簡介

項目中需要用到堡壘機功能，調研了一大圈，發(fā)現(xiàn)了Apache Guacamole這個開源項目。

Apache Guacamole 是一個無客戶端的遠程桌面網(wǎng)關，它支持眾多標準管理協(xié)議，例如 VNC(RFB)，RDP，SSH 等等。該項目是Apache基金會旗下的一個開源項目，也是一個較高標準，并具有廣泛應用前景的項目。

當Guacamole被部署在服務器上后，用戶通過瀏覽器即可訪問已經(jīng)開啟 VNC(RFB)，RDP，SSH 等遠程管理服務的主機，屏蔽用戶使用環(huán)境差異，跨平臺，另外由于Guacamole本身被設計為一種代理工作模型，方便對用戶集中授權監(jiān)控等管理，，也被眾多堡壘機項目所集成，例如‘jumpserver’，‘next-terminal’。

Guacamole項目的主頁如下：

Apache Guacamole?

Guacamole項目的架構如下圖：

包括了guacd、guacamole、前端頁面等幾個模塊。

其中，guacd是由C語言編寫，接受并處理guacamole發(fā)送來的請求，然后翻譯并轉換這個請求，動態(tài)的調用遵循那些標準管理協(xié)議開發(fā)的開源客戶端，例如FreeRDP，libssh2，LibVNC，代為連接Remote Desktops，最后回傳數(shù)據(jù)給guacamole，guacamole回傳數(shù)據(jù)給web browser。

guacamole是web工程，包含了java后端服務和angular前端頁面， 通過servlet或websocket與前端界面交互，通過tcp與guacd交互。同時集成了用戶管理、權限驗證、數(shù)據(jù)管理等各種功能。這塊的模塊組成如下：

?我們項目中有很多自己的業(yè)務需求和界面需求，所以，Web這塊決定不用開源自帶的后端和界面，自己開發(fā)。基于guacamole-common和js庫進行二次開發(fā)。

SpringBoot集成

POM：包含了guacamole-common、guacamole-common-js，以及servlet、websocket等。

<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-websocket</artifactId> </dependency><dependency><groupId>javax.servlet</groupId><artifactId>servlet-api</artifactId><version>2.5</version><scope>provided</scope> </dependency> <dependency><groupId>javax.websocket</groupId><artifactId>javax.websocket-api</artifactId><version>1.0</version><scope>provided</scope> </dependency><dependency><groupId>org.apache.guacamole</groupId><artifactId>guacamole-common</artifactId><version>1.5.1</version> </dependency> <dependency><groupId>org.apache.guacamole</groupId><artifactId>guacamole-ext</artifactId><version>1.5.1</version> </dependency><dependency><groupId>org.apache.guacamole</groupId><artifactId>guacamole-common-js</artifactId><version>1.5.1</version><type>zip</type><scope>runtime</scope> </dependency>

可以通過servlet或websocket兩種方式進行集成，推薦采用websocket方式，性能更好。

配置文件application.yml

server:port: 8080servlet:context-path: /spring:servlet:multipart:enabled: falsemax-file-size: 1024MBdatasource:url: jdbc:mysql://127.0.0.1:3306/guac?useSSL=false&useUnicode=true&characterEncoding=UTF-8&serverTimezone=GMT%2b8username: rootpassword: 123456driver-class-name: com.mysql.cj.jdbc.Drivermybatis-plus:mapper-locations: classpath:mapper/*.xmlguacamole:ip: 192.168.110.2port: 4822

