{"id":12174,"date":"2025-02-15T21:46:45","date_gmt":"2025-02-16T05:46:45","guid":{"rendered":"https:\/\/www.xh86.me\/?p=12174"},"modified":"2025-02-15T21:46:45","modified_gmt":"2025-02-16T05:46:45","slug":"teleport-%e5%ae%89%e8%a3%85%e8%ae%b0%e5%bd%95","status":"publish","type":"post","link":"https:\/\/www.xh86.me\/?p=12174","title":{"rendered":"TelePort Installation Notes"},"content":{"rendered":"<header>\n<h1>Run a Self-Hosted Demo Cluster<\/h1>\n<\/header>\n<p>See how a self-hosted Teleport deployment works by completing the tutorial below. It shows you how to spin up a single-instance Teleport cluster on a Linux server using Teleport Community Edition. Once you deploy the cluster, you can configure RBAC, register resources, and protect your small-scale demo environments or home lab.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"img_CujE\" src=\"https:\/\/goteleport.com\/docs\/assets\/images\/linux-server-diagram-35d15e24d58c3944042cf2d9c984d77f.png\" alt=\"Architecture of the setup you will complete in this guide\" width=\"1666\" height=\"602\" \/><\/p>\n<p>We will run the following Teleport services:<\/p>\n<ul>\n<li><strong>Teleport Auth Service:<\/strong> The certificate authority for your cluster. It issues certificates and conducts authentication challenges. The Auth Service is typically inaccessible outside your private network.<\/li>\n<li><strong>Teleport Proxy Service:<\/strong> The cluster frontend, which handles user requests, forwards user credentials to the Auth Service, and communicates with Teleport instances that enable access to specific resources in your infrastructure.<\/li>\n<li><strong>Teleport SSH Service:<\/strong> An SSH server implementation that takes advantage of Teleport&#8217;s short-lived certificates, sophisticated RBAC, session recording, and other features.<\/li>\n<\/ul>\n
<h2 id=\"step-14-configure-dns\" class=\"anchor anchorWithStickyNavbar_LWe7\">Step 1\/4. Configure DNS<\/h2>\n<p>Teleport uses TLS to provide secure access to its Proxy Service and Auth Service, and this requires a domain name that clients can use to verify Teleport&#8217;s certificate. Set up two DNS <code class=\"wrapper_7jnR\">A<\/code> records, each pointing to the IP address of your Linux host. Assuming <code class=\"wrapper_7jnR\">teleport.example.com<\/code> is your domain name, set up records for:<\/p>\n<table>\n<thead>\n<tr>\n<th>Domain<\/th>\n<th>Reason<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><code class=\"wrapper_7jnR\">teleport.example.com<\/code><\/td>\n<td>Traffic to the Proxy Service from users and services.<\/td>\n<\/tr>\n<tr>\n<td><code class=\"wrapper_7jnR\">*.teleport.example.com<\/code><\/td>\n<td>Traffic to web applications registered with Teleport. Teleport issues a subdomain of your cluster&#8217;s domain name to each application.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"step-24-set-up-teleport-on-your-linux-host\" class=\"anchor anchorWithStickyNavbar_LWe7\">Step 2\/4. 
Set up Teleport on your Linux host<\/h2>\n<h3 id=\"install-teleport\" class=\"anchor anchorWithStickyNavbar_LWe7\">Install Teleport<\/h3>\n<p>On your Linux host, run the following command to install the Teleport binary:<\/p>\n<div class=\"wrapper_NCMp wrapper_SbCJ\">\n<div>\n<div class=\"scroll_mw0A\">\n<div class=\"command_pMU9\"><span class=\"line_AfHy\" data-content=\"$ \">curl https:\/\/cdn.teleport.dev\/install-v17.2.7.sh | bash -s 17.2.7<\/span><\/div>\n<\/div>\n<\/div>\n<\/div>\n<h3 id=\"configure-teleport\" class=\"anchor anchorWithStickyNavbar_LWe7\">Configure Teleport<\/h3>\n<div class=\"tabs-container tabList__CuJ\">\n<div class=\"margin-top--md\">\n<div class=\"tabItem_Ymn6\" role=\"tabpanel\">\n<div class=\"wrapper_NCMp wrapper_SbCJ\">\n<div>\n<div class=\"scroll_mw0A\">\n<div class=\"command_pMU9\"><span class=\"line_AfHy\" data-content=\"$ \">sudo teleport configure -o file \\<\/span><span class=\"line_AfHy\"> --acme --acme-email=user@example.com \\<\/span><span class=\"line_AfHy\"> --cluster-name=tele.example.com<\/span><\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Port 443 on your Teleport Proxy Service host must allow traffic from all sources, so that Let&#8217;s Encrypt can reach the Proxy Service to complete the ACME challenge and issue the certificate.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<h3 id=\"start-teleport\" class=\"anchor 
anchorWithStickyNavbar_LWe7\">Start Teleport<\/h3>\n<div class=\"tabs-container tabList__CuJ\">\n<div class=\"margin-top--md\">\n<div class=\"tabItem_Ymn6\" role=\"tabpanel\">\n<div class=\"wrapper_NCMp wrapper_SbCJ\">\n<div>\n<div class=\"scroll_mw0A\">\n<div class=\"command_pMU9\"><span class=\"line_AfHy\" data-content=\"$ \">sudo systemctl enable teleport<\/span><\/div>\n<div class=\"command_pMU9\"><span class=\"line_AfHy\" data-content=\"$ \">sudo systemctl start teleport<\/span><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>You can check the status of your Teleport instance with <code class=\"wrapper_7jnR\">systemctl status teleport<\/code> and view its logs with <code class=\"wrapper_7jnR\">journalctl -fu teleport<\/code>.<\/p>\n<p>Access Teleport&#8217;s Web UI via HTTPS at the domain you created earlier (e.g., <code class=\"wrapper_7jnR\">https:\/\/teleport.example.com<\/code>). You should see a welcome screen similar to the following:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"img_CujE\" src=\"https:\/\/goteleport.com\/docs\/assets\/images\/welcome-a3391a50d2ab27f5a4264dd683727563.png\" alt=\"Teleport Welcome Screen\" width=\"524\" height=\"839\" \/><\/p>\n<h2 id=\"step-34-create-a-teleport-user-and-set-up-multi-factor-authentication\" class=