Under the overall plan for 2022 to cut costs, and because Intel-based servers cost more than AMD ones while the number of JumpServer users has dropped, the JumpServer host was downsized and migrated.
Inspecting the old server shows that the two JumpServer components jms_koko and jms_guacamole run from container images, while the other three projects, jms (core), luna and lina, run from source (note: it is unclear what was changed in that source, so to keep things identical it is migrated untouched). A tengine process serves as the single entry point.
3.1 Buy a 4-core / 8 GB server (new server IP: 192.168.147.184)
3.2 The old host ran the two containers under Docker; because Docker has drawbacks for this use, they were moved to Podman (daemonless, same run flags). Note that Podman only honours --restart=always while the podman service is up; for restarts across reboots enable podman-restart.service or generate systemd units with podman generate systemd.
# Take both values from the old server's config.yml; BOOTSTRAP_TOKEN must equal the one the core uses, otherwise koko and guacamole cannot register with it.
secretKey=***        # not referenced by the two podman commands below (the core reads SECRET_KEY from config.yml)
bootstrapToken=***
# Address the containers use to reach the core on 8080. eth0 is assumed; ifconfig needs net-tools, `ip -4 -o addr show eth0 | awk '{print $4}' | cut -d/ -f1` gives the same without it.
hostip=`/sbin/ifconfig eth0 | grep -w inet | grep netmask | awk '{print $2}'`
# 2222 is the SSH entry users connect to directly, so it stays on all interfaces. 5000 (koko HTTP) and 8081 (guacamole) are only reached through the nginx proxy on this host, so they are bound to 127.0.0.1 instead of every interface (nginx proxies to localhost; if localhost also resolves to ::1 on this host, write 127.0.0.1 in proxy_pass).
podman run --name jms_koko -d -p 2222:2222 -p 127.0.0.1:5000:5000 -e CORE_HOST=http://$hostip:8080 -e BOOTSTRAP_TOKEN=$bootstrapToken --restart=always quay.010sec.cn/jumpserver/jms_koko:v2.3.0
podman run --name jms_guacamole -d -p 127.0.0.1:8081:8080 -e JUMPSERVER_SERVER=http://$hostip:8080 -e BOOTSTRAP_TOKEN=$bootstrapToken --restart=always quay.010sec.cn/jumpserver/jms_guacamole:v2.3.0
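A post-start check for the exposure question above, added here as an example and not part of the original write-up. It reads a saved copy of `ss -H -ltn` and lists the backend ports of this deployment (core 8080, core websocket 8070, koko HTTP 5000, guacamole 8081) that listen on anything other than loopback. The sample `ss` lines are constructed, not captured from the server, and show what the original `-p 5000:5000` / `-p 8081:8080` publishing looks like.

```shell
#!/usr/bin/env bash
# Backend ports from this migration that should not face the network.
# Only nginx (80/443) and koko's SSH entry (2222) are meant to be public.
INTERNAL_PORTS="8080 8070 5000 8081"

# Print "host port" for every internal port bound to a non-loopback address.
# $1 = file holding the output of `ss -H -ltn` (no header, listening TCP, numeric).
exposed_internal_listeners() {
    awk -v ports="$INTERNAL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            # $4 is "Local Address:Port": 0.0.0.0:5000, *:8080, [::]:8081, 127.0.0.1:8070
            addr = $4
            k = split(addr, parts, ":")
            port = parts[k]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if ((port in want) && host != "127.0.0.1" && host != "[::1]")
                print host, port
        }' "$1" | LC_ALL=C sort -u
}

# Constructed sample (not real output): 8070 correctly on loopback, koko HTTP and
# guacamole published on every interface, core on all interfaces, public 80/443/2222.
write_sample_ss() {
    cat > "$1" <<'EOF'
LISTEN 0      4096       127.0.0.1:8070      0.0.0.0:*
LISTEN 0      4096         0.0.0.0:5000      0.0.0.0:*
LISTEN 0      4096         0.0.0.0:2222      0.0.0.0:*
LISTEN 0      4096               *:8080            *:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      4096            [::]:8081         [::]:*
EOF
}

# Usage on a live host:  ss -H -ltn > /tmp/listeners.txt && exposed_internal_listeners /tmp/listeners.txt
# Run with "demo" to see the result on the constructed sample.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_ss "$tmp"
    exposed_internal_listeners "$tmp"
    rm -f "$tmp"
fi
```

On the sample this reports `* 8080`, `0.0.0.0 5000` and `[::] 8081`. The last two are fixed by the `127.0.0.1:` prefix in the podman -p flags; 8080 has to stay reachable from the container network because koko and guacamole call the core at $hostip:8080, so that one is a host-firewall rule (allow the podman bridge and loopback only), not a bind-address change.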
3.3 Start jms (core)
# On the old server: copy the source tree to the new server. config.yml (SECRET_KEY, database and redis credentials) and data/ travel with it; keep config.yml readable only by the user that runs jms after the copy.
scp -r /opt/xd/jumpserver-v2.3.0/ 192.168.147.184:/opt/
# On the new server
cd /opt/
dnf install python3 -y                                           # el8/el9 package names: unversioned "python" does not resolve there
dnf install mysql-devel python3-devel gcc openldap-devel -y      # build deps for the pinned requirements (mysqlclient, python-ldap)
python3 -m venv py3
source py3/bin/activate                                          # inside the venv "python" points at the venv interpreter
pip install -r /opt/jumpserver-v2.3.0/requirements/requirements.txt
cd /opt/jumpserver-v2.3.0/
python ./jms start -w 8 -d                                       # 8 gunicorn workers, daemonised; listens on 8080 (HTTP) and 8070 (websocket)
3.4 Start nginx (OpenResty)
# On the old server: copy the two front-end bundles to the new server
scp -r /opt/xd/luna-v2.3.0/ 192.168.147.184:/opt/
scp -r /opt/xd/lina-v2.3.0/ 192.168.147.184:/opt/
# On the new server: install OpenResty from the official repo
wget 'https://openresty.org/package/centos/openresty.repo' -P /etc/yum.repos.d/
dnf check-update
dnf -y install openresty
mkdir -p /usr/local/openresty/nginx/conf/{ssl,vhosts}
3.5 Place the TLS certificate and private key under the nginx conf directory as ssl/tls.crt and ssl/tls.key (the paths in the vhost below are relative to that directory); keep tls.key readable by root only.
3.6 Edit the default nginx.conf (cat /usr/local/openresty/nginx/conf/nginx.conf):
#user nobody;
worker_processes auto;
error_log logs/error.log;
pid logs/nginx.pid;
events {
use epoll;
worker_connections 65535;
}
http {
log_format main '$remote_addr||$time_iso8601||$http_host||$server_port||$request_method||$scheme||$request_uri||$server_protocol||$status||$body_bytes_sent||$http_referer||$http_user_agent||$http_x_real_ip||$http_x_forwarded_for||$request_time||$upstream_addr||$upstream_response_time||$upstream_status||';
#access_log "pipe:/usr/bin/cronolog /usr/local/openresty/nginx/logs/%Y%m%d-access_log-default" main;
access_log logs/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
autoindex off;
keepalive_timeout 65;
types_hash_max_size 2048;
server_names_hash_bucket_size 64;
server_name_in_redirect off;
include mime.types;
default_type application/octet-stream;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_min_length 1k;
gzip_comp_level 6;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 100m;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
include vhosts/*.conf;
}
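The custom `||`-separated `log_format main` above is what the access log of this host looks like (koko, guacamole and the websocket locations below switch logging off, so what remains is the core and API traffic). As an added example, not part of the original write-up, here is a small awk-based reader for that format: it counts 401/403 responses per client and flags slow upstream calls. The log lines are constructed for the example; the API paths and statuses in them are illustrative, not captured from JumpServer.

```shell
#!/usr/bin/env bash
# Field positions of log_format main (1-based, awk $N):
#  1 remote_addr  2 time_iso8601  3 http_host  4 server_port  5 request_method  6 scheme
#  7 request_uri  8 server_protocol  9 status  10 body_bytes_sent  11 http_referer
# 12 http_user_agent  13 http_x_real_ip  14 http_x_forwarded_for  15 request_time
# 16 upstream_addr  17 upstream_response_time  18 upstream_status
# The trailing "||" leaves an empty 19th field. "|" is a regex metacharacter,
# so the separator is written as [|][|], not "||".
FS_LOG='[|][|]'

# Clients with at least $2 responses of 401 or 403 in log file $1; prints "ip count".
# Keyed on remote_addr (field 1): at the edge that is the TCP peer and cannot be forged,
# whereas X-Forwarded-For (field 14) is whatever the client chose to send.
failed_auth_by_client() {
    awk -F "$FS_LOG" -v min="$2" '
        $9 == "401" || $9 == "403" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' "$1" | LC_ALL=C sort
}

# Requests whose upstream_response_time (field 17) exceeded $2 seconds; prints "ip uri seconds".
# A "-" (no upstream, e.g. a static file) coerces to 0 and is skipped.
slow_upstream_requests() {
    awk -F "$FS_LOG" -v thr="$2" '($17 + 0) > thr { print $1, $7, $17 }' "$1"
}

# Constructed sample log (not real traffic). 203.0.113.10 fails three times against the
# API auth endpoint; 192.0.2.5 sends a forged X-Forwarded-For of 203.0.113.10 and gets a 403,
# which is attributed to 192.0.2.5; the last line is a slow recording-list call.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10||2022-06-01T10:00:01+08:00||jumpserver.010sec.cn||443||POST||https||/api/v1/authentication/auth/||HTTP/1.1||401||64||-||curl/7.61.1||-||-||0.012||127.0.0.1:8080||0.011||401||
203.0.113.10||2022-06-01T10:00:02+08:00||jumpserver.010sec.cn||443||POST||https||/api/v1/authentication/auth/||HTTP/1.1||401||64||-||curl/7.61.1||-||-||0.011||127.0.0.1:8080||0.010||401||
203.0.113.10||2022-06-01T10:00:03+08:00||jumpserver.010sec.cn||443||POST||https||/api/v1/authentication/auth/||HTTP/1.1||401||64||-||curl/7.61.1||-||-||0.013||127.0.0.1:8080||0.012||401||
198.51.100.7||2022-06-01T10:00:04+08:00||jumpserver.010sec.cn||443||GET||https||/api/v1/users/profile/||HTTP/1.1||200||812||https://jumpserver.010sec.cn/ui/||Mozilla/5.0||-||-||0.020||127.0.0.1:8080||0.019||200||
198.51.100.7||2022-06-01T10:00:05+08:00||jumpserver.010sec.cn||443||GET||https||/api/v1/assets/assets/||HTTP/1.1||403||58||https://jumpserver.010sec.cn/ui/||Mozilla/5.0||-||-||0.009||127.0.0.1:8080||0.008||403||
192.0.2.5||2022-06-01T10:00:06+08:00||jumpserver.010sec.cn||443||GET||https||/api/v1/assets/assets/||HTTP/1.1||403||58||-||Mozilla/5.0||-||203.0.113.10||0.009||127.0.0.1:8080||0.008||403||
198.51.100.7||2022-06-01T10:00:07+08:00||jumpserver.010sec.cn||443||GET||https||/api/v1/terminal/sessions/||HTTP/1.1||200||40231||https://jumpserver.010sec.cn/ui/||Mozilla/5.0||-||-||3.214||127.0.0.1:8080||3.210||200||
EOF
}

# Usage on the host:  failed_auth_by_client /usr/local/openresty/nginx/logs/access.log 10
# Run with "demo" to see both reports on the constructed sample.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    failed_auth_by_client "$tmp" 3
    slow_upstream_requests "$tmp" 2
    rm -f "$tmp"
fi
```

With the threshold at 3 only 203.0.113.10 is reported; with the threshold at 1 the forged-header line shows up under 192.0.2.5, which is the point of keying on field 1 rather than field 14 at the first hop.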
3.7 Add the JumpServer vhost (cat /usr/local/openresty/nginx/conf/vhosts/jumpserver.conf). Every backend is addressed as localhost, so apart from nginx on 80/443 and koko's SSH on 2222 nothing needs to be reachable from outside; restrict 8080 and 8070 to loopback plus the container network and 5000/8081 to loopback with the host firewall.
server {
listen 80;
listen 443 ssl;
server_name jumpserver.010sec.cn;
# "ssl on;" was dropped: it switches every listener of this server block to TLS, so the port-80 listener above answered "400 The plain HTTP request was sent to HTTPS port" (newer OpenResty builds reject the directive outright). "listen 443 ssl" is sufficient.
# Send the plain-HTTP listener to HTTPS so the login form and session cookie never cross the network in clear text.
if ($scheme = http) {
return 301 https://$host$request_uri;
}
ssl_certificate ssl/tls.crt;
ssl_certificate_key ssl/tls.key;
ssl_session_timeout 10m;
ssl_protocols TLSv1.2 TLSv1.3; # the original also allowed TLSv1 and TLSv1.1, both deprecated (RFC 8996)
ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT56:!EXP;
ssl_prefer_server_ciphers on;
client_max_body_size 100m; # upload limit for recordings and file transfers
# v1.5.x
location = /users/password/forgot/ {
#return 301 https://keycloak.apps.xiaodiankeji.net/auth/realms/sso/account;
return 302 http://oauth.010sec.cn/oauthcore/changePassword.html; # password-change page of the SSO portal
}
# v2.x
location = /core/auth/password/forgot/ {
return 302 http://oauth.010sec.cn/oauthcore/changePassword.html; # password-change page of the SSO portal
}
location /ui/ {
try_files $uri / /index.html;
alias /opt/lina-v2.3.0/;
}
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna-v2.3.0/;
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver-v2.3.0/data/; # session recordings; change this if the install directory differs
}
location /static/ {
root /opt/jumpserver-v2.3.0/data/; # static assets; change this if the install directory differs
}
location /koko/ {
proxy_pass http://localhost:5000;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /guacamole/ {
proxy_pass http://localhost:8081/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /ws/ {
proxy_pass http://localhost:8070;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
location /api/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /core/ {
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
#include allow_origin_dian.so.conf;
rewrite ^/(.*)$ /ui/$1 last;
}
}
3.8 Rotate the logs daily; logrotate config at /usr/local/openresty/nginx/logs/openresty (with copytruncate nginx keeps writing to the same file, so the HUP in postrotate is only a safety net):
/usr/local/openresty/nginx/logs/*.log {
daily
rotate 5
compress
copytruncate
dateext
sharedscripts
postrotate
/bin/kill -HUP `cat /usr/local/openresty/nginx/logs/nginx.pid 2> /dev/null` 2> /dev/null || true
endscript
}
3.9 Add the cron job
cat /var/spool/cron/root
59 23 * * * /usr/sbin/logrotate -f /usr/local/openresty/nginx/logs/openresty >/dev/null 2>&1
3.10 Point the hostname at the new server in the local hosts file, log in and verify. If everything works, switch the DNS record.
https://blog.51cto.com/u_14529928/4056117
https://docs.jumpserver.org/zh/master/install/setup_by_fast/