WebSocket方式

從GuacamoleWebSocketTunnelEndpoint中繼承類，重載createTunnel方法。

@ServerEndpoint(value = "/webSocket", subprotocols = "guacamole") @Component public class WebSocketTunnel extends GuacamoleWebSocketTunnelEndpoint {private String uuid;private static IDeviceLoginInfoService deviceLoginInfoService;private static String guacIp;private static Integer guacPort;private GuacamoleTunnel guacamoleTunnel;// websocket中，自動注入及綁定配置項必須用這種方式@Autowiredpublic void setDeviceListenerService(IDeviceLoginInfoService deviceListenerService) {WebSocketTunnel.deviceLoginInfoService = deviceListenerService;}@Value("${guacamole.ip}")public void setGuacIp(String guacIp) {WebSocketTunnel.guacIp = guacIp;}@Value("${guacamole.port}")public void setGuacPort(Integer guacPort) {WebSocketTunnel.guacPort = guacPort;}@Overrideprotected GuacamoleTunnel createTunnel(Session session, EndpointConfig endpointConfig) throws GuacamoleException {//從session中獲取傳入?yún)?shù)Map<String, List<String>> map = session.getRequestParameterMap();DeviceLoginInfoVo loginInfo = null;String did = map.get("did").get(0);tid = map.get("tid").get(0);tid = tid.toLowerCase();// 根據(jù)傳入?yún)?shù)從數(shù)據(jù)庫中查找連接信息loginInfo = deviceLoginInfoService.getDeviceLoginInfo(did, tid);if(loginInfo != null) {loginInfo.setPort(opsPort);}if(loginInfo != null) {//String wid = (map.get("width")==null) ? "1413" : map.get("width").get(0);//String hei = (map.get("height")==null) ? "925" : map.get("height").get(0);String wid = "1412";String hei = "924";GuacamoleConfiguration configuration = new GuacamoleConfiguration();configuration.setParameter("hostname", loginInfo.getIp());configuration.setParameter("port", loginInfo.getPort().toString());configuration.setParameter("username", loginInfo.getUser());configuration.setParameter("password", loginInfo.getPassword());if(tid.equals("ssh")) {configuration.setProtocol("ssh"); // 遠程連接協(xié)議configuration.setParameter("width", wid);configuration.setParameter("height", hei);configuration.setParameter("color-scheme", "white-black");//configuration.setParameter("terminal-type", "xterm-256color");//configuration.setParameter("locale", "zh_CN.UTF-8");configuration.setParameter("font-name", "Courier New");configuration.setParameter("enable-sftp", "true");}else if(tid.equals("vnc")){configuration.setProtocol("vnc"); // 遠程連接協(xié)議configuration.setParameter("width", wid);configuration.setParameter("height", hei);}else if(tid.equals("rdp")) {configuration.setProtocol("rdp"); // 遠程連接協(xié)議configuration.setParameter("ignore-cert", "true");if(loginInfo.getDomain() !=null) {configuration.setParameter("domain", loginInfo.getDomain());}configuration.setParameter("width", wid);configuration.setParameter("height", hei);}GuacamoleClientInformation information = new GuacamoleClientInformation();information.setOptimalScreenHeight(Integer.parseInt(hei));information.setOptimalScreenWidth(Integer.parseInt(wid));GuacamoleSocket socket = new ConfiguredGuacamoleSocket(new InetGuacamoleSocket(guacIp, guacPort),configuration, information);GuacamoleTunnel tunnel = new SimpleGuacamoleTunnel(socket);guacamoleTunnel = tunnel;return tunnel;}return null;} }

Servlet方式

從GuacamoleHTTPTunnelServlet類繼承，重載doConnect方法

@WebServlet(urlPatterns = "/tunnel") public class HttpTunnelServlet extends GuacamoleHTTPTunnelServlet {@ResourceIDeviceLoginInfoService deviceLoginInfoService;@Value("${guacamole.ip}")private String guacIp;@Value("${guacamole.port}")private Integer guacPort;@Overrideprotected GuacamoleTunnel doConnect(HttpServletRequest request) throws GuacamoleException {//從HttpServletRequest獲取請求參數(shù)String did = request.getParameter("did");String tid = request.getParameter("tid");tid = tid.toLowerCase();//根據(jù)參數(shù)從數(shù)據(jù)庫中查找連接信息，主機ip、端口、用戶名、密碼等DeviceLoginInfoVo loginInfo = deviceLoginInfoService.getDeviceLoginInfo(did, tid);if(loginInfo != null) {GuacamoleConfiguration configuration = new GuacamoleConfiguration();configuration.setParameter("hostname", loginInfo.getIp());configuration.setParameter("port", loginInfo.getPort().toString());configuration.setParameter("username", loginInfo.getUser());configuration.setParameter("password", loginInfo.getPassword());if(tid.equals("ssh")) {configuration.setProtocol("ssh"); // 遠程連接協(xié)議}else if(tid.equals("vnc")){configuration.setProtocol("vnc"); // 遠程連接協(xié)議}else if(tid.equals("rdp")) {configuration.setProtocol("rdp"); // 遠程連接協(xié)議configuration.setParameter("ignore-cert", "true");if(loginInfo.getDomain() != null) {configuration.setParameter("domain", loginInfo.getDomain());}configuration.setParameter("width", "1024");configuration.setParameter("height", "768");}GuacamoleSocket socket = new ConfiguredGuacamoleSocket(new InetGuacamoleSocket(guacIp, guacPort),configuration);GuacamoleTunnel tunnel = new SimpleGuacamoleTunnel(socket);return tunnel;}return null;} }

