分布式部署文档 - nginx 代理部署

说明

  • # 开头的行表示注释

  • $ 开头的行表示需要执行的命令

环境

  • 系统: CentOS 7
  • IP: 192.168.100.100
    Protocol | Server Name | IP | Port | Used By
    TCP | Nginx | 192.168.100.100 | 80, 443, 2222 | All
    TCP | Nginx | 192.168.100.100 | 3306 | Jumpserver

开始安装

  1. # 升级系统
  2. $ yum upgrade -y
  3.  
  4. # 获取 epel-release 源
  5. $ yum -y install epel-release
  6.  
  7. # 设置防火墙, 开放 80 443 2222 端口
  8. $ firewall-cmd --zone=public --add-port=80/tcp --permanent
  9. $ firewall-cmd --zone=public --add-port=443/tcp --permanent
  10. $ firewall-cmd --zone=public --add-port=2222/tcp --permanent
  11. $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="3306" accept"
  12. # 192.168.100.0/24 为整个 Jumpserver 网络网段, 这里为简化直接放行了整个网段; 请根据实际情况收紧为真正需要访问 3306 的 Jumpserver 主机地址
  13.  
  14. $ firewall-cmd --reload
  15.  
  16. # 关闭 selinux (下面两条命令会临时并永久禁用 SELinux; 若需要保留强制访问控制, 请改为为 nginx 配置相应的 SELinux 策略而不是直接禁用)
  17. $ setenforce 0
  18. $ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
  1. # 安装 nginx
  2. $ vi /etc/yum.repos.d/nginx.repo
  3.  
  4. [nginx]
  5. name=nginx repo
  6. baseurl=http://nginx.org/packages/centos/7/$basearch/
  7. gpgcheck=0
  8. enabled=1
  9.  
  10. # 非 Centos7 请参考 http://nginx.org/en/linux_packages.html#stable ; 注意上面的 gpgcheck=0 关闭了软件包签名校验, 建议导入 nginx 官方签名密钥后设置 gpgcheck=1
  1. $ yum -y install nginx
  2. $ systemctl enable nginx
  3.  
  4. # 下载 luna
  5. $ cd /opt
  6. $ wget https://github.com/jumpserver/luna/releases/download/1.4.8/luna.tar.gz
  7.  
  8. # 如果网络有问题导致下载无法完成, 可以使用下面的地址; 如发布页提供了校验值, 下载后请核对, 确认文件未被篡改
  9. $ wget https://demo.jumpserver.org/download/luna/1.4.8/luna.tar.gz
  10.  
  11. $ tar xf luna.tar.gz
  12. $ chown -R root:root luna
  1. # 配置 Nginx
  2. $ vi /etc/nginx/nginx.conf
  3.  
  4. user nginx;
  5. worker_processes auto;
  6.  
  7. error_log /var/log/nginx/error.log warn;
  8. pid /var/run/nginx.pid;
  9.  
  10.  
  11. events {
  12. worker_connections 1024;
  13. }
  14.  
  15. stream {
  16. log_format proxy '$remote_addr [$time_local] '
  17. '$protocol $status $bytes_sent $bytes_received '
  18. '$session_time "$upstream_addr" '
  19. '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
  20.  
  21. access_log /var/log/nginx/tcp-access.log proxy;
  22. open_log_file_cache off;
  23.  
  24. upstream MariaDB {
  25. server 192.168.100.10:3306;
  26. server 192.168.100.11:3306 backup; # 多节点
  27. server 192.168.100.12:3306 down; # 多节点
  28. # 这里是 Mariadb 的后端ip
  29. }
  30.  
  31. upstream cocossh {
  32. server 192.168.100.40:2222;
  33. server 192.168.100.40:2223; # 多节点
  34. # 这里是 coco ssh 的后端ip
  35. least_conn;
  36. }
  37.  
  38. server {
  39. listen 3306;
  40. proxy_pass MariaDB;
  41. proxy_connect_timeout 1s; # detect failure quickly
  42. }
  43.  
  44. server {
  45. listen 2222;
  46. proxy_pass cocossh;
  47. proxy_connect_timeout 1s; # detect failure quickly
  48. }
  49. }
  50.  
  51. http {
  52. include /etc/nginx/mime.types;
  53. default_type application/octet-stream;
  54.  
  55. log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  56. '$status $body_bytes_sent "$http_referer" '
  57. '"$http_user_agent" "$http_x_forwarded_for"';
  58.  
  59. access_log /var/log/nginx/access.log main;
  60.  
  61. sendfile on;
  62. # tcp_nopush on;
  63.  
  64. keepalive_timeout 65;
  65.  
  66. # 关闭版本显示
  67. server_tokens off;
  68.  
  69. include /etc/nginx/conf.d/*.conf;
  70. }
  1. # 备份默认的配置文件
