JumpServer搭建
一键安装
准备一台 2核4G (最低)且可以访问互联网的 64 位 Linux 主机;
以 root 用户执行如下命令一键安装 JumpServer。
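# Download the pinned installer to a file first: -f makes curl fail on an HTTP error
# (e.g. a 404 page) instead of piping that error body straight into bash as root.
curl -fsSL -o quick_start.sh https://github.com/jumpserver/jumpserver/releases/download/v2.19.1/quick_start.sh
# Read quick_start.sh before running it; it executes with root privileges.
bash quick_start.sh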
JumpServer 安装在内网机器上,通过在公有云上部署 nginx 实现公网访问
官方参考文档
https://docs.jumpserver.org/zh/master/admin-guide/proxy/
步骤:
1. 开启 JumpServer 的 nginx 代理支持(不使用 SSL 安全认证)
vi /opt/jumpserver/config/config.txt
修改第六行内容
## Nginx settings: USE_LB=1 enables the bundled nginx proxy; when it is 0, HTTPS_PORT has no effect
# Plain-HTTP port of the bundled nginx; the public-cloud nginx in front of it terminates TLS.
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389
USE_LB=1 # 1 enables this option
# NOTE(review): with the HTTPS listener in lb_http_server.conf commented out (this guide does
# not use SSL on this host), this port is defined but not served here — confirm before relying on it.
HTTPS_PORT=443 # externally exposed https port
2.修改nginx相关配置(jumpserver的配置文件)
vi /opt/jumpserver/config/nginx/lb_http_server.conf
# Backend pool for the proxy_pass in the server block below.
upstream http_server {
    # Pin a client to one backend by source address; only matters once several servers are listed.
    ip_hash;
    server web:80; # reachable through the container network; external access is port 80
    # server HOST2:80; # additional backends must be listed by their real IP
}
#注释掉下边nginx 80端口转发到443端口
#server {
# listen 80;
# # listen [::]:80;
# server_name n1; # 取消注释并自行修改成你自己的域名
# return 301 https://$server_name$request_uri;
#}
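# JumpServer-side nginx: plain-HTTP listener only. TLS is terminated on the public-cloud
# nginx in front of this host, so the HTTPS listener and ssl_* directives of the stock
# template stay commented out.
server {
    listen 80;
    # listen [::]:443 ssl; # 443/ssl listener disabled: TLS is terminated upstream
    server_name n1; # replace with your own domain name
    # Hide the nginx version in response headers and error pages. This does not depend on
    # TLS, so it can stay enabled even though the ssl_* lines are commented out.
    server_tokens off;
    #ssl_certificate cert/server.crt; # replace server.crt with your certificate; keep the certs/ path
    #ssl_certificate_key cert/server.key; # replace server.key with your key; keep the certs/ path
    #ssl_session_timeout 1d;
    #ssl_session_cache shared:MozSSL:10m;
    #ssl_session_tickets off;
    #ssl_protocols TLSv1.1 TLSv1.2;
    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!DES:!ECDHE-RSA-DES-CBC3-SHA;
    #add_header Strict-Transport-Security "max-age=31536000" always;
    #ssl_prefer_server_ciphers off;
    client_max_body_size 5000m;
    location / {
        proxy_pass http://http_server;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # This instance sits behind the public-cloud nginx, which already sets X-Forwarded-For
        # to the real client address. Overwriting it with $remote_addr here would replace that
        # with the public proxy's own IP; appending with $proxy_add_x_forwarded_for (the stock
        # template's own recommendation when another load balancer sits in front) keeps the
        # client address. Only the trusted front proxy should be able to reach this port,
        # otherwise the forwarded address cannot be trusted.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ignore_client_abort on;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 6000;
    }
}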
3.在公有云机器上部署nginx
安装过程略。
修改nginx.conf
# Main (top-level) context of the public-cloud nginx.conf.
#user nobody;
# Single worker process; raise it (or use `auto`) on multi-core hosts if needed.
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
# Connection-handling settings for each worker process.
events {
    worker_connections 1024;
}
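# Public-cloud nginx: terminates TLS on 50443 and forwards to the JumpServer-side nginx.
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # Port 80: redirect everything to the TLS listener below. That listener is on 50443,
    # not 443, so the redirect must carry the port — without it browsers are sent to
    # port 443, which this configuration does not serve.
    server {
        listen 80;
        server_name localhost;
        return 301 https://$host:50443$request_uri;
    }

    server {
        listen 50443 ssl;
        server_name springrain.vip; # replace with your own domain name
        server_tokens off;
        ssl_certificate cert/7316230_springrain.vip.pem;
        ssl_certificate_key cert/7316230_springrain.vip.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;
        # TLS 1.1 is deprecated (RFC 8996); offer only 1.2 and 1.3. nginx accepts the TLSv1.3
        # token since 1.13.0 and negotiates it only when built against OpenSSL 1.1.1 or newer.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        add_header Strict-Transport-Security "max-age=63072000" always;
        client_max_body_size 5000m; # upload size limit

        location / {
            # The address here is the backend JumpServer-side nginx (plain HTTP, port 80).
            # This leg is not encrypted, so the path between the two hosts should be a
            # private network or VPN rather than the open internet.
            proxy_pass http://jmsn1.com;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            # Overwrite (not append) X-Forwarded-For so a client cannot inject a fake address;
            # this is the value the backend nginx relays to JumpServer.
            proxy_set_header X-Forwarded-For $remote_addr;
            # Match the timeouts of the JumpServer-side nginx: the default 60s proxy_read_timeout
            # would cut idle web-terminal websocket sessions that the backend allows for 600s.
            proxy_connect_timeout 600;
            proxy_send_timeout 600;
            proxy_read_timeout 600;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}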
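# Validate the edited configuration first; reload only when the syntax check passes, so a
# typo does not leave you with a failed reload and the old configuration still in effect.
sbin/nginx -t && sbin/nginx -s reload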
JumpServer搭建
https://www.hechunyu.com/archives/1698116943059