | ||
| RADIUS 認證 | ||
| OpenID 認證(實現單點登錄) | ||
| CAS 認證 (實現單點登錄) | ||
| MFA認證 | MFA 二次認證(Google Authenticator) | |
| RADIUS 二次認證 | ||
| 登錄復核(X-PACK) | 用戶登錄行為受管理員的監管與控制 | |
| 賬號管理 Account |
集中賬號 | 管理用戶管理 |
| 系統用戶管理 | ||
| 統一密碼 | 資產密碼托管 | |
| 自動生成密碼 | ||
| 自動推送密碼 | ||
| 密碼過期設置 | ||
| 批量改密(X-PACK) | 定期批量改密 | |
| 多種密碼策略 | ||
| 多雲納管(X-PACK) | 對私有雲、公有雲資產自動統一納管 | |
| 收集用戶(X-PACK) | 自定義任務定期收集主機用戶 | |
| 密碼匣子(X-PACK) | 統一對資產主機的用戶密碼進行查看、更新、測試操作 | |
| 授權控制 Authorization |
多維授權 | 對用戶、用戶組、資產、資產節點、應用以及系統用戶進行授權 |
| 資產授權 | 資產以樹狀結構進行展示 | |
| 資產和節點均可靈活授權 | ||
| 節點內資產自動繼承授權 | ||
| 子節點自動繼承父節點授權 | ||
| 應用授權 | 實現更細粒度的應用級授權 | |
| MySQL 數據庫應用、RemoteApp 遠程應用(X-PACK) | ||
| 動作授權 | 實現對授權資產的文件上傳、下載以及連接動作的控制 | |
| 時間授權 | 實現對授權資源使用時間段的限制 | |
| 特權指令 | 實現對特權指令的使用(支持黑白名單) | |
| 命令過濾 | 實現對授權系統用戶所執行的命令進行控制 | |
| 文件傳輸 | SFTP 文件上傳/下載 | |
| 文件管理 | 實現 Web SFTP 文件管理 | |
| 工單管理(X-PACK) | 支持對用戶登錄請求行為進行控制 | |
| 組織管理(X-PACK) | 實現多租戶管理與權限隔離 | |
| 安全審計 Audit |
操作審計 | 用戶操作行為審計 |
| 會話審計 | 在線會話內容審計 | |
| 歷史會話內容審計 | ||
| 錄像審計 | 支持對 Linux、Windows 等資產操作的錄像進行回放審計 | |
| 支持對 RemoteApp(X-PACK)、MySQL 等應用操作的錄像進行回放審計 | ||
| 指令審計 | 支持對資產和應用等操作的命令進行審計 | |
| 文件傳輸 | 可對文件的上傳、下載記錄進行審計 |
安裝環境准備:
1、jumpserver運行環境:
硬件配置:2C4G,50GSSD(最低)
操作系統centos 7.6
Python = 3.6.x
Mysql Server ≥ 5.6
Mariadb Server ≥ 5.5.56
Redis
2、關閉防火牆與selinux
[root@jumpserver centos]# systemctl stop firewalld [root@jumpserver centos]# systemctl disable firewalld [root@jumpserver centos]# setenforce 0
3、准備Python3和Python虛擬環境
最新的jumpserver環境依賴於Python3
安裝依賴包:
[root@jumpserver centos]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel opel-release git # 下載python3 編譯 安裝 [root@jumpserver centos]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz [root@jumpserver centos]# tar xf Python-3.6.1.tar.xz && cd Python-3.6.1 [root@jumpserver centos]# ./configure && make && make install
建立Python虛擬環境:
CentOS 7 自帶的是python2,而yum等工具依賴原來單獨python,為了不擾亂原來等環境我們來使用Python虛擬環境
[root@jumpserver ~]# cd /opt/ [root@jumpserver opt]# python3 -m venv py3 [root@jumpserver opt]# source /opt/py3/bin/activate # 看到下面的提示符代表成功,以后運行jumpserver都要先運行以上source命令,以下所有命令均在虛擬環境中運行 (py3) [root@jumpserver opt]#
自動載入python虛擬環境配置,此項僅為懶癌晚期的人員使用,防止運行Jumpserver時忘記載入Python虛擬環境導致程序無法運行。使用autoenv
(py3) [root@jumpserver opt]# git clone git://github.com/kennethreitz/autoenv.git (py3) [root@jumpserver opt]# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc (py3) [root@jumpserver opt]# source ~/.bashrc
安裝Jumpserver
下載或clone項目
下載:
(py3) [root@jumpserver opt]# wget -O jumpserver.tar.gz https://github.com/jumpserver/jumpserver/archive/2.0.1.tar.gz (py3) [root@jumpserver opt]# tar xf jumpserver.tar.gz (py3) [root@jumpserver opt]# mv jumpserver-2.0.1 jumpserver
clone項目:
(py3) [root@jumpserver opt]# git clone https://github.com/jumpserver/jumpserver.git && cd jumpserver (py3) [root@jumpserver jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env #進入jumpserver目錄時將自動載入python虛擬環境
安裝編譯環境依賴:
(py3) [root@jumpserver jumpserver]# cd requirements/ # 首次進入 jumpserver 文件夾會有提示,按 y 即可 Are you sure you want to allow this? (y/N) y # 安裝 依賴RPM包 (py3) [root@jumpserver requirements]# yum -y install $(cat rpm_requirements.txt) # 安裝Python庫依賴 (py3) [root@jumpserver requirements]# pip install -r requirements.txt
