Sign in Subscribe
Tech

JumpServer - A Bastion Host in Multi-Cloud Environment

A professional operation and maintenance security audit system that complies with 4A specifications

Henry

3 min read
JumpServer - A Bastion Host in Multi-Cloud Environment

1. Background

JumpServer is a system on a network used to access and manage devices in a separate security zone. It’s a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them.
Official Repo: JumpServer

2. JumpServer Setup

  • Prerequisites
apt -y update
apt -y install curl nginx python3-certbot-nginx
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
  • Clone the repo
cd /your/path
git clone --depth=1 https://github.com/jumpserver/Dockerfile.git
  • Edit .env file
mv Dockerfile jumpserver
cd jumpserver
cp config_example.conf .env
nano .env

In this case, since I’d like to use Nginx reverse proxy, I will not expose localhost port 80 directly. Instead, I will have it mapped to another port.

HTTP_PORT=33333

Note: Make sure to allow firewall on ports 80, 443, 2222

  • Initial DB
docker compose -f docker-compose-network.yml -f docker-compose-redis.yml -f docker-compose-mariadb.yml -f docker-compose-init-db.yml up -d
  • Upgrade DB
docker exec -i jms_core bash -c './jms upgrade_db'
  • Bring up the container
docker compose -f docker-compose-network.yml -f docker-compose-redis.yml -f docker-compose-mariadb.yml -f docker-compose.yml up -d

Now you have finished setting up JumpServer. The service is now running on localhost:33333 and the persistent volume is on /opt/jumpserver.

3. Nginx Setup

  • Create Nginx conf file for JumpServer
nano /etc/nginx/conf.d/jumpserver.conf

server {
    listen 80;
    server_name jumpserver.example.com;
    client_max_body_size 0;

    location / {
        proxy_pass http://127.0.0.1:33333;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
  • Issue SSL cert
certbot --nginx

Restart Nginx

nginx -t
systemctl restart nginx

4. Post Setups

  • The default admin credential is admin/admin. Change it immediately once you login.
  • Create System Users - Admin User. Username and credential (keyfile) matches the credential of the remote server you want to login.
JumpServer screenshot 1
  • Add Assets. Choose the Admin User you just created last step as the Admin User under Auth.
JumpServer screenshot 2
JumpServer screenshot 3
  • After that, you can have a brief review of the remote server.
JumpServer screenshot 4
  • Add Permissions (You may want to create some non-admin user under Users - Users, for regular login). You can add permission either by user or by group
JumpServer screenshot 5
JumpServer screenshot 6
  • Now you can login as a common user and check the assets. Then login to your remote server.

Copyright statement: Unless otherwise stated, all articles on this blog adopt the CC BY-NC-SA 4.0 license agreement. For non-commercial reprints and citations, please indicate the author: Henry, and original article URL. For commercial reprints, please contact the author for authorization.