安全 on Kang's Blog

屏蔽国外IP访问服务器完整指南

Wed, 01 Jan 2025 00:00:00 +0000

为什么需要屏蔽国外IP

公网服务器面临的安全威胁日益严峻：

互联网上有大量扫描器24小时不间断扫描服务器，试图获取权限控制您的系统
服务器日志分析表明大多数攻击来源于国外服务器，如荷兰、美国、新加坡、日本等国家
不论是云服务器还是IDC机房托管的服务器，只要对外提供服务就会暴露端口，增加安全风险

解决方案概述

对于主要面向国内用户的服务，我们可以通过屏蔽国外IP访问来显著提升安全性。

技术原理

Iptables：Linux系统防火墙工具，用于过滤和拦截请求
Ipset模块：Iptables的扩展，支持高效匹配大批量IP地址段
IPdeny：提供定期更新的全球IP地址分配数据

实现思路

收集并整理国内IP地址段到Ipset中
配置Iptables调用Ipset模块检查来源IP
允许国内IP访问，拒绝国外IP连接

完整实施步骤

本指南基于CentOS 7.6环境，不同Linux版本的命令可能有所差异

安装必要工具

1
2

# 如果尚未安装ipset
yum install -y ipset

创建IP地址集合

下载中国IP地址段

`1`	`wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone`

转换为Ipset指令

1
2

for i in `cat cn.zone`; do echo "ipset add china $i" >>ipset_result.sh; done
chmod +x ipset_result.sh

创建并填充Ipset集合

# 创建china集合
ipset create china hash:net hashsize 10000 maxelem 1000000

# 添加局域网IP地址段
echo "ipset add china 10.0.0.0/8" >> ipset_result.sh
echo "ipset add china 172.0.0.0/8" >> ipset_result.sh
echo "ipset add china 192.0.0.0/8" >> ipset_result.sh

# 执行脚本添加IP段
bash ipset_result.sh

验证IP集合

1
2

ipset list china
ipset list china | wc -l  # 应有约8000多条数据

配置Iptables规则

# 清除现有规则（如果需要）
iptables -F
iptables -X

# 创建基本规则
cat > /etc/sysconfig/iptables << EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# 如需开放其他端口，请在此添加规则
# 例如: -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -m set ! --match-set china src -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# 应用规则
iptables-restore < /etc/sysconfig/iptables

确保配置持久化

为防止服务器重启后配置丢失，需要进行持久化设置：

持久化Ipset数据

# 保存Ipset数据
ipset save china > /etc/ipset.conf

# 配置启动时加载
chmod +x /etc/rc.d/rc.local
echo "ipset restore < /etc/ipset.conf" >> /etc/rc.d/rc.local

持久化Iptables规则

1
2

# 配置启动时加载
echo "/usr/sbin/iptables-restore < /etc/sysconfig/iptables" >> /etc/rc.d/rc.local

自动更新IP地址段

为确保IP地址段保持最新，可以设置定期更新：

# 创建每周自动更新脚本
cat > /usr/local/bin/update_cn_ip.sh << EOF
#!/bin/bash
wget -O /tmp/cn.zone http://www.ipdeny.com/ipblocks/data/countries/cn.zone
ipset flush china
for ip in \$(cat /tmp/cn.zone); do ipset add china \$ip; done
# 添加局域网IP段
ipset add china 10.0.0.0/8
ipset add china 172.0.0.0/8
ipset add china 192.0.0.0/8
# 更新持久化文件
ipset save china > /etc/ipset.conf
EOF

chmod +x /usr/local/bin/update_cn_ip.sh

# 添加每周执行的定时任务
echo "0 0 * * 1 /usr/local/bin/update_cn_ip.sh" > /etc/cron.d/update_cn_ip

验证与故障排除

测试配置

# 检查Ipset集合
ipset list china

# 检查Iptables规则
iptables -L -n

# 测试国内IP访问（应该可以访问）
# 测试国外IP访问（应该被阻止）

常见问题解决

无法SSH连接：确保在添加拦截规则前先添加了SSH端口规则
局域网访问受限：检查是否添加了私有IP段到china集合
配置未持久化：检查rc.local文件权限和脚本内容

结论

通过屏蔽国外IP访问，我们可以大幅降低服务器被攻击的风险，特别适合主要面向国内用户的服务。需要注意的是，此方法可能会影响到海外用户的合法访问，请根据实际业务需求进行调整。

Kubernetes ingress-nginx 服务证书配置指南

Mon, 16 Dec 2024 00:00:00 +0000

使用 Ingress | Kubernetes 作为 K8s 的应用流量转发代理，并配置证书

服务部署

由于使用的 K8S 集群并非云服务商提供的，需要使用 ingress-nginx 的 LoadBalancer 类型服务的话，先部署 metallb，MetalLB 是裸机 Kubernetes 集群的负载均衡器实现，使用标准路由协议。

部署 MetalLB

# see what changes would be made, returns nonzero returncode if different
kubectl get configmap kube-proxy -n kube-system -o yaml | \
sed -e "s/strictARP: false/strictARP: true/" | \
kubectl diff -f - -n kube-system

# actually apply the changes, returns nonzero returncode on errors only
kubectl get configmap kube-proxy -n kube-system -o yaml | \
sed -e "s/strictARP: false/strictARP: true/" | \
kubectl apply -f - -n kube-system

`1`	`kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.14.8/config/manifests/metallb-native.yaml`

ip-pool.yaml 创建 IP 池：

apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: default
  namespace: metallb-system
spec:
  addresses:
  - 172.16.0.90/32  # 由于是裸机集群，需要手动指定 IP 地址
  autoAssign: true
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: default
  namespace: metallb-system
spec:
  ipAddressPools:
  - default

`1`	`kubectl apply -f ip-pool.yaml`

部署 ingress-nginx

`1`	`kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/cloud/deploy.yaml`

配置证书

下面介绍 3 种方式配置证书：分别是手动申请自签名证书、手动申请受信任证书、使用 cert-manager 申请证书

手动申请自签名证书

申请证书，可以使用 OpenSSL，也可以使用其他工具 tls.crt 证书文件、tls.key 私钥文件，base64 编码后的内容，可以定制证书的相关信息：国家、省、市、公司、部门、域名、有效时间等

# 生成私钥
openssl genrsa -out tls.key 2048 # 生成私钥文件 tls.key

# 生成证书请求
openssl req -new -key tls.key -out tls.csr -subj "/C=<country>/ST=<province>/L=<city>/O=<company>/OU=<department>/CN=<domain>" # 生成证书请求文件 tls.csr

# 生成证书
openssl x509 -req -in tls.csr -signkey tls.key -out tls.crt -days 3650 # 生成证书文件 tls.crt

# 查看证书信息
openssl x509 -in tls.crt -text -noout

test-ingress.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: test-ingress


---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service1
  namespace: test-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service1
  template:
    metadata:
      labels:
        app: service1
    spec:
      containers:
      - name: service1
        image: nginx:alpine


---
apiVersion: v1
kind: Service
metadata:
  name: service1
  namespace: test-ingress
spec:
  selector:
    app: service1
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80