安裝Redis,Jumpserver使用Redis做cache和celery broke
(py3) [root@jumpserver requirements]# yum -y install redis (py3) [root@jumpserver requirements]# systemctl enable redis Created symlink from /etc/systemd/system/multi-user.target.wants/redis.service to /usr/lib/systemd/system/redis.service. (py3) [root@jumpserver requirements]# systemctl start redis
安裝Mysql:
(py3) [root@jumpserver requirements]# yum -y install mariadb mariadb-devel mariadb-server (py3) [root@jumpserver requirements]# systemctl enable mariadb Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service. (py3) [root@jumpserver requirements]# systemctl start mariadb
創建數據庫Jumpserver並授權:
(py3) [root@jumpserver requirements]# mysql Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 70762 Server version: 5.5.65-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> create database jumpserver default charset 'utf8'; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'%' identified by 'somepassword'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> flush privileges; Query OK, 0 rows affected (0.00 sec)
修改Jumpserver配置文件:
(py3) [root@jumpserver jumpserver]# cp config_example.yml config.yml (py3) [root@jumpserver jumpserver]# vim config.yml
# SECURITY WARNING: keep the secret key used in production secret! # 加密秘鑰 生產環境中請修改為隨機字符串,請勿外泄, 可使用命令生成 # cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo SECRET_KEY: W5Ic3fMXNZ0p5RIy5DhJYJllppTfcfkW8Yuf94VBMfpcssbfu # SECURITY WARNING: keep the bootstrap token used in production secret! # 預共享Token coco和guacamole用來注冊服務賬號,不在使用原來的注冊接受機制 BOOTSTRAP_TOKEN: 123qweasdzxc # Development env open this, when error occur display the full process track, Production disable it # DEBUG 模式 開啟DEBUG后遇到錯誤時可以看到更多日志 DEBUG: false # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/ # 日志級別 LOG_LEVEL: ERROR # LOG_DIR: # Session expiration setting, Default 24 hour, Also set expired on on browser close # 瀏覽器Session過期時間,默認24小時, 也可以設置瀏覽器關閉則過期 # SESSION_COOKIE_AGE: 86400 SESSION_EXPIRE_AT_BROWSER_CLOSE: true # Database setting, Support sqlite3, mysql, postgres .... # 數據庫設置 # See https://docs.djangoproject.com/en/1.10/ref/settings/#databases # SQLite setting: # 使用單文件sqlite數據庫 # DB_ENGINE: sqlite3 # DB_NAME: # MySQL or postgres setting like: # 使用Mysql作為數據庫 DB_ENGINE: mysql DB_HOST: 127.0.0.1 DB_PORT: 3306 DB_USER: jumpserver DB_PASSWORD: rBi41SrDqlX4zsx9e1L0cqTP DB_NAME: jumpserver # When Django start it will bind this host and port # ./manage.py runserver 127.0.0.1:8080 # 運行時綁定端口 HTTP_BIND_HOST: 0.0.0.0 HTTP_LISTEN_PORT: 8080 WS_LISTEN_PORT: 8070 # Use Redis as broker for celery and web socket # Redis配置 REDIS_HOST: 127.0.0.1 REDIS_PORT: 6379 REDIS_PASSWORD: ZhYnLrodpmPncovxJTnRyiBs # REDIS_DB_CELERY: 3 # REDIS_DB_CACHE: 4 # Use OpenID authorization # 使用OpenID 來進行認證設置 # BASE_SITE_URL: http://localhost:8080 # AUTH_OPENID: false # True or False # AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/ # AUTH_OPENID_REALM_NAME: realm-name # AUTH_OPENID_CLIENT_ID: client-id # AUTH_OPENID_CLIENT_SECRET: client-secret # AUTH_OPENID_IGNORE_SSL_VERIFICATION: