1
+ < ?xml version="1.0" encoding="UTF-8" standalone="no"?>
2
+ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> < html xmlns ="http://www.w3.org/1999/xhtml "> < head > < meta http-equiv ="Content-Type " content ="text/html; charset=UTF-8 " /> < title > 3.5. 堡垒机</ title > < link rel ="stylesheet " type ="text/css " href ="../docbook.css " /> < meta name ="generator " content ="DocBook XSL Stylesheets Vsnapshot " /> < link rel ="home " href ="../index.html " title ="Netkiller Architect 手札 " /> < link rel ="up " href ="ch03.html " title ="第 3 章 阿里云 " /> < link rel ="prev " href ="瓶颈分析.html " title ="3.4. 瓶颈分析 " /> < link rel ="next " href ="../database/index.html " title ="第 4 章 数据库设计 " /> </ head > < body > < a xmlns ="" href ="//www.netkiller.cn/ "> Home</ a > |
3
+ < a xmlns ="" href ="//netkiller.github.io/ "> 简体中文</ a > |
4
+ < a xmlns ="" href ="http://netkiller.sourceforge.net/ "> 繁体中文</ a > |
5
+ < a xmlns ="" href ="/journal/index.html "> 杂文</ a > |
6
+ < a xmlns ="" href ="https://zhuanlan.zhihu.com/netkiller "> 知乎专栏</ a > |
7
+ < a xmlns ="" href ="https://edu.51cto.com/lecturer/1703915.html "> 51CTO学院</ a > |
8
+ < a xmlns ="" href ="https://edu.csdn.net/lecturer/6423 "> CSDN程序员研修院</ a > |
9
+ < a xmlns ="" href ="https://github.com/netkiller "> Github</ a > |
10
+ < a xmlns ="" href ="http://my.oschina.net/neochen/ "> OSChina 博客</ a > |
11
+ < a xmlns ="" href ="https://cloud.tencent.com/developer/column/2078 "> 腾讯云社区</ a > |
12
+ < a xmlns ="" href ="https://yq.aliyun.com/u/netkiller/ "> 阿里云栖社区</ a > |
13
+ < a xmlns ="" href ="https://www.facebook.com/bg7nyt "> Facebook</ a > |
14
+ < a xmlns ="" href ="http://cn.linkedin.com/in/netkiller/ "> Linkedin</ a > |
15
+ < a xmlns ="" href ="https://www.youtube.com/user/bg7nyt/videos "> Youtube</ a > |
16
+ < a xmlns ="" href ="//www.netkiller.cn/home/donations.html "> 打赏(Donations)</ a > |
17
+ < a xmlns ="" href ="//www.netkiller.cn/home/about.html "> About</ a > < div class ="navheader "> < table width ="100% " summary ="Navigation header "> < tr > < th colspan ="3 " align ="center "> 3.5. 堡垒机</ th > </ tr > < tr > < td width ="20% " align ="left "> < a accesskey ="p " href ="瓶颈分析.html "> 上一页</ a > </ td > < th width ="60% " align ="center "> 第 3 章 阿里云</ th > < td width ="20% " align ="right "> < a accesskey ="n " href ="../database/index.html "> 下一页</ a > </ td > </ tr > </ table > < hr /> </ div > < table xmlns =""> < tr > < td > < iframe src ="//ghbtns.com/github-btn.html?user=netkiller&repo=netkiller.github.io&type=watch&count=true&size=large " height ="30 " width ="170 " frameborder ="0 " scrolling ="0 " style ="width:170px; height: 30px; " allowTransparency ="true "> </ iframe > </ td > < td > < iframe src ="//ghbtns.com/github-btn.html?user=netkiller&repo=netkiller.github.io&type=fork&count=true&size=large " height ="30 " width ="170 " frameborder ="0 " scrolling ="0 " style ="width:170px; height: 30px; " allowTransparency ="true "> </ iframe > </ td > < td > < iframe src ="//ghbtns.com/github-btn.html?user=netkiller&type=follow&count=true&size=large " height ="30 " width ="240 " frameborder ="0 " scrolling ="0 " style ="width:240px; height: 30px; " allowTransparency ="true "> </ iframe > </ td > < td > </ td > < td > < a href ="https://zhuanlan.zhihu.com/netkiller "> < img src ="/images/logo/zhihu-card-default.svg " height ="25 " /> </ a > </ td > < td valign ="middle "> < a href ="https://zhuanlan.zhihu.com/netkiller "> 知乎专栏</ a > | < a href ="https://www.zhihu.com/club/1241768772601950208 "> 多维度架构</ a > </ td > < td > </ td > < td > </ td > < td > </ td > < td > </ td > </ tr > </ table > < div class ="section "> < div class ="titlepage "> < div > < div > < h2 class ="title " style ="clear: both "> < a id ="bastionhost "> </ a > 3.5. 堡垒机</ h2 > </ div > </ div > </ div >
18
+
19
+ < div class ="section "> < div class ="titlepage "> < div > < div > < h3 class ="title "> < a id ="idm359431228480 "> </ a > 3.5.1. 数据库查询需求解决方案</ h3 > </ div > </ div > </ div >
20
+
21
+ < div class ="section "> < div class ="titlepage "> < div > < div > < h4 class ="title "> < a id ="idm359431227712 "> </ a > 3.5.1.1. 背景和需求</ h4 > </ div > </ div > </ div >
22
+
23
+ < p > 部分小组有数据库查询,频次较高,Yearning 平台无法满足需求。目前方式是阿里云RDS挂载公网IP,暴漏3306查询</ p >
24
+ < p > 需求:实现谁,什么时间,做了什么操作。</ p >
25
+ </ div >
26
+ < div class ="section "> < div class ="titlepage "> < div > < div > < h4 class ="title "> < a id ="idm359431225760 "> </ a > 3.5.1.2. 方案选型</ h4 > </ div > </ div > </ div >
27
+
28
+ < p > 方案一、无影云桌面</ p >
29
+ < p > 方案二、堡垒机+远程桌面+视频录屏+操作留痕</ p >
30
+ < p > 经过对比两个方案,无影云桌面只能登录一个用户,当有一个用户登录后,其他用户会出现获取 token 失败提示。如果有多用户需求需要使用桌面组,即每登录一个用户就会开启一个实例,成本较高。</ p >
31
+ < p > 最终我们选择堡垒机+ECS Windows Server 的方案,windows server 支持多用户。</ p >
32
+ </ div >
33
+ </ div >
34
+
35
+ < div class ="section "> < div class ="titlepage "> < div > < div > < h3 class ="title "> < a id ="idm359431222880 "> </ a > 3.5.2. 解决方案</ h3 > </ div > </ div > </ div >
36
+
37
+ < div class ="screenshot ">
38
+
39
+ < div > < img src ="/architect/images/aliyun/bastionhost/%E5%A0%A1%E5%9E%92%E6%9C%BA%E6%96%B9%E6%A1%88.png " /> </ div >
40
+ </ div >
41
+
42
+ < div class ="orderedlist "> < p class ="title "> < strong > 优点:</ strong > </ p > < ol class ="orderedlist " type ="1 "> < li class ="listitem "> 堡垒机可以录屏,可以看到整个操作期间的过程,便于事故复盘和追责</ li > < li class ="listitem "> 经过堡垒机后 RDS 再无挂载公网IP的需求,直接内网链接 RDS 从库,这种方案更安全,RDS彻底摆脱暴力3306端口的风险</ li > < li class ="listitem "> 三层登录保障,第一层堡垒机,第二层云桌面,如果在家中访问云桌面,还需要登录到公司VPN</ li > </ ol > </ div >
43
+ < div class ="orderedlist "> < p class ="title "> < strong > 缺点:</ strong > </ p > < ol class ="orderedlist " type ="1 "> < li class ="listitem "> 产生费用</ li > < li class ="listitem "> 远程操作稍复杂</ li > < li class ="listitem "> 下载数据需要中转</ li > </ ol > </ div >
44
+ </ div >
45
+ < div class ="section "> < div class ="titlepage "> < div > < div > < h3 class ="title "> < a id ="idm359431215504 "> </ a > 3.5.3. 方案实施</ h3 > </ div > </ div > </ div >
46
+
47
+ < div class ="orderedlist "> < p class ="title "> < strong > 实施方案步骤:</ strong > </ p > < ol class ="orderedlist " type ="1 "> < li class ="listitem "> 卸载阿里云RDS数据库公网IP(需要评估影响范围)</ li > < li class ="listitem "> 准备一个云桌面Windows</ li > < li class ="listitem "> 设置内网访问策略,允许云桌面从内网链接到指定从库</ li > < li class ="listitem "> 堡垒机开通链接云桌面权限</ li > < li class ="listitem "> 云桌面开通登录账号</ li > < li class ="listitem "> 本地首先登录堡垒机,需要手机号+验证码。然后通过堡垒机链接远程桌面,再登录云桌面的账号。在远程电脑上,大家可以根据自己喜好安装工具,最后从内网访问 RDS 从库查询数据。操作过程会录屏。</ li > </ ol > </ div >
48
+ </ div >
49
+ </ div > < div xmlns ="" id ="SOHUCS "> </ div > < script xmlns ="" charset ="utf-8 " type ="text/javascript " src ="https://cy-cdn.kuaizhan.com/upload/changyan.js "> </ script > < script xmlns ="" type ="text/javascript ">
50
+ window . changyan . api . config ( {
51
+ appid : 'cyvwjQUG3' ,
52
+ conf : 'prod_ef966242df3d8b5acb1e0ee9fc01cafe'
53
+ } ) ;
54
+ </ script > < script xmlns ="" type ="text/javascript " id ="clustrmaps " src ="//cdn.clustrmaps.com/map_v2.js?u=r5HG&d=9mi5r_kkDC8uxG8HuY3p4-2qgeeVypAK9vMD-2P6BYM "> </ script > < div class ="navfooter "> < hr /> < table width ="100% " summary ="Navigation footer "> < tr > < td width ="40% " align ="left "> < a accesskey ="p " href ="瓶颈分析.html "> 上一页</ a > </ td > < td width ="20% " align ="center "> < a accesskey ="u " href ="ch03.html "> 上一级</ a > </ td > < td width ="40% " align ="right "> < a accesskey ="n " href ="../database/index.html "> 下一页</ a > </ td > </ tr > < tr > < td width ="40% " align ="left " valign ="top "> 3.4. 瓶颈分析 </ td > < td width ="20% " align ="center "> < a accesskey ="h " href ="../index.html "> 起始页</ a > </ td > < td width ="40% " align ="right " valign ="top "> 第 4 章 数据库设计</ td > </ tr > </ table > </ div > < script xmlns ="">
55
+ ( function ( i , s , o , g , r , a , m ) { i [ 'GoogleAnalyticsObject' ] = r ; i [ r ] = i [ r ] || function ( ) {
56
+ ( i [ r ] . q = i [ r ] . q || [ ] ) . push ( arguments ) } , i [ r ] . l = 1 * new Date ( ) ; a = s . createElement ( o ) ,
57
+ m = s . getElementsByTagName ( o ) [ 0 ] ; a . async = 1 ; a . src = g ; m . parentNode . insertBefore ( a , m )
58
+ } ) ( window , document , 'script' , '//www.google-analytics.com/analytics.js' , 'ga' ) ;
59
+
60
+ ga ( 'create' , 'UA-11694057-1' , 'auto' ) ;
61
+ ga ( 'send' , 'pageview' ) ;
62
+
63
+ </ script > < script xmlns ="" async ="async ">
64
+ var _hmt = _hmt || [ ] ;
65
+ ( function ( ) {
66
+ var hm = document . createElement ( "script" ) ;
67
+ hm . src = "https://hm.baidu.com/hm.js?93967759a51cda79e49bf4e34d0b0f2c" ;
68
+ var s = document . getElementsByTagName ( "script" ) [ 0 ] ;
69
+ s . parentNode . insertBefore ( hm , s ) ;
70
+ } ) ( ) ;
71
+ </ script > < script xmlns ="" async ="async ">
72
+ ( function ( ) {
73
+ var bp = document . createElement ( 'script' ) ;
74
+ var curProtocol = window . location . protocol . split ( ':' ) [ 0 ] ;
75
+ if ( curProtocol === 'https' ) {
76
+ bp . src = 'https://zz.bdstatic.com/linksubmit/push.js' ;
77
+ }
78
+ else {
79
+ bp . src = 'http://push.zhanzhang.baidu.com/push.js' ;
80
+ }
81
+ var s = document . getElementsByTagName ( "script" ) [ 0 ] ;
82
+ s . parentNode . insertBefore ( bp , s ) ;
83
+ } ) ( ) ;
84
+ </ script > </ body > </ html >
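Review bot: the audit requirement stated at the top of the section (实现谁,什么时间,做了什么操作) is only partly covered by the implementation steps, which end with 操作过程会录屏: screen recording captures on-screen queries, but the disadvantages list admits 下载数据需要中转 without naming the relay channel or saying how file transfers off the cloud desktop are logged (who transferred which file, when), so the write-up should specify that relay and its own audit trail, or state that downloads are disabled. Two typos in the same lists change the technical meaning and should be corrected: 暴漏3306查询 should read 暴露3306 (port 3306 is exposed), and RDS彻底摆脱暴力3306端口的风险 should read 暴露3306端口 (exposed port), not 暴力 (brute force). Separately, the page template loads five third-party scripts (changyan.js, clustrmaps map_v2.js, analytics.js, hm.js, push.js) with no integrity attribute, and the push.js loader falls back to `bp . src = 'http://push.zhanzhang.baidu.com/push.js'` when the page is served over http; a script fetched over plain http can be altered in transit, so pin the https URL and drop the http branch.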