# letsencrypt 证书，手动创建
---
apiVersion: v1
kind: Secret
metadata:
  name: <domain>
  namespace: test-ingress
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls


---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: test-ingress
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - <domain>
      secretName: <secret name>
  rules:
    - host: <domain>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service1
                port:
                  number: 80

`1`	`kubectl apply -f test-ingress.yaml`

手动申请受信任证书

申请证书，可以使用 Let’s Encrypt，也可以使用其他证书颁发机构 tls.crt 证书文件、tls.key 私钥文件，base64 编码后的内容，默认有效时间 90 天

test-ingress.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: test-ingress


---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service1
  namespace: test-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service1
  template:
    metadata:
      labels:
        app: service1
    spec:
      containers:
      - name: service1
        image: nginx:alpine


---
apiVersion: v1
kind: Service
metadata:
  name: service1
  namespace: test-ingress
spec:
  selector:
    app: service1
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80


# letsencrypt 证书，手动创建
---
apiVersion: v1
kind: Secret
metadata:
  name: <domain>
  namespace: test-ingress
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls


---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: test-ingress
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - <domain>
      secretName: <secret name>
  rules:
    - host: <domain>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service1
                port:
                  number: 80

`1`	`kubectl apply -f test-ingress.yaml`

使用 cert-manager 申请证书

cert-manager 是一个 Kubernetes 证书管理控制器，基于 Kubernetes 的 CustomResourceDefinitions 资源，提供了证书申请、颁发、更新、删除等功能下面介绍如何使用 cert-manager 申请证书，三种方式：SelfSigned Issuer 类型证书、ACME Issuer 类型证书、CA Issuer 类型证书

安装 cert-manager

`1`	`kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml`

默认情况下，cert-manager 将安装到 cert-manager 命名空间中。可以在不同的命名空间中运行证书管理器，尽管需要对部署清单进行修改。

安装证书管理器后，可以通过检查运行Pod的证书管理器命名空间来验证它是否正确部署：

$ kubectl get pods --namespace cert-manager

NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-cainjector-5fd6444f95-kmbmd   1/1     Running   0          60m
cert-manager-d894bbbd4-lrwp5               1/1     Running   0          60m
cert-manager-webhook-869674f96f-ljffr      1/1     Running   0          60m

配置 SelfSigned Issuer 类型证书

test-ingress.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: test-ingress


---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service1
  namespace: test-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service1
  template:
    metadata:
      labels:
        app: service1
    spec:
      containers:
      - name: service1
        image: nginx:alpine


---
apiVersion: v1
kind: Service
metadata:
  name: service1
  namespace: test-ingress
spec:
  selector:
    app: service1
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80


# SelfSigned 证书 100 年，自动创建
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
  namespace: test-ingress
spec:
  selfSigned: {}

# SelfSigned 证书 100 年，自动创建
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <domain>
  namespace: test-ingress
spec:
  secretName: <secret name>
  duration: 876000h  # 100 years
  renewBefore: 720h  # 在证书过期前 30 天自动续签
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
  commonName: <domain>
  subject:
    organizations:
      - <company>
    organizationalUnits:
      - <department>
  isCA: true
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048


---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: test-ingress
  annotations:
    cert-manager.io/cluster-issuer: selfsigned-issuer
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - <domain>
      secretName: <secret name>
  rules:
    - host: <domain>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service1
                port:
                  number: 80

`1`	`kubectl apply -f test-ingress.yaml`

ACME（Automated Certificate Management Environment）是一种协议，用于自动化证书颁发和更新。ACME协议由IETF标准化，目前最常见的实现是Let’s Encrypt。ACME协议的一个关键特性是，它允许证书颁发机构（CA）在不需要人工干预的情况下验证证书请求者的身份。ACME 协议的另一个关键特性是，它允许证书颁发机构自动更新证书，而无需人工干预。颁发者类型表示在自动证书管理环境（ACME）证书颁发机构服务器上注册的单个帐户。创建新的ACME颁发者时，证书管理器将生成一个私钥，用于在ACME服务器上识别。默认情况下，公共ACME服务器颁发的证书通常由客户端的计算机信任。这意味着，例如，访问由为该URL颁发的ACME证书支持的网站，默认情况下会被大多数客户端的web浏览器信任。ACME证书通常是免费的。

配置 ACME Issuer http01 类型证书

HTTP01 质询是通过展示一个计算出的密钥来完成的，这个密钥需要出现在一个可通过互联网访问的 HTTP URL 端点上。这个 URL 将使用申请证书的域名。一旦 ACME 服务器能够通过互联网从这个 URL 获取到这个密钥，就能验证你是该域名的拥有者。当创建 HTTP01 质询时，cert-manager 会自动配置你的集群入口（ingress），将访问这个 URL 的流量路由到一个小型的网络服务器上，由它展示该密钥。通俗的说，就是 cert-manager 会自动创建 ingress 路由到一个小型的网络服务器上，由它展示该密钥，以验证你是该域名的拥有者。

fake 证书一年，自动创建：kubernetes ingress controller fake cert

test-ingress.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: test-ingress


---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service1
  namespace: test-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service1
  template:
    metadata:
      labels:
        app: service1
    spec:
      containers:
      - name: service1
        image: nginx:alpine


---
apiVersion: v1
kind: Service
metadata:
  name: service1
  namespace: test-ingress
spec:
  selector:
    app: service1
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80

# ACME 证书，自动创建
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: sencrypt-prod
  namespace: test-ingress
spec:
  acme:
    email: CoderKang@hotmail.com
    privateKeySecretRef:
      name: sencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - http01:
          ingress:
            class: nginx


---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: test-ingress
  annotations:
    cert-manager.io/cluster-issuer: sencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - test.example.com
      secretName: example-com
  rules:
    - host: test.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service1
                port:
                  number: 80

`1`	`kubectl apply -f test-ingress.yaml`

配置 ACME Issuer dns01 类型证书

DNS01 质询是通过提供一个存在于 DNS TXT 记录中的计算密钥来完成的。一旦这个 TXT 记录在互联网中传播开，ACME 服务器就能通过 DNS 查询成功获取该密钥，并验证申请证书的客户端是该域名的拥有者。如果拥有正确的权限，cert-manager 会自动在你指定的 DNS 服务提供商处添加这个 TXT 记录。

但是此次使用的是腾讯云 DNS 服务商，cert-manager 默认不支持腾讯云 DNS 服务商，需要自定义解析器 cert-manager webhook

DNS01 - cert-manager Documentation

`1`	`kubectl apply -f https://raw.githubusercontent.com/imroc/cert-manager-webhook-dnspod/master/bundle.yaml`

test-ingress.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: test-ingress


---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service1
  namespace: test-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service1
  template:
    metadata:
      labels:
        app: service1
    spec:
      containers:
      - name: service1
        image: nginx:alpine


---
apiVersion: v1
kind: Service
metadata:
  name: service1
  namespace: test-ingress
spec:
  selector:
    app: service1
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80