True # AUTH_OPENID_SHARE_SESSION: True # Use Radius authorization # 使用Radius來認證 # AUTH_RADIUS: false # RADIUS_SERVER: localhost # RADIUS_PORT: 1812 # RADIUS_SECRET: # CAS 配置 # AUTH_CAS': False, # CAS_SERVER_URL': "http://host/cas/", # CAS_ROOT_PROXIED_AS': 'http://jumpserver-host:port', # CAS_LOGOUT_COMPLETELY': True, # CAS_VERSION': 3, # LDAP/AD settings # LDAP 搜索分頁數量 # AUTH_LDAP_SEARCH_PAGED_SIZE: 1000 # # 定時同步用戶 # 啟用 / 禁用 # AUTH_LDAP_SYNC_IS_PERIODIC: True # 同步間隔 (單位: 時) (優先) # AUTH_LDAP_SYNC_INTERVAL: 12 # Crontab 表達式 # AUTH_LDAP_SYNC_CRONTAB: * 6 * * * # # LDAP 用戶登錄時僅允許在用戶列表中的用戶執行 LDAP Server 認證 # AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False # # LDAP 認證時如果日志中出現以下信息將參數設置為 0 (詳情參見:https://www.python-ldap.org/en/latest/faq.html) # In order to perform this operation a successful bind must be completed on the connection # AUTH_LDAP_OPTIONS_OPT_REFERRALS: -1 # OTP settings # OTP/MFA 配置 # OTP_VALID_WINDOW: 0 # OTP_ISSUER_NAME: Jumpserver # Perm show single asset to ungrouped node # 是否把未授權節點資產放入到 未分組 節點中 # PERM_SINGLE_ASSET_TO_UNGROUP_NODE: false # # 啟用定時任務 # PERIOD_TASK_ENABLE: True # # 啟用二次復合認證配置 # LOGIN_CONFIRM_ENABLE: False # # Windows 登錄跳過手動輸入密碼 WINDOWS_SKIP_ALL_MANUAL_PASSWORD: True # Default using Config settings, you can write if/else for different env class DevelopmentConfig(Config): DEBUG = True DB_ENGINE = 'mysql' DB_HOST = '127.0.0.1' DB_PORT = 3306 DB_USER = 'jumpserver' DB_PASSWORD = '123456' DB_NAME = 'jumpserver'config = DevelopmentConfig() # 增加上面的內容(一定要添加class這段,不然數據庫初始化數據的時候會報錯)
生成數據庫表結構和初始化數據:
(py3) [root@jumpserver jumpserver]# cd /opt/jumpserver/utils (py3) [root@jumpserver utils]# bash make_migrations.sh 2018-05-09 13:51:48 [signals_handler DEBUG] Receive django ready signal 2018-05-09 13:51:48 [signals_handler DEBUG] - fresh all settings Migrations for 'assets': /opt/jumpserver/apps/assets/migrations/0002_auto_20180509_1351.py --------------------中間省略 Running migrations: Applying assets.0001_initial... OK Applying assets.0002_auto_20180509_1351... OK Applying audits.0001_initial... OK Applying contenttypes.0001_initial... OK Applying contenttypes.0002_remove_content_type_name... OK Applying auth.0001_initial... OK Applying auth.0002_alter_permission_name_max_length... OK Applying auth.0003_alter_user_email_max_length... OK Applying auth.0004_alter_user_username_opts... OK Applying auth.0005_alter_user_last_login_null... OK Applying auth.0006_require_contenttypes_0002... OK Applying auth.0007_alter_validators_add_error_messages... OK Applying auth.0008_alter_user_username_max_length... OK Applying captcha.0001_initial... OK Applying common.0001_initial... OK Applying django_celery_beat.0001_initial... OK Applying django_celery_beat.0002_auto_20161118_0346... OK Applying django_celery_beat.0003_auto_20161209_0049... OK Applying django_celery_beat.0004_auto_20170221_0000... OK Applying django_celery_beat.0005_add_solarschedule_events_choices... OK Applying django_celery_beat.0006_auto_20180210_1226... OK Applying ops.0001_initial... OK Applying ops.0002_celerytask... OK Applying users.0001_initial... OK Applying users.0002_auto_20171225_1157... OK Applying users.0003_auto_20180509_1351... OK Applying perms.0001_initial... OK Applying perms.0002_auto_20180509_1351... OK Applying sessions.0001_initial... OK Applying terminal.0001_initial... OK Applying terminal.0002_auto_20180509_1351... OK
