修改安全性

docs/distributed_02.rst

@@ -145,8 +145,21 @@
     server {
         listen 80;
         server_name www.jumpserver.org;  # 自行修改成你的域名
+        return https://www.jumpserver.org$request_uri;  # 自行修改成你的域名
     }
 
+    server {
+        # 推荐使用 https 访问，如果不使用 https 请自行注释下面的选项
+        listen 443;
+        server_name www.jumpserver.org;  # 自行修改成你的域名
+        ssl on;
+        ssl_certificate   /etc/nginx/sslkey/1_jumpserver.org_bundle.crt;  # 自行设置证书
+        ssl_certificate_key  /etc/nginx/sslkey/2_jumpserver.org.key;  # 自行设置证书
+        ssl_session_timeout 5m;
+        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_prefer_server_ciphers on;
+
         client_max_body_size 100m;  # 录像上传大小限制
 
         location / {

docs/distributed_03.rst

@@ -24,8 +24,8 @@
     # 安装 mariadb 服务
     $ yum install -y install mariadb mariadb-devel mariadb-server
 
-    # 设置防火墙，开放 3306 端口
-    $ firewall-cmd --zone=public --add-port=3306/tcp --permanent
+    # 设置防火墙，开放 3306 端口 给 jumpserver 访问
+    $ $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.11" port protocol="tcp" port="3306" accept"
     $ firewall-cmd --reload
 
     # 设置 mariadb 服务

docs/distributed_04.rst

@@ -23,8 +23,10 @@
     # 安装依赖包
     $ yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
 
-    # 设置防火墙，开放 80 端口
-    $ firewall-cmd --zone=public --add-port=80/tcp --permanent
+    # 设置防火墙，开放 80 端口给 nginx 访问，开放 8080 端口给 coco 和 guacamole 访问
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.100" port protocol="tcp" port="80" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.12" port protocol="tcp" port="8080" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.13" port protocol="tcp" port="8080" accept"
     $ firewall-cmd --reload
 
     # 安装 redis
@@ -119,9 +121,9 @@
         DB_PASSWORD = os.environ.get("DB_PASSWORD") or 'weakPassword'
         DB_NAME = os.environ.get("DB_NAME") or 'jumpserver'
 
-        # Django 监听的ip和端口，生产环境推荐把0.0.0.0修改成127.0.0.1，这里的意思是允许x.x.x.x访问，127.0.0.1表示仅允许自身访问
+        # Django 监听的ip和端口
         # ./manage.py runserver 127.0.0.1:8080
-        HTTP_BIND_HOST = '127.0.0.1'
+        HTTP_BIND_HOST = '0.0.0.0'
         HTTP_LISTEN_PORT = 8080
 
         # Redis 相关设置

docs/distributed_05.rst

@@ -23,9 +23,11 @@
     # 安装依赖包
     $ yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git
 
-    # 设置防火墙，开放 2222 5000 端口
-    $ firewall-cmd --zone=public --add-port=2222/tcp --permanent
-    $ firewall-cmd --zone=public --add-port=5000/tcp --permanent
+    # 设置防火墙，开放 2222 5000 端口 给 nginx 和 jumpserver 访问
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.11" port protocol="tcp" port="2222" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.100" port protocol="tcp" port="2222" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.11" port protocol="tcp" port="5000" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.100" port protocol="tcp" port="5000" accept"
     $ firewall-cmd --reload
 
     # 安装 docker
@@ -40,7 +42,7 @@
     $ docker run --name jms_coco -d \
         -p 2222:2222 \
         -p 5000:5000 \
-        -e CORE_HOST=http://192.168.100.11 \
+        -e CORE_HOST=http://192.168.100.11:8080 \
         wojiushixiaobai/coco:1.4.3
 
     # 访问 http://192.168.100.100/terminal/terminal/ 接受 coco 注册
@@ -51,14 +53,16 @@
 
 ::
 
-    $ firewall-cmd --zone=public --add-port=2223/tcp --permanent
-    $ firewall-cmd --zone=public --add-port=5001/tcp --permanent
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.11" port protocol="tcp" port="2223" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.100" port protocol="tcp" port="2223" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.11" port protocol="tcp" port="5001" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.100" port protocol="tcp" port="5001" accept"
     $ firewall-cmd --reload
 
     $ docker run --name jms_coco1 -d \
         -p 2223:2222 \
         -p 5001:5000 \
-        -e CORE_HOST=http://192.168.100.11 \
+        -e CORE_HOST=http://192.168.100.11:8080 \
         wojiushixiaobai/coco:1.4.3
 
     # 访问 http://192.168.100.100/terminal/terminal/ 接受 coco 注册

docs/distributed_06.rst

@@ -23,10 +23,9 @@
     # 安装依赖包
     $ yum install -y yum-utils device-mapper-persistent-data lvm2
 
-    # 设置 selinux 与 防火墙
-    $ setenforce 0
-    $ sed -i "s/enforcing/disabled/g" `grep enforcing -rl /etc/selinux/config`
-    $ firewall-cmd --zone=public --add-port=8081/tcp --permanent
+    # 设置防火墙，开放 8081 端口 给 nginx 和 jumpserver 访问
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.11" port protocol="tcp" port="8081" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.100" port protocol="tcp" port="8081" accept"
     $ firewall-cmd --reload
 
     # 安装 docker
@@ -39,9 +38,9 @@
 
     # 通过 docker 部署
     $ docker run --name jms_guacamole -d \
-        -p 8081:8080 \
+        -p 8081:8081 \
         -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
-        -e JUMPSERVER_SERVER=http://192.168.100.11 \
+        -e JUMPSERVER_SERVER=http://192.168.100.11:8080 \
         wojiushixiaobai/guacamole:1.4.3
 
     # 访问 http://192.168.100.100/terminal/terminal/ 接受 guacamole 注册
@@ -52,12 +51,13 @@
 
 ::
 
-    $ firewall-cmd --zone=public --add-port=8082/tcp --permanent
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.11" port protocol="tcp" port="8082" accept"
+    $ firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.100.100" port protocol="tcp" port="8082" accept"
     $ firewall-cmd --reload
     $ docker run --name jms_guacamole1 -d \
-        -p 8082:8080 \
+        -p 8082:8081 \
         -e JUMPSERVER_KEY_DIR=/config/guacamole/key \
-        -e JUMPSERVER_SERVER=http://192.168.100.11 \
+        -e JUMPSERVER_SERVER=http://192.168.100.11:8080 \
         wojiushixiaobai/guacamole:1.4.3
 
     # 访问 http://192.168.100.100/terminal/terminal/ 接受 guacamole 注册