# letsencrypt 自动创建，有效期 90 天
# 配置腾讯云 DNS 服务商的 SecretId 和 SecretKey
# https://console.dnspod.cn/account/token/apikey
---
apiVersion: v1
stringData:
  secret-key: <tencent cloud secret key>  # 腾讯云 SecretKey
kind: Secret
metadata:
  name: dnspod-secret
  namespace: cert-manager
type: Opaque

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: sencrypt-prod
  namespace: test-ingress
spec:
  acme:
    email: CoderKang@hotmail.com
    preferredChain: ""
    privateKeySecretRef:
      name: dnspod-letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          webhook:
            config:
              secretId: <tencent cloud secret id>  # 腾讯云 SecretId
              secretKeyRef:
                key: secret-key
                name: dnspod-secret
              ttl: 600
            groupName: acme.imroc.cc
            solverName: dnspod

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: test-ingress
spec:
  dnsNames:
    - test.example.com
  issuerRef:
    kind: ClusterIssuer
    name: sencrypt-prod
  secretName: example-com

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: test-ingress
  annotations:
    cert-manager.io/cluster-issuer: sencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - test.example.com
      secretName: example-com
  rules:
    - host: test.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service1
                port:
                  number: 80

`1`	`kubectl apply -f test-ingress.yaml`

Kubernetes 部署 JumpServer 与钉钉告警集成指南

Tue, 19 Nov 2024 00:00:00 +0000

ingress

需要搭建 ingress（详见13-K8s ingress-nginx 服务证书）并开启 TCP 转发（详见23-K8s ingress TCP 转发）。

jumpserver

“安装”

`1`	`helm install jms-k8s ./jumpserver-v4.6.0 -n jumpserver --create-namespace -f values.yaml`

“更新”

`1`	`helm upgrade jms-k8s ./jumpserver-v4.6.0 -n jumpserver --create-namespace -f values.yaml`

“卸载”
1

helm -n jumpserver delete jms-k8s

core 组件镜像

修改 core 组件，支持钉钉告警

docker pull docker.1ms.run/jumpserver/core:v4.6.0-ce

cd core
docker build -t jumpserver/core:v4.6.1-ce .

“Dockerfile”

1
2
3

FROM docker.1ms.run/jumpserver/core:v4.6.0-ce

COPY ./notifications.py /opt/jumpserver/apps/notifications/notifications.py

“notifications.py”

import textwrap
import time
import traceback
from itertools import chain

from celery import shared_task
from django.utils.translation import gettext_lazy as _
from html2text import HTML2Text

from common.utils import lazyproperty
from common.utils.timezone import local_now
from notifications.backends import BACKEND
from settings.utils import get_login_title
from terminal.const import RiskLevelChoices
from users.models import User
from .models import SystemMsgSubscription, UserMsgSubscription

__all__ = ('SystemMessage', 'UserMessage', 'system_msgs', 'Message')

system_msgs = []
user_msgs = []


class MessageType(type):
	def __new__(cls, name, bases, attrs: dict):
		clz = type.__new__(cls, name, bases, attrs)

		if 'message_type_label' in attrs \
				and 'category' in attrs \
				and 'category_label' in attrs:
			message_type = clz.get_message_type()

			msg = {
				'message_type': message_type,
				'message_type_label': attrs['message_type_label'],
				'category': attrs['category'],
				'category_label': attrs['category_label'],
			}
			if issubclass(clz, SystemMessage):
				system_msgs.append(msg)
			elif issubclass(clz, UserMessage):
				user_msgs.append(msg)

		return clz


@shared_task(
	verbose_name=_('Publish the station message'),
	description=_(
		"""This task needs to be executed for sending internal messages for system alerts, 
		work orders, and other notifications"""
	)
)
def publish_task(receive_user_ids, backends_msg_mapper):
	Message.send_msg(receive_user_ids, backends_msg_mapper)


def send_dingtalk_task(message):
	# 发送到自定义的 Webhook
	import hmac, hashlib, base64, urllib.parse
	timestamp = str(round(time.time() * 1000))
	# JumpServer
	access_token = '<access token>'
	secret = '<secret>'

	# smartvision
	secret_enc = secret.encode('utf-8')
	string_to_sign = '{}\n{}'.format(timestamp, secret)
	string_to_sign_enc = string_to_sign.encode('utf-8')
	hmac_code = hmac.new(secret_enc, string_to_sign_enc, digestmod=hashlib.sha256).digest()
	sign = urllib.parse.quote_plus(base64.b64encode(hmac_code))
	form_data = {
		"msgtype": "markdown",
		"markdown": {
			"title": "JumpServer 监控报警",
			"text": message
		},
		"at": {
			"atMobiles": [
				"<mobile>"
			],
			"isAtAll": False
		}
	}
	import requests
	try:
		res = requests.post(
			url=f'https://oapi.dingtalk.com/robot/send?access_token={access_token}&timestamp={timestamp}&sign={sign}',
			json=form_data)
	except Exception as e:
		with open('/opt/error.log', 'a+') as f:
			f.write(str(e))


class Message(metaclass=MessageType):
	"""
	这里封装了什么？
		封装不同消息的模板，提供统一的发送消息的接口
		- publish 该方法的实现与消息订阅的表结构有关
		- send_msg
	"""
	message_type_label: str
	category: str
	category_label: str
	text_msg_ignore_links = True
	command = None

	@classmethod
	def get_message_type(cls):
		return cls.__name__

	def publish_async(self):
		self.publish(is_async=True)

	@classmethod
	def gen_test_msg(cls):
		raise NotImplementedError

	def publish(self, is_async=False):
		raise NotImplementedError

	def get_backend_msg_mapper(self, backends):
		backends = set(backends)
		backends.add(BACKEND.SITE_MSG)  # 站内信必须发
		backends_msg_mapper = {}
		for backend in backends:
			backend = BACKEND(backend)
			if not backend.is_enable:
				continue
			get_msg_method = getattr(self, f'get_{backend}_msg', self.get_common_msg)
			msg = get_msg_method()
			backends_msg_mapper[backend] = msg
		return backends_msg_mapper

	@staticmethod
	def send_msg(receive_user_ids, backends_msg_mapper):
		for backend, msg in backends_msg_mapper.items():
			try:
				backend = BACKEND(backend)
				client = backend.client()
				users = User.objects.filter(id__in=receive_user_ids).all()
				client.send_msg(users, **msg)
			except NotImplementedError:
				continue
			except:
				traceback.print_exc()

	@classmethod
	def send_test_msg(cls, ding=True, wecom=False):
		msg = cls.gen_test_msg()
		if not msg:
			return

		from users.models import User
		users = User.objects.filter(username='admin')
		backends = []
		if ding:
			backends.append(BACKEND.DINGTALK)
		if wecom:
			backends.append(BACKEND.WECOM)
		msg.send_msg(users, backends)

	@staticmethod
	def get_common_msg() -> dict:
		return {'subject': '', 'message': ''}

	def get_html_msg(self) -> dict:
		return self.get_common_msg()