前端頁面

我用的是最基本的html+js

<!DOCTYPE HTML> <html> <head><meta charset="UTF-8"><link rel="stylesheet" type="text/css" href="guacamole.css"/><title>guac</title><style></style> </head> <body> <div id="mainapp"><!-- Display --><div id="display"></div> </div><!-- Guacamole JavaScript API --> <script type="text/javascript" src="guacamole-common-js/all.js"></script> <script type="text/javascript">function getUrlParam(name) {var reg = new RegExp("(^|&)" + name + "=([^&]*)(&|$)");var r = window.location.search.substr(1).match(reg);if(r != null) {return decodeURI(r[2]);}return null;}var user = getUrlParam('user');var devid = getUrlParam('did');var typeid= getUrlParam('tid');// var width = getUrlParam('width');// var height = getUrlParam('height');// Get display div from documentvar display = document.getElementById("display");var uuid;var tunnel = new Guacamole.ChainedTunnel(new Guacamole.WebSocketTunnel("webSocket"));var guac = new Guacamole.Client(tunnel);// Add client to display divdisplay.appendChild(guac.getDisplay().getElement());tunnel.onuuid = function(id) {uuid = id;}// Connectguac.connect('did='+devid+'&tid='+typeid+'&user='+user);// Disconnect on closewindow.onunload = function() {guac.disconnect();}// Mousevar mouse = new Guacamole.Mouse(guac.getDisplay().getElement());mouse.onmousedown =mouse.onmousemove = function(mouseState) {guac.sendMouseState(mouseState);};mouse.onmouseup = function(mouseState) {vueapp.showfile = false;guac.sendMouseState(mouseState);};// Keyboardvar keyboard = new Guacamole.Keyboard(document);keyboard.onkeydown = function (keysym) {guac.sendKeyEvent(1, keysym);};keyboard.onkeyup = function (keysym) {guac.sendKeyEvent(0, keysym);};function setWin() {let width = window.document.body.clientWidth;let height = window.document.body.clientHeight;guac.sendSize(1412, 924);scaleWin();}function handleMouseEvent(event) {// Do not attempt to handle mouse state changes if the client// or display are not yet availableif(!guac || !guac.getDisplay())return;event.stopPropagation();event.preventDefault();// Send mouse state, show cursor if necessaryguac.getDisplay().showCursor(true);};// Forward all mouse interaction over Guacamole connectionmouse.onEach(['mousemove'], handleMouseEvent);// Hide software cursor when mouse leaves displaymouse.on('mouseout', function hideCursor() {guac.getDisplay().showCursor(false);display.style.cursor = 'initial';});guac.getDisplay().getElement().addEventListener('mouseenter', function (e) {display.style.cursor = 'none';}); </script> </body> </html>

將頁面放在Springboot項目的resource下的static下，啟動程序，通過地址

http://ip:8080?did=1&tid=ssh訪問，可以打開遠程桌面。

可以看出guacamole-common和guacamole-common-js已經(jīng)做了很好的封裝，對于SSH、VNC、RDP這幾種遠程方式，可以很簡單的實現(xiàn)。

接下來，SFTP的實現(xiàn)較為復雜，需要對SFTP上傳下載的流程及guacamole封裝的協(xié)議有較好的了解，才能實現(xiàn)。另外對于錄屏及錄屏的播放，因為我們的項目中需要把guac和java后端分開兩臺服務器部署，所以也要有點工作要做。這兩部分內容見下一篇博文。

總結

以上是生活随笔為你收集整理的开源堡垒机Guacamole二次开发记录之一的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內容還不錯，歡迎將生活随笔推薦給好友。