運行Jumpserver:
(py3) [root@jumpserver jumpserver]# ./jms start -d # 新版本更新了運行腳本。使用方式 ./jms start|stop|status|restart all -d 后台運行
部署KoKo組件
(py3) [root@jumpserver opt]# wget https://github.com/jumpserver/koko/releases/download/2.0.1/koko-master-linux-amd64.tar.gz (py3) [root@jumpserver opt]# tar -xf koko-master-linux-amd64.tar.gz (py3) [root@jumpserver opt]# chown -R root:root kokodir (py3) [root@jumpserver opt]# cd kokodir (py3) [root@jumpserver opt]# cp config_example.yml config.yml (py3) [root@jumpserver opt]# vi config.yml # BOOTSTRAP_TOKEN 需要從 jumpserver/config.yml 里面獲取, 保證一致
# 項目名稱, 會用來向Jumpserver注冊, 識別而已, 不能重復
# NAME: {{ Hostname }}
NAME: koko
# Jumpserver項目的url, api請求注冊會使用
CORE_HOST: http://127.0.0.1:8080
# Bootstrap Token, 預共享秘鑰, 用來注冊coco使用的service account和terminal
# 請和jumpserver 配置文件中保持一致,注冊完成后可以刪除
BOOTSTRAP_TOKEN: 123qweasdzxc
# 啟動時綁定的ip, 默認 0.0.0.0
# BIND_HOST: 0.0.0.0
# 監聽的SSH端口號, 默認2222
# SSHD_PORT: 2222
# 監聽的HTTP/WS端口號,默認5000
HTTPD_PORT: 5000
# 項目使用的ACCESS KEY, 默認會注冊,並保存到 ACCESS_KEY_STORE中,
# 如果有需求, 可以寫到配置文件中, 格式 access_key_id:access_key_secret
ACCESS_KEY: none
# ACCESS KEY 保存的地址, 默認注冊后會保存到該文件中
# ACCESS_KEY_FILE: data/keys/.access_key
# 設置日志級別 [DEBUG, INFO, WARN, ERROR, FATAL, CRITICAL]
# LOG_LEVEL: INFO
LOG_LEVEL: ERROR
# SSH連接超時時間 (default 15 seconds)
# SSH_TIMEOUT: 15
# 語言 [en,zh]
# LANG: zh
# SFTP的根目錄, 可選 /tmp, Home其他自定義目錄
# SFTP_ROOT: /tmp
# SFTP是否顯示隱藏文件
# SFTP_SHOW_HIDDEN_FILE: false
# 是否復用和用戶后端資產已建立的連接(用戶不會復用其他用戶的連接)
# REUSE_CONNECTION: true
# 資產加載策略, 可根據資產規模自行調整. 默認異步加載資產, 異步搜索分頁; 如果為all, 則資產全部加載, 本地搜索分頁.
# ASSET_LOAD_POLICY:
# zip壓縮的最大額度 (單位: M)
# ZIP_MAX_SIZE: 1024M
# zip壓縮存放的臨時目錄 /tmp
# ZIP_TMP_PATH: /tmp
# 向 SSH Client 連接發送心跳的時間間隔 (單位: 秒),默認為30, 0則表示不發送
# CLIENT_ALIVE_INTERVAL: 30
# 向資產發送心跳包的重試次數,默認為3
# RETRY_ALIVE_COUNT_MAX: 3
# 會話共享使用的類型 [local, redis], 默認local
# SHARE_ROOM_TYPE: local
SHARE_ROOM_TYPE: redis
# Redis配置
REDIS_HOST: 127.0.0.1
REDIS_PORT: 6379
REDIS_PASSWORD:
# REDIS_CLUSTERS:
REDIS_DB_ROOM:6
運行koko
(py3) [root@jumpserver kokodir]# ./koko -d (-d參數在后台運行)
部署Guacamole組件
(py3) [root@jumpserver opt]# wget -O /opt/guacamole.tar.gz https://github.com/jumpserver/docker-guacamole/archive/2.0.2.tar.gz (py3) [root@jumpserver opt]# tar -xf guacamole.tar.gz (py3) [root@jumpserver opt]# mv docker-guacamole-2.0.2 guacamole (py3) [root@jumpserver opt]# cd guacamole (py3) [root@jumpserver guacamole]# tar -xf guacamole-server-1.2.0.tar.gz (py3) [root@jumpserver guacamole]# tar -xf ssh-forward.tar.gz -C /bin/ (py3) [root@jumpserver guacamole]# chmod +x /bin/ssh-forward (py3) [root@jumpserver guacamole]# cd guacamole-server-1.0.0 (py3) [root@jumpserver guacamole-server-1.0.0]# ./configure --with-init-dir=/etc/init.d (py3) [root@jumpserver guacamole-server-1.0.0]# make && make install # 在當前環境配置Java (py3) [root@jumpserver guacamole-server-1.0.0]# yum install -y java-1.8.0-openjdk (py3) [root@jumpserver ~]# mkdir -p /config/guacamole /config/guacamole/extensions /config/guacamole/record /config/guacamole/drive (py3) [root@jumpserver ~]# chown daemon:daemon /config/guacamole/record /config/guacamole/drive (py3) [root@jumpserver ~]# cd /config (py3) [root@jumpserver config]# wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.36/bin/apache-tomcat-9.0.36.tar.gz (py3) [root@jumpserver config]# tar -xf apache-tomcat-9.0.36.tar.gz (py3) [root@jumpserver config]# mv apache-tomcat-9.0.36 tomcat9 (py3) [root@jumpserver config]# rm -rf /config/tomcat9/webapps/* (py3) [root@jumpserver config]# sed -i 's/Connector port="8080"/Connector port="8081"/g' /config/tomcat9/conf/server.xml (py3) [root@jumpserver config]# echo "java.util.logging.ConsoleHandler.encoding = UTF-8" >> /config/tomcat9/conf/logging.properties (py3) [root@jumpserver config]# ln -sf /opt/guacamole/guacamole-1.0.0.war /config/tomcat9/webapps/ROOT.war (py3) [root@jumpserver config]# ln -sf /opt/guacamole/guacamole-auth-jumpserver-1.0.0.jar /config/guacamole/extensions/guacamole-auth-jumpserver-1.0.0.jar (py3) [root@jumpserver config]# ln -sf /opt/guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties
設置Guacamole環境:
(py3) [root@jumpserver ~]# vim ~/.bashrc # 在末尾添加下面幾行 export JUMPSERVER_SERVER=http://127.0.0.1:8080 export BOOTSTRAP_TOKEN=123qweasdzxc export JUMPSERVER_KEY_DIR=/config/guacamole/keys export GUACAMOLE_HOME=/config/guacamole export GUACAMOLE_LOG_LEVEL=ERROR export JUMPSERVER_ENABLE_DRIVE=true
啟動Guacamole:
(py3) [root@jumpserver ~]# /etc/init.d/guacd start (py3) [root@jumpserver ~]# sh /config/tomcat9/bin/startup.sh
下載Lina組件
(py3) [root@jumpserver opt]# wget https://github.com/jumpserver/lina/releases/download/2.0.1/lina.tar.gz (py3) [root@jumpserver opt]# tar -xf lina.tar.gz (py3) [root@jumpserver opt]# chown -R root:root lina
下載Luna組件
(py3) [root@jumpserver opt]# wget https://github.com/jumpserver/luna/releases/download/2.0.1/luna.tar.gz (py3) [root@jumpserver opt]# tar -xf luna.tar.gz (py3) [root@jumpserver opt]# chown -R nginx:nginx luna
配置Nginx整合各組件:
# yum 安裝nginx (py3) [root@jumpserver ~]# yum -y install nginx # 添加jumpserver配置文件 (py3) [root@jumpserver ~]# cd /etc/nginx (py3) [root@jumpserver ~]# mkdir vhost (py3) [root@jumpserver ~]# vim nginx.conf #添加 include include /etc/nginx/vhost/*.conf; (py3) [root@jumpserver ~]# vim /etc/nginx/vhost/jumpserver.conf
server {
listen 80;
server_name jumpserver.xxx.com;
root /opt/lina;
index index.html;
access_log /var/log/nginx/jumpserver-access.log main;
error_log /var/log/nginx/jumpserver-error.log error;
client_max_body_size 100m; # 錄像及文件上傳大小限制
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna 路徑, 如果修改安裝目錄, 此處需要修改
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # 錄像位置, 如果修改安裝目錄, 此處需要修改
}
location /static/ {
root /opt/jumpserver/data/; # 靜態資源, 如果修改安裝目錄, 此處需要修改
}
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
rewrite ^/(.*)$ /ui/$1 last;
}
}
啟動nginx:
(py3) [root@jumpserver vhost]# nginx -t (py3) [root@jumpserver vhost]# systemctl enable nginx (py3) [root@jumpserver vhost]# systemctl start nginx
開始使用Jumpserver
瀏覽器訪問 http://jumpserver.xxx.com/ 默認賬號:admin 密碼:admin