	@staticmethod
	def html_to_markdown(html_msg):
		h = HTML2Text()
		h.body_width = 0
		content = html_msg['message']
		html_msg['message'] = h.handle(content)
		return html_msg

	def get_markdown_msg(self) -> dict:
		return self.html_to_markdown(self.get_html_msg())

	def get_text_msg(self) -> dict:
		h = HTML2Text()
		h.body_width = 90
		msg = self.get_html_msg()
		content = msg['message']
		h.ignore_links = self.text_msg_ignore_links
		msg['message'] = h.handle(content)
		return msg

	@lazyproperty
	def common_msg(self) -> dict:
		return self.get_common_msg()

	@lazyproperty
	def text_msg(self) -> dict:
		msg = self.get_text_msg()
		return msg

	@lazyproperty
	def markdown_msg(self):
		return self.get_markdown_msg()

	@lazyproperty
	def get_jumpserver_dingtalk_msg(self) -> str:
		date_str = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
		msg = f"""## <font color="#FF0000">[JumpServer 监控告警](https://jumpserver.example.com/)</font>🔥
### <font color="#FF0000">告警状态</font>：{RiskLevelChoices.get_label(self.command['risk_level'])}
### <font color="#FF0000">告警主机</font>：{self.command['asset']}
### <font color="#FF0000">目标用户</font>：{self.command['user']}
### <font color="#FF0000">输入命令</font>：`{self.command['input']}`
### <font color="#FF0000">告警详情</font>：用户 {self.command['user']} 在 {self.command['asset']} 上执行了危险命令 `{self.command['input']}`，请及时处理！
### <font color="#FF0000">触发时间</font>：{date_str}"""
		return msg

	@lazyproperty
	def html_msg(self) -> dict:
		msg = self.get_html_msg()
		return msg

	@lazyproperty
	def html_msg_with_sign(self):
		msg = self.get_html_msg()
		msg['message'] = textwrap.dedent("""
		{}
		<small>
		<br />
		—
		<br />
		{}
		</small>
		""").format(msg['message'], self.signature)
		return msg

	@lazyproperty
	def text_msg_with_sign(self):
		msg = self.get_text_msg()
		msg['message'] = textwrap.dedent("""
		{}
		—
		{}
		""").format(msg['message'], self.signature)
		return msg

	@lazyproperty
	def signature(self):
		return get_login_title()

	# --------------------------------------------------------------
	# 支持不同发送消息的方式定义自己的消息内容，比如有些支持 html 标签
	def get_dingtalk_msg(self) -> dict:
		# 钉钉相同的消息一天只能发一次，所以给所有消息添加基于时间的序号，使他们不相同
		message = self.markdown_msg['message']
		time = local_now().strftime('%Y-%m-%d %H:%M:%S')
		suffix = '\n{}: {}'.format(_('Time'), time)

		return {
			'subject': self.markdown_msg['subject'],
			'message': message + suffix
		}

	def get_wecom_msg(self) -> dict:
		return self.markdown_msg

	def get_feishu_msg(self) -> dict:
		return self.markdown_msg

	def get_lark_msg(self) -> dict:
		return self.markdown_msg

	def get_email_msg(self) -> dict:
		return self.html_msg_with_sign

	def get_site_msg_msg(self) -> dict:
		return self.html_msg

	def get_slack_msg(self) -> dict:
		return self.markdown_msg

	def get_sms_msg(self) -> dict:
		return self.text_msg_with_sign

	@classmethod
	def get_all_sub_messages(cls):
		def get_subclasses(cls):
			"""returns all subclasses of argument, cls"""
			if issubclass(cls, type):
				subclasses = cls.__subclasses__(cls)
			else:
				subclasses = cls.__subclasses__()
			for subclass in subclasses:
				subclasses.extend(get_subclasses(subclass))
			return subclasses

		messages_cls = get_subclasses(cls)
		return messages_cls

	@classmethod
	def test_all_messages(cls, ding=True, wecom=False):
		messages_cls = cls.get_all_sub_messages()

		for _cls in messages_cls:
			try:
				_cls.send_test_msg(ding=ding, wecom=wecom)
			except NotImplementedError:
				continue


class SystemMessage(Message):
	def publish(self, is_async=False):
		subscription = SystemMsgSubscription.objects.get(
			message_type=self.get_message_type()
		)

		# 只发送当前有效后端
		receive_backends = subscription.receive_backends
		receive_backends = BACKEND.filter_enable_backends(receive_backends)

		users = [
			*subscription.users.all(),
			*chain(*[g.users.all() for g in subscription.groups.all()])
		]

		receive_user_ids = [u.id for u in users]
		backends_msg_mapper = self.get_backend_msg_mapper(receive_backends)
		if is_async:
			send_dingtalk_task(self.get_jumpserver_dingtalk_msg)
			# publish_task.delay(receive_user_ids, backends_msg_mapper)
		else:
			self.send_msg(receive_user_ids, backends_msg_mapper)

	@classmethod
	def post_insert_to_db(cls, subscription: SystemMsgSubscription):
		pass

	@classmethod
	def gen_test_msg(cls):
		raise NotImplementedError


class UserMessage(Message):
	user: User

	def __init__(self, user):
		self.user = user

	def publish(self, is_async=False):
		"""
		发送消息到每个用户配置的接收方式上
		"""
		sub = UserMsgSubscription.objects.get(user=self.user)
		backends_msg_mapper = self.get_backend_msg_mapper(sub.receive_backends)
		receive_user_ids = [self.user.id]
		if is_async:
			send_dingtalk_task(self.get_jumpserver_dingtalk_msg)
			# publish_task.delay(receive_user_ids, backends_msg_mapper)
		else:
			self.send_msg(receive_user_ids, backends_msg_mapper)

	@classmethod
	def get_test_user(cls):
		from users.models import User
		return User.objects.all().first()

