The bastion host deployed here uses an external MySQL 8.0 database whose IP address is 10.11.1.8.

1、Create the database

Connect to MySQL and create the jumpserver database and a dedicated user whose privileges are limited to that database:

[root@mysql ~]# mysql -uroot -p
Enter password:
create database jumpserver default charset 'utf8';
create user 'jumpserver'@'%' identified with 'mysql_native_password' by 'xxxxx';
grant all on jumpserver.* to 'jumpserver'@'%';
flush privileges;

2、Install JumpServer

Connect to the JumpServer host with an SSH client and start the deployment. The version installed here is the latest release at the time of writing (v2.16.3):

cd /opt
wget https://github.com/jumpserver/installer/releases/download/v2.16.3/jumpserver-installer-v2.16.3.tar.gz
tar -xf jumpserver-installer-v2.16.3.tar.gz
cd jumpserver-installer-v2.16.3
./jmsctl.sh install

Below is part of the installer output. I have kept only the places that require interaction and annotated them:


       ██╗██╗   ██╗███╗   ███╗██████╗ ███████╗███████╗██████╗ ██╗   ██╗███████╗██████╗
       ██║██║   ██║████╗ ████║██╔══██╗██╔════╝██╔════╝██╔══██╗██║   ██║██╔════╝██╔══██╗
       ██║██║   ██║██╔████╔██║██████╔╝███████╗█████╗  ██████╔╝██║   ██║█████╗  ██████╔╝
  ██   ██║██║   ██║██║╚██╔╝██║██╔═══╝ ╚════██║██╔══╝  ██╔══██╗╚██╗ ██╔╝██╔══╝  ██╔══██╗
  ╚█████╔╝╚██████╔╝██║ ╚═╝ ██║██║     ███████║███████╗██║  ██║ ╚████╔╝ ███████╗██║  ██║
   ╚════╝  ╚═════╝ ╚═╝     ╚═╝╚═╝     ╚══════╝╚══════╝╚═╝  ╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝

                                                                   Version:  v2.16.3

1. Check Configuration File
Path to Configuration file: /opt/jumpserver/config
/opt/jumpserver/config/config.txt  [ √ ]
/opt/jumpserver/config/nginx/cert/server.crt   [ √ ]
/opt/jumpserver/config/nginx/cert/server.key   [ √ ]
complete

2. Backup Configuration File
Back up to /opt/jumpserver/config/backup/config.txt.2021-12-13_10-02-42
complete

>>> Install and Configure Docker
1. Install Docker
Starting to download Docker engine ...
Starting to download Docker Compose binary ...
complete

2. Configure Docker
Do you need custom docker root dir, will use the default directory /var/lib/docker? (y/n)  (default n):  (just press Enter)
complete

3. Start Docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /etc/systemd/system/docker.service.
complete

>>> Loading Docker Image
The required Docker images are downloaded automatically at this step.

Next come the network and database settings; see the annotations:

>>> Install and Configure JumpServer
1. Configure Network
Do you want to support IPv6? (y/n)  (default n): (just press Enter if IPv6 is not needed)
complete

2. Configure Private Key
SECRETE_KEY:     MmIzYTFmNDItYjk1Zi0yODY0LWU2N2UtMDdmMTU0NTg1NTg0
BOOTSTRAP_TOKEN: MmIzYTFmNDItYjk1Zi0yODY0
complete

3. Configure Persistent Directory
Do you need custom persistent store, will use the default directory /opt/jumpserver? (y/n)  (default n): (just press Enter)
complete

4. Configure MySQL    (configure the external database here)
Do you want to use external MySQL? (y/n)  (default n): y
Please enter MySQL server IP (default mysql): 10.11.1.8
Please enter MySQL server port (default 3306):
Please enter MySQL database name (default jumpserver): jumpserver
Please enter MySQL username (default root): jumpserver
Please enter MySQL password (no default): h#J8#@rr84J4BThauT
complete

5. Configure Redis    (whether to use an external Redis; the built-in Redis is used here, so just press Enter)
Do you want to use external Redis? (y/n)  (default n):
complete

6. Configure External Port    (whether to customize the external port; answer no)
Do you need to customize the JumpServer external port? (y/n)  (default n):
complete

7. Init JumpServer Database
Creating network "jms_net" with driver "bridge"
Creating jms_redis ... done
Creating jms_core  ... done
2021-12-13 11:00:10 Collect static files
2021-12-13 11:00:10 Collect static files done
2021-12-13 11:00:10 Check database structure change ...
2021-12-13 11:00:10 Migrate model change to database ...

When the installation completes, the management commands and access addresses are printed:

>>> The Installation is Complete
1. You can use the following command to start, and then visit
cd /opt/jumpserver-installer-v2.16.3
./jmsctl.sh start

2. Other management commands
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
For more commands, you can enter ./jmsctl.sh --help to understand

3. Web access
http://10.11.1.14:80
Default username: admin  Default password: admin

4. SSH/SFTP access
ssh -p2222 admin@10.11.1.14
sftp -P2222 admin@10.11.1.14

5. More information
Official Website: https://www.jumpserver.org/
Documentation: https://docs.jumpserver.org/

[root@jumpserver jumpserver-installer-v2.16.3]# ./jmsctl.sh start
# start JumpServer with this command

3、Open firewall ports

Open the HTTP and HTTPS ports used by the web interface. Note that the SSH/SFTP access printed by the installer uses port 2222, which these rules do not open; add it if that access is needed.

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload

4、Integrate LDAP

Log in to the admin console with the administrator account, go to "System Settings" → "LDAP Settings", and fill in the following:

Field                        Value
LDAP server                  ldap://10.11.10.1:389
Bind DN                      Administrator@opscn.cn
Password                     the domain administrator's password
User OU                      ou=inboc,dc=inboc,dc=net
User filter                  (sAMAccountName=%(user)s)
LDAP attribute map           {"username": "sAMAccountName", "name": "cn", "email": "mail"}
Enable LDAP authentication   checked
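At login, the user filter above has the login name substituted for %(user)s, and the attributes named in the attribute map are copied from the matching directory entry into the JumpServer user. The following added example (not JumpServer's own code) walks through that sequence with RFC 4515 escaping of the login name, so that characters such as ( ) * from the login form cannot change the structure of the search filter; the directory entry is a constructed sample.

```python
import json

# Values taken from the LDAP settings table above.
USER_FILTER_TEMPLATE = "(sAMAccountName=%(user)s)"
ATTR_MAP = json.loads('{"username": "sAMAccountName", "name": "cn", "email": "mail"}')

# RFC 4515 escapes for characters that have meaning inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str, template: str = USER_FILTER_TEMPLATE) -> str:
    """Expand %(user)s in the configured filter with the escaped login name."""
    return template % {"user": escape_filter_value(login)}


def map_ldap_entry(entry: dict, attr_map: dict = ATTR_MAP) -> dict:
    """Translate one LDAP entry (attribute -> list of values, as a search
    returns it) into the JumpServer fields named by the attribute map.
    A missing attribute yields an empty string rather than an error."""
    user = {}
    for field, ldap_attr in attr_map.items():
        values = entry.get(ldap_attr) or [""]
        user[field] = values[0]
    return user


# Constructed sample entry, shaped like the search result for one AD user.
SAMPLE_ENTRY = {
    "sAMAccountName": ["alice"],
    "cn": ["Alice Liu"],
    "mail": ["alice@opscn.cn"],
}

if __name__ == "__main__":
    print(build_user_filter("alice"))
    print(build_user_filter("(alice)*"))  # parentheses and wildcard are escaped
    print(map_ldap_entry(SAMPLE_ENTRY))
```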

5、Configure SSL

1) Upload the certificate

cd /opt/jumpserver/config/nginx/cert/
# upload the certificate and key files into this directory

2) Enable the SSL port

vim /opt/jumpserver/config/config.txt
USE_LB=1
# Nginx setting: USE_LB=1 enables the Nginx front end; when it is 0, the HTTPS_PORT setting has no effect

3) Edit the Nginx configuration file

vim /opt/jumpserver/config/nginx/lb_http_server.conf

upstream http_server {
  ip_hash;
  server web:80;  # reachable through the container network; external access uses port 80
  # server HOST2:80;  # additional members must be written as real IP addresses
}

server {
  listen 80;
  server_name jumpserver.opscn.cn;  # uncomment and change to your own domain name
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl;
  server_name jumpserver.opscn.cn;      # uncomment and change to your own domain name
  server_tokens off;
  ssl_certificate cert/server.crt;        # replace server.crt with your certificate; do not change the cert/ path
  ssl_certificate_key cert/server.key;    # replace server.key with your key; do not change the cert/ path
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;
  ssl_session_tickets off;
  ssl_protocols TLSv1.1 TLSv1.2;  # TLSv1.1 is deprecated (RFC 8996); drop it if your clients support TLSv1.2
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!DES:!ECDHE-RSA-DES-CBC3-SHA;
  add_header Strict-Transport-Security "max-age=31536000" always;
  ssl_prefer_server_ciphers off;

  client_max_body_size 5000m;

  location / {
    proxy_pass http://http_server;
    proxy_buffering off;
    proxy_request_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header X-Forwarded-For $remote_addr;

    proxy_ignore_client_abort on;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 6000;
  }
}
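Before restarting, it is worth checking the TLS directives of the 443 server block against the points a reviewer looks for: deprecated protocol versions, HSTS, session tickets, server_tokens and the certificate pair. The following added example (not part of JumpServer or this post) parses a subset of the server block above, embedded as a string so it runs offline, and reports those findings; the parser is a flat directive collector and assumes a single server block.

```python
# Subset of the lb_http_server.conf server block above, embedded so the check runs offline.
NGINX_CONF = """
server {
  listen 443 ssl;
  server_tokens off;
  ssl_certificate cert/server.crt;        # replace server.crt with your certificate
  ssl_certificate_key cert/server.key;
  ssl_session_tickets off;
  ssl_protocols TLSv1.1 TLSv1.2;
  add_header Strict-Transport-Security "max-age=31536000" always;
  ssl_prefer_server_ciphers off;
}
"""

# Versions deprecated by RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 and 1.1).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf: str) -> dict:
    """Collect directives as name -> list of argument lists, dropping '#'
    comments and block braces. A flat view is enough for one server block."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit_tls(conf: str) -> dict:
    """Report the TLS hygiene points of the server block as a findings dict."""
    d = parse_directives(conf)
    protocols = {p for args in d.get("ssl_protocols", []) for p in args}
    hsts = any(args and args[0] == "Strict-Transport-Security" for args in d.get("add_header", []))
    return {
        "deprecated_protocols": sorted(protocols & DEPRECATED_PROTOCOLS),
        "hsts": hsts,
        "session_tickets_off": ["off"] in d.get("ssl_session_tickets", []),
        "server_tokens_off": ["off"] in d.get("server_tokens", []),
        "certificate_configured": bool(d.get("ssl_certificate")) and bool(d.get("ssl_certificate_key")),
    }


if __name__ == "__main__":
    for key, value in audit_tls(NGINX_CONF).items():
        print(f"{key}: {value}")
```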

4) Restart JumpServer

cd /opt/jumpserver-installer-v2.16.3
./jmsctl.sh restart

5) Set up DNS resolution for the domain you used, then open it in a browser.