  2. $ mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.bak
  3.  
  4. $ vi /etc/nginx/conf.d/jumpserver.conf
  5.  
  6. upstream jumpserver {
  7. server 192.168.100.30:80;
  8. # 这里是 jumpserver 的后端ip
  9. }
  10.  
  11. upstream cocows {
  12. server 192.168.100.40:5000 weight=1;
  13. server 192.168.100.40:5001 weight=1; # 多节点
  14. # 这里是 coco ws 的后端ip
  15. ip_hash;
  16. }
  17.  
  18. upstream guacamole {
  19. server 192.168.100.50:8081 weight=1;
  20. server 192.168.100.50:8082 weight=1; # 多节点
  21. # 这里是 guacamole 的后端ip
  22. ip_hash;
  23. }
  24.  
  25. server {
  26. listen 80;
  27. server_name www.jumpserver.org; # 自行修改成你的域名
  28. return 301 https://$server_name$request_uri;
  29. }
  30.  
  31. server {
  32. # 推荐使用 https 访问, 如果不使用 https 请自行注释下面的选项; 注意 ssl_protocols 中的 TLSv1 和 TLSv1.1 已过时, 如无兼容旧客户端的需求建议只保留 TLSv1.2 (ssl on 指令在较新版本的 nginx 中已弃用, 可改为 listen 443 ssl)
  33. listen 443;
  34. server_name www.jumpserver.org; # 自行修改成你的域名
  35. ssl on;
  36. ssl_certificate /etc/nginx/sslkey/1_jumpserver.org_bundle.crt; # 自行设置证书
  37. ssl_certificate_key /etc/nginx/sslkey/2_jumpserver.org.key; # 自行设置证书
  38. ssl_session_timeout 5m;
  39. ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  40. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  41. ssl_prefer_server_ciphers on;
  42.  
  43. client_max_body_size 100m; # 录像上传大小限制
  44.  
  45. location / {
  46. proxy_pass http://jumpserver; # jumpserver (注意: 本文件各 location 中的 access_log off 会关闭代理层的访问日志, 排查安全事件时将没有这一层的记录, 请按需保留)
  47. proxy_set_header X-Real-IP $remote_addr;
  48. proxy_set_header Host $host;
  49. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  50. access_log off;
  51. }
  52.  
  53. location /luna/ {
  54. try_files $uri / /index.html;
  55. alias /opt/luna/; # luna 路径, 如果修改安装目录, 此处需要修改
  56. }
  57.  
  58. location /socket.io/ {
  59. proxy_pass http://cocows/socket.io/; # coco
  60. proxy_buffering off;
  61. proxy_http_version 1.1;
  62. proxy_set_header Upgrade $http_upgrade;
  63. proxy_set_header Connection "upgrade";
  64. proxy_set_header X-Real-IP $remote_addr;
  65. proxy_set_header Host $host;
  66. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  67. access_log off;
  68. }
  69.  
  70. location /coco/ {
  71. proxy_pass http://cocows/coco/;
  72. proxy_set_header X-Real-IP $remote_addr;
  73. proxy_set_header Host $host;
  74. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  75. access_log off;
  76. }
  77.  
  78. location /guacamole/ {
  79. proxy_pass http://guacamole/; # guacamole
  80. proxy_buffering off;
  81. proxy_http_version 1.1;
  82. proxy_set_header Upgrade $http_upgrade;
  83. proxy_set_header Connection $http_connection;
  84. proxy_set_header X-Real-IP $remote_addr;
  85. proxy_set_header Host $host;
  86. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  87. access_log off;
  88. }
  89. }
  1. # nginx 测试并启动, 如果报错请按报错提示自行解决
  2. $ nginx -t
  3. $ systemctl start nginx
  4.  
  5. # 访问 http://192.168.100.100
  6. # 默认账号: admin 密码: admin (首次登录后请立即修改默认密码), 到会话管理-终端管理 接受 Coco Guacamole 等应用的注册
  7. # 测试连接
  8. $ ssh -p2222 admin@192.168.100.100
  9. $ sftp -P2222 admin@192.168.100.100
  10. 密码: admin
  11.  
  12. # 如果是用在 Windows 下, Xshell Terminal 登录语法如下
  13. $ ssh admin@192.168.100.100 2222
  14. $ sftp admin@192.168.100.100 2222
  15. 密码: admin
  16. 如果能登录, 代表部署成功
  17.  
  18. # sftp默认上传的位置在资产的 /tmp 目录下
  19. # windows拖拽上传的位置在资产的 Guacamole RDP上的 G 目录下

后续的使用请参考 快速入门, 如遇到问题可参考 FAQ