	@classmethod
	def gen_test_msg(cls):
		raise NotImplementedError

values.yaml

```yaml
# Default values for jumpserver.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

nameOverride: ""
fullnameOverride: ""

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
## @param global.redis.password Global Redis™ password (overrides `externalRedis.password`)
##
global:
imageRegistry: docker.1ms.run
imageOwner: jumpserver
## E.g.
#  imagePullSecrets:
#  - myRegistryKeySecretName
##
imagePullSecrets: []
storageClass: ""

## Please configure your PostgreSQL server first
## Jumpserver will not start the external PostgreSQL server.
##
externalDatabase:
engine: postgresql
host: postgresql-svc.middleware.svc.cluster.local
port: 5432
user: postgres
password: "uLwHDyYr"
database: jumpserver

## Please configure your Redis server first
## Jumpserver will not start the external Redis server.
##
externalSentinel:
{}
# hosts: mymaster/localhost:26379,localhost:26380,localhost:26381
# password: ""
# socketTimeout: 5

## Sentinel or Redis one of them must be configured.

externalRedis:
host: redis-svc.middleware.svc.cluster.local
port: 6379
password: "******"

serviceAccount:
## Specifies whether a service account should be created
create: false
## The name of the service account to use.
## If not set and create is true, a name is generated using the fullname template
name:

ingress:
enabled: true
annotations:
	cert-manager.io/cluster-issuer: sencrypt-prod
	# nginx.ingress.kubernetes.io/enable-cors: "true"
	# nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, OPTIONS, PUT, DELETE"
	# nginx.ingress.kubernetes.io/cors-allow-headers: "Authorization, Content-Type"
	# nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
	# nginx.ingress.kubernetes.io/cors-allow-origin: "*"
	# kubernetes.io/tls-acme: "true"
	kubernetes.io/ingress.class: nginx
	nginx.ingress.kubernetes.io/proxy-body-size: "4096m"
	nginx.ingress.kubernetes.io/server-snippets: |
	proxy_set_header Upgrade "websocket";
	proxy_set_header Connection "Upgrade";

hosts:
	- "jumpserver.example.com"
tls:
	- hosts:
		- jumpserver.example.com
	secretName: jumpserver.example.com

core:
enabled: true

labels:
	app.jumpserver.org/name: jms-core

config:
	## Generate a new random secret key by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
	secretKey: "TAcm23tDmN9n7cVCbgkDo6ln62qTuXYDKfLFYPFLd1y7DL5cS9"
	## Generate a new random bootstrap token by execute `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 24`
	bootstrapToken: "KX8k37hBbQjmKgRDR17QF7EB"
	## Enabled it for debug
	debug: false
	log:
	level: ERROR

replicaCount: 1

image:
	registry: docker.1ms.run
	pullPolicy: IfNotPresent

env:
	## See: https://docs.jumpserver.org/zh/master/admin-guide/env/#core
	SESSION_EXPIRE_AT_BROWSER_CLOSE: true
	# SESSION_COOKIE_AGE: 86400
	# SECURITY_VIEW_AUTH_NEED_MFA: true
	## Django CSRF_TRUSTED_ORIGINS need to be set to the domain name of the jumpserver (https://docs.jumpserver.org/zh/v3/installation/upgrade_notice/)
	DOMAINS: "192.168.142.56:33380"

livenessProbe:
	initialDelaySeconds: 90
	failureThreshold: 3
	timeoutSeconds: 5
	httpGet:
	path: /api/health/
	port: web

podSecurityContext:
	{}
	# fsGroup: 2000

securityContext:
	{}
	# capabilities:
	#   drop:
	#   - ALL
	# readOnlyRootFilesystem: true
	# runAsNonRoot: true
	# runAsUser: 1000

service:
	type: ClusterIP
	web:
	port: 8080

resources:
	{}
	## We usually recommend not to specify default resources and to leave this as a conscious
	## choice for the user. This also increases chances charts run on environments with little
	## resources, such as Minikube. If you do want to specify resources, uncomment the following
	## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
	# limits:
	#   cpu: 1000m
	#   memory: 2048Mi
	# requests:
	#   cpu: 500m
	#   memory: 1024Mi

persistence:
	storageClassName: storage
	accessModes:
	- ReadWriteMany
	size: 100Gi
	annotations:
	"helm.sh/resource-policy": keep
	finalizers:
	- kubernetes.io/pvc-protection
	# subPath: ""
	# existingClaim: ""

volumeMounts: []

volumes: []

nodeSelector: {}

tolerations: []

affinity: {}

koko:
enabled: true

labels:
	app.jumpserver.org/name: jms-koko

config:
	log:
	level: ERROR

replicaCount: 1

image:
	registry: docker.1ms.run
	pullPolicy: IfNotPresent

env:
	[]
	## See: https://docs.jumpserver.org/zh/master/admin-guide/env/#koko
	# LANGUAGE_CODE: zh
	# REUSE_CONNECTION: true
	# ENABLE_LOCAL_PORT_FORWARD: true
	# ENABLE_VSCODE_SUPPORT: true

livenessProbe:
	initialDelaySeconds: 10
	failureThreshold: 3
	timeoutSeconds: 5
	httpGet:
	path: /koko/health/
	port: web

podSecurityContext:
	{}
	# fsGroup: 2000

securityContext:
	privileged: true
	# capabilities:
	#   drop:
	#   - ALL
	# readOnlyRootFilesystem: true
	# runAsNonRoot: true
	# runAsUser: 1000

service:
	type: ClusterIP
	web:
	port: 5000
	ssh:
	port: 2222

resources:
	{}
	## We usually recommend not to specify default resources and to leave this as a conscious
	## choice for the user. This also increases chances charts run on environments with little
	## resources, such as Minikube. If you do want to specify resources, uncomment the following
	## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
	# limits:
	#   cpu: 100m
	#   memory: 128Mi
	# requests:
	#   cpu: 100m
	#   memory: 128Mi

persistence:
	storageClassName: storage
	accessModes:
	- ReadWriteMany
	size: 10Gi
	annotations:
	"helm.sh/resource-policy": keep
	finalizers:
	- kubernetes.io/pvc-protection
	# subPath: ""
	# existingClaim: ""

volumeMounts: []

volumes: []

nodeSelector: {}

tolerations: []

affinity: {}

lion:
enabled: true

labels:
	app.jumpserver.org/name: jms-lion

config:
	log:
	level: ERROR

replicaCount: 1

image:
	registry: docker.1ms.run
	pullPolicy: IfNotPresent

env:
	## See: https://docs.jumpserver.org/zh/master/admin-guide/env/#lion
	JUMPSERVER_ENABLE_FONT_SMOOTHING: true
	# JUMPSERVER_COLOR_DEPTH: 32
	# JUMPSERVER_ENABLE_WALLPAPER: true
	# JUMPSERVER_ENABLE_THEMING: true
	# JUMPSERVER_ENABLE_FULL_WINDOW_DRAG: true
	# JUMPSERVER_ENABLE_DESKTOP_COMPOSITION: true
	# JUMPSERVER_ENABLE_MENU_ANIMATIONS: true

livenessProbe:
	initialDelaySeconds: 90
	failureThreshold: 3
	timeoutSeconds: 5
	httpGet:
	path: /lion/health/
	port: web

podSecurityContext:
	{}
	# fsGroup: 2000

securityContext:
	{}
	# capabilities:
	#   drop:
	#   - ALL
	# readOnlyRootFilesystem: true
	# runAsNonRoot: true
	# runAsUser: 1000

service:
	type: ClusterIP
	web:
	port: 8081

resources:
	{}
	## We usually recommend not to specify default resources and to leave this as a conscious
	## choice for the user. This also increases chances charts run on environments with little
	## resources, such as Minikube. If you do want to specify resources, uncomment the following
	## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
	# limits:
	#   cpu: 100m
	#   memory: 512Mi
	# requests:
	#   cpu: 100m
	#   memory: 512Mi

persistence:
	storageClassName: storage
	accessModes:
	- ReadWriteMany
	size: 50Gi
	annotations:
	"helm.sh/resource-policy": keep
	finalizers:
	- kubernetes.io/pvc-protection
	# subPath: ""
	# existingClaim: ""

volumeMounts: []

volumes: []

nodeSelector: {}

tolerations: []

affinity: {}

chen:
enabled: true

labels:
	app.jumpserver.org/name: jms-chen

config:
	log:
	level: ERROR

replicaCount: 1

image:
	registry: docker.1ms.run
	pullPolicy: IfNotPresent

env: []

livenessProbe:
	initialDelaySeconds: 60
	failureThreshold: 3
	timeoutSeconds: 5
	httpGet:
	path: /chen
	port: web

podSecurityContext:
	{}
	# fsGroup: 2000

securityContext:
	{}
	# capabilities:
	#   drop:
	#   - ALL
	# readOnlyRootFilesystem: true
	# runAsNonRoot: true
	# runAsUser: 1000

service:
	type: ClusterIP
	web:
	port: 8082

resources:
	{}
	## We usually recommend not to specify default resources and to leave this as a conscious
	## choice for the user. This also increases chances charts run on environments with little
	## resources, such as Minikube. If you do want to specify resources, uncomment the following
	## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
	# limits:
	#   cpu: 100m
	#   memory: 128Mi
	# requests:
	#   cpu: 100m
	#   memory: 128Mi

persistence:
	storageClassName: storage
	accessModes:
	- ReadWriteMany
	size: 10Gi
	annotations:
	"helm.sh/resource-policy": keep
	finalizers:
	- kubernetes.io/pvc-protection
	# subPath: ""
	# existingClaim: ""

volumeMounts: []

volumes: []

nodeSelector: {}

tolerations: []

affinity: {}

xpack:
enabled: false

magnus:
labels:
	app.jumpserver.org/name: jms-magnus

config:
	log:
	level: ERROR

replicaCount: 1

image:
	registry: docker.1ms.run
	pullPolicy: IfNotPresent

env: []

livenessProbe:
	initialDelaySeconds: 10
	failureThreshold: 3
	timeoutSeconds: 5
	httpGet:
	path: /health
	port: web

podSecurityContext:
	{}
	# fsGroup: 2000

securityContext:
	{}
	# capabilities:
	#   drop:
	#   - ALL
	# readOnlyRootFilesystem: true
	# runAsNonRoot: true
	# runAsUser: 1000

service:
	type: ClusterIP
	web:
	port: 8088
	mysql:
	port: 33061
	mariadb:
	port: 33062
	redis:
	port: 63790
	postgresql:
	port: 54320
	sqlserver:
	port: 14330
	oracle:
	ports: 30000-30100

resources:
	{}
	## We usually recommend not to specify default resources and to leave this as a conscious
	## choice for the user. This also increases chances charts run on environments with little
	## resources, such as Minikube. If you do want to specify resources, uncomment the following
	## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
	# limits:
	#   cpu: 100m
	#   memory: 512Mi
	# requests:
	#   cpu: 100m
	#   memory: 512Mi

persistence:
	storageClassName: storage
	accessModes:
	- ReadWriteMany
	size: 10Gi
	annotations:
	"helm.sh/resource-policy": keep
	finalizers:
	- kubernetes.io/pvc-protection
	# subPath: ""
	# existingClaim: ""

volumeMounts: []

volumes: []

nodeSelector: {}

tolerations: []

affinity: {}

xrdp:
labels:
	app.jumpserver.org/name: jms-xrdp

config:
	log:
	level: ERROR

replicaCount: 1

image:
	registry: registry.fit2cloud.com
	pullPolicy: IfNotPresent

env: []

livenessProbe:
	initialDelaySeconds: 10
	failureThreshold: 3
	timeoutSeconds: 5
	tcpSocket:
	port: rdp

podSecurityContext:
	{}
	# fsGroup: 2000

securityContext:
	{}
	# capabilities:
	#   drop:
	#   - ALL
	# readOnlyRootFilesystem: true
	# runAsNonRoot: true
	# runAsUser: 1000

service:
	type: ClusterIP
	rdp:
	port: 3390

resources:
	{}
	## We usually recommend not to specify default resources and to leave this as a conscious
	## choice for the user. This also increases chances charts run on environments with little
	## resources, such as Minikube. If you do want to specify resources, uncomment the following
	## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
	# limits:
	#   cpu: 100m
	#   memory: 128Mi
	# requests:
	#   cpu: 100m
	#   memory: 128Mi

persistence:
	storageClassName: storage
	accessModes:
	- ReadWriteMany
	size: 50Gi
	annotations:
	"helm.sh/resource-policy": keep
	finalizers:
	- kubernetes.io/pvc-protection
	# subPath: ""
	# existingClaim: ""

volumeMounts: []

volumes: []

nodeSelector: {}

tolerations: []

affinity: {}

razor:
labels:
	app.jumpserver.org/name: jms-razor

config:
	log:
	level: ERROR

replicaCount: 1

image:
	registry: registry.fit2cloud.com
	pullPolicy: IfNotPresent

env: []

livenessProbe:
	initialDelaySeconds: 10
	failureThreshold: 3
	timeoutSeconds: 5
	httpGet:
	path: /razor/health/
	port: web

podSecurityContext:
	{}
	# fsGroup: 2000

securityContext:
	{}
	# capabilities:
	#   drop:
	#   - ALL
	# readOnlyRootFilesystem: true
	# runAsNonRoot: true
	# runAsUser: 1000

service:
	type: ClusterIP
	web:
	port: 8084
	rdp:
	port: 3389

resources:
	{}
	## We usually recommend not to specify default resources and to leave this as a conscious
	## choice for the user. This also increases chances charts run on environments with little
	## resources, such as Minikube. If you do want to specify resources, uncomment the following
	## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
	# limits:
	#   cpu: 100m
	#   memory: 128Mi
	# requests:
	#   cpu: 100m
	#   memory: 128Mi

persistence:
	storageClassName: storage
	accessModes:
	- ReadWriteMany
	size: 50Gi
	annotations:
	"helm.sh/resource-policy": keep
	finalizers:
	- kubernetes.io/pvc-protection
	# subPath: ""
	# existingClaim: ""

volumeMounts: []

volumes: []

nodeSelector: {}

tolerations: []

affinity: {}

video:
labels:
	app.jumpserver.org/name: jms-video

config:
	log:
	level: ERROR

replicaCount: 1

image:
	registry: registry.fit2cloud.com
	pullPolicy: IfNotPresent

env: []

livenessProbe:
	initialDelaySeconds: 10
	failureThreshold: 3
	timeoutSeconds: 5
	httpGet:
	path: /video-worker/health/
	port: web

podSecurityContext:
	{}
	# fsGroup: 2000

securityContext:
	{}
	# capabilities:
	#   drop:
	#   - ALL
	# readOnlyRootFilesystem: true
	# runAsNonRoot: true
	# runAsUser: 1000

service:
	service:
	type: ClusterIP
	web:
	port: 9000

resources:
	{}
	## We usually recommend not to specify default resources and to leave this as a conscious
	## choice for the user. This also increases chances charts run on environments with little
	## resources, such as Minikube. If you do want to specify resources, uncomment the following
	## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
	# limits:
	#   cpu: 100m
	#   memory: 128Mi
	# requests:
	#   cpu: 100m
	#   memory: 128Mi

persistence:
	storageClassName: storage
	accessModes:
	- ReadWriteMany
	size: 50Gi
	annotations:
	"helm.sh/resource-policy": keep
	finalizers:
	- kubernetes.io/pvc-protection
	# subPath: ""
	# existingClaim: ""

volumeMounts: []

volumes: []

nodeSelector: {}

tolerations: []

affinity: {}

web:
enabled: true

labels:
	app.jumpserver.org/name: jms-web

replicaCount: 1

image:
	registry: docker.1ms.run
	pullPolicy: IfNotPresent

env:
	# nginx client_max_body_size, default 4G
	CLIENT_MAX_BODY_SIZE: 4096m
	## See: https://github.com/jumpserver/docker-web/blob/master/init.sh#L37
	# USE_LB: 1, then nginx use 'proxy_set_header X-Forwarded-For $remote_addr'
	# USE_LB: 0, then nginx use 'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for'
	USE_LB: 0

livenessProbe:
	initialDelaySeconds: 10
	failureThreshold: 3
	timeoutSeconds: 5
	httpGet:
	path: /api/health/
	port: web

podSecurityContext:
	{}
	# fsGroup: 2000

securityContext:
	{}
	# capabilities:
	#   drop:
	#   - ALL
	# readOnlyRootFilesystem: true
	# runAsNonRoot: true
	# runAsUser: 1000

service:
	type: ClusterIP
	web:
	port: 80

resources:
	{}
	## We usually recommend not to specify default resources and to leave this as a conscious
	## choice for the user. This also increases chances charts run on environments with little
	## resources, such as Minikube. If you do want to specify resources, uncomment the following
	## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
	# limits:
	#   cpu: 100m
	#   memory: 128Mi
	# requests:
	#   cpu: 100m
	#   memory: 128Mi

persistence:
	storageClassName: storage
	accessModes:
	- ReadWriteMany
	size: 1Gi
	annotations:
	"helm.sh/resource-policy": keep
	finalizers:
	- kubernetes.io/pvc-protection
	# subPath: ""
	# existingClaim: ""

volumeMounts: []

volumes: []

nodeSelector: {}

tolerations: []

affinity: {}

```

修改 core 模块

1
2
3

kubectl -n jumpserver edit deployments.apps jms-k8s-jumpserver-jms-core

# 将 image 镜像名称修改为 jumpserver/core:v4.6.1-ce

Linux防火墙工具iptables使用指南与配置详解

Tue, 03 Oct 2023 00:00:00 +0000

在Linux系统安全维护中，防火墙是保护服务器免受未授权访问的重要工具。iptables作为Linux内核的防火墙工具，提供了强大而灵活的网络流量控制机制。本文将深入剖析iptables的核心概念、配置方法及常见应用场景，帮助系统管理员构建更安全的服务器环境。

什么是iptables

iptables是Linux系统中的防火墙工具，它直接与Linux内核的netfilter模块交互，负责对网络数据包进行过滤、修改和转发。作为一个完整的防火墙框架，iptables提供了细粒度的网络流量控制能力，能够根据多种条件（如源IP地址、目标端口、协议类型等）来制定复杂的网络访问策略。

iptables的核心组件

iptables的结构基于"表"和"链"的概念：

表（Tables）：用于组织具有特定功能的规则
- filter：默认表，用于数据包过滤
- nat：用于网络地址转换
- mangle：用于特殊数据包修改
- raw：用于配置豁免连接跟踪
- security：用于强制访问控制网络规则
链（Chains）：每个表包含多个链，链定义了何时应用规则
- INPUT：处理发往本机的数据包
- OUTPUT：处理本机发出的数据包
- FORWARD：处理经过本机转发的数据包
- PREROUTING：路由前处理
- POSTROUTING：路由后处理

iptables基本操作

查看当前规则

# 查看filter表的所有规则
sudo iptables -L -v

# 查看特定表的规则
sudo iptables -t nat -L -v

添加规则

# 允许SSH连接（22端口）
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# 允许已建立的连接
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 允许本地回环接口
sudo iptables -A INPUT -i lo -j ACCEPT

删除规则

# 删除第1条规则
sudo iptables -D INPUT 1

# 删除特定规则
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT

设置默认策略

# 设置INPUT链默认拒绝
sudo iptables -P INPUT DROP

# 设置OUTPUT链默认允许
sudo iptables -P OUTPUT ACCEPT

常见应用场景和配置示例

基础服务器保护配置

以下是一个基础的服务器保护配置示例，允许常见服务并默认拒绝其他连接：

# 清除现有规则
sudo iptables -F
sudo iptables -X

# 设置默认策略
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# 允许本地回环
sudo iptables -A INPUT -i lo -j ACCEPT

# 允许已建立的连接
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 允许SSH (22端口)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# 允许HTTP/HTTPS (80/443端口)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# 允许ICMP (ping)
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

端口转发配置

将外部80端口请求转发到内部8080端口：

# 启用IP转发
echo 1 > /proc/sys/net/ipv4/ip_forward

# 设置端口转发
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

限制连接速率

防止DoS攻击的简单配置：

1
2
3

# 限制SSH连接速率，每分钟最多3个新连接
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

禁止特定IP地址

# 封禁特定IP
sudo iptables -A INPUT -s 192.168.1.100 -j DROP

# 封禁IP段
sudo iptables -A INPUT -s 192.168.1.0/24 -j DROP

规则持久化

iptables规则在系统重启后会丢失，需要进行持久化配置：

Debian/Ubuntu系统

# 安装iptables-persistent
sudo apt-get install iptables-persistent

# 保存当前规则
sudo netfilter-persistent save

CentOS/RHEL系统

# 保存当前规则
sudo service iptables save

# 或使用
sudo iptables-save > /etc/sysconfig/iptables

常见问题排查

规则顺序问题：iptables按顺序匹配规则，一旦匹配成功就停止。因此规则顺序至关重要。
锁定风险：添加DROP规则时需谨慎，错误配置可能导致无法远程连接服务器。建议在有物理访问权限时测试新规则。
性能考虑：过多的规则会影响网络性能，应定期清理不必要的规则。
日志记录：使用LOG目标记录被拒绝的连接，有助于排查问题：

`1`	`sudo iptables -A INPUT -j LOG --log-prefix "iptables denied: " --log-level 7`

高级功能

网络地址转换（NAT）

配置简单的NAT以共享Internet连接：

# 启用IP转发
echo 1 > /proc/sys/net/ipv4/ip_forward

# 设置源地址转换
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# 允许转发从内网接口到外网接口的流量
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

流量控制和QoS

使用iptables的mangle表标记流量，配合tc（Traffic Control）实现QoS：

1
2

# 标记SSH流量
sudo iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 1

结论

iptables是Linux系统中功能强大的防火墙工具，掌握它的使用对于服务器安全至关重要。通过合理配置iptables规则，可以有效控制网络流量、保护服务器免受未授权访问，同时实现网络地址转换等高级功能。

在实际应用中，应根据具体需求设计规则，并定期检查和更新防火墙配置。随着网络威胁不断演变，防火墙策略也应相应调整，以保持最佳安全状态。

对于更复杂的场景，可以考虑使用更高级的前端工具如ufw（Uncomplicated Firewall）或firewalld，它们在底层仍使用iptables，但提供了更友好的接口。

无论使用何种工具，理解iptables的核心概念和工作原理，都是构建安全Linux网络环境的基础。

使用 ACME 在 DNSPod 上自动配置 SSL 证书指南

Mon, 18 Sep 2023 00:00:00 +0000

Docker 部署 acme.sh

docker-compose.yml，将 DNSPod API ID 和 Key 替换为实际值。

services:
  acme-sh:
    image: neilpang/acme.sh:latest
    container_name: acme
    restart: always
    command: daemon
    environment:
      - TZ=Asia/Shanghai
      - DP_Id=******            # DNSPod API ID
      - DP_Key=**************** # DNSPod API Key
    volumes:
      - ./certs/:/acme.sh/

配置 acme.sh

# 启动 acme.sh
docker compose up -d
# 进入 acme.sh 容器
docker compose exec -it acme sh
# 设置默认 CA
acme.sh --set-default-ca --server letsencrypt

申请证书

生成证书，将 www.example.com 替换为实际域名。证书会挂载到 ./certs/ 目录下。

`1`	`acme.sh --issue --dns dns_dp -d www.example.com`

基于Docker的OpenVPN客户端与代理集成解决方案

Wed, 03 Aug 2022 00:00:00 +0000

为了解决 OpenVPN 与代理软件冲突的问题

wfg/docker-openvpn-client: OpenVPN client with killswitch and proxy servers; built on Alpine (github.com)

构建文件

Dockerfile

FROM alpine:3.17

RUN apk add --no-cache \
    bash \
    bind-tools \
    iptables \
    ip6tables \
    openvpn

COPY . /usr/local/bin

ENV KILL_SWITCH=on

ENTRYPOINT [ "entry.sh" ]

killswitch

#!/usr/bin/env bash

set -o errexit
set -o nounset
set -o pipefail

iptables --insert OUTPUT \
    ! --out-interface tun0 \
    --match addrtype ! --dst-type LOCAL \
    ! --destination "$(ip -4 -oneline addr show dev eth0 | awk 'NR == 1 { print $4 }')" \
    --jump REJECT

# 创建静态路由，允许访问指定的子网
# 例如：ALLOWED_SUBNETS 在 docker-compose.yaml 中配置
default_gateway=$(ip -4 route | awk '$1 == "default" { print $3 }')
for subnet in ${1//,/ }; do
    ip route add "$subnet" via "$default_gateway"
    iptables --insert OUTPUT --destination "$subnet" --jump ACCEPT
done

# 为 OpenVPN 服务器地址打洞
# $config 是 OpenVPN 设置的：
#   “第一个 --config 文件的名称。在程序初始化时设置并在 SIGHUP 时重置。”
global_port=$(awk '$1 == "port" { print $2 }' "${config:?"config file not found by kill switch"}")
global_protocol=$(awk '$1 == "proto" { print $2 }' "${config:?"config file not found by kill switch"}")
remotes=$(awk '$1 == "remote" { print $2, $3, $4 }' "${config:?"config file not found by kill switch"}")
ip_regex='^(([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))\.){3}([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))$'
while IFS= read -r line; do
    # 读取去除注释的行
    IFS=" " read -ra remote <<< "${line%%\#*}"
    address=${remote[0]}
    port=${remote[1]:-${global_port:-1194}}
    protocol=${remote[2]:-${global_protocol:-udp}}

    if [[ $address =~ $ip_regex ]]; then
        iptables --insert OUTPUT --destination "$address" --protocol "$protocol" --destination-port "$port" --jump ACCEPT
    else
        for ip in $(dig -4 +short "$address"); do
            iptables --insert OUTPUT --destination "$ip" --protocol "$protocol" --destination-port "$port" --jump ACCEPT
            echo "$ip $address" >> /etc/hosts
        done
    fi
done <<< "$remotes"

entry.sh

#!/usr/bin/env bash

set -o errexit
set -o nounset
set -o pipefail

cleanup() {
    kill TERM "$openvpn_pid"
    exit 0
}

is_enabled() {
    [[ ${1,,} =~ ^(true|t|yes|y|1|on|enable|enabled)$ ]]
}

# Either a specific file name or a pattern.
if [[ $CONFIG_FILE ]]; then
    config_file=$(find /config -name "$CONFIG_FILE" 2> /dev/null | sort | shuf -n 1)
else
    config_file=$(find /config -name '*.conf' -o -name '*.ovpn' 2> /dev/null | sort | shuf -n 1)
fi

if [[ -z $config_file ]]; then
    echo "no openvpn configuration file found" >&2
    exit 1
fi

echo "using openvpn configuration file: $config_file"


openvpn_args=(
    "--config" "$config_file"
    "--cd" "/config"
)

if is_enabled "$KILL_SWITCH"; then
    openvpn_args+=("--route-up" "/usr/local/bin/killswitch.sh $ALLOWED_SUBNETS")
fi

# Docker secret that contains the credentials for accessing the VPN.
if [[ $AUTH_SECRET ]]; then
    openvpn_args+=("--auth-user-pass" "/run/secrets/$AUTH_SECRET")
fi

openvpn "${openvpn_args[@]}" &
openvpn_pid=$!

trap cleanup TERM

wait $openvpn_pid

构建和启动

docker-compose.yaml

公网镜像：ghcr.io/wfg/openvpn-client
构建镜像：

`1`	`docker compose build`

启动

`1`	`docker compose up -d`

services:
  openvpn-client:
    image: openvpn-client:latest  # ghcr.io/wfg/openvpn-client
    build:
      context: ./
      dockerfile: Dockerfile
    container_name: openvpn-client
    cap_add:
      - NET_ADMIN
    environment:
      # - HTTP_PROXY=on
      - SOCKS_PROXY=on
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./local:/config
      - ./local:/data/vpn
    ports:
      # - 8080:8080  # HTTP_PROXY port
      - 1080:1080  # SOCKS_PROXY port
    restart: unless-stopped

结合代理软件使用

使用 Clash 软件中的 规则配置 分流策略

proxies:
	- { name: OpenVPN, server: 127.0.0.1, port: 1080, type: socks5 }

rules:
	- IP-CIDR,192.168.142.0/24,OpenVPN
	- IP-CIDR,10.10.10.0/24,OpenVPN
	- IP-CIDR,172.16.0.0/24,OpenVPN

其他

除了 OpenVPN，还可以将 EasyConnect 等校园网 VPN （访问知网免费）经常使用的代理软件客户端部署到 Docker 中，并暴露 HTTP 或者 Socks ，并配置分流规则，达到优雅的访问其他网络环境的效果。

1
2

    - { name: 'CNKI', type: socks5, server: 10.10.10.45, port: 57080}
    - 'DOMAIN-SUFFIX,cnki.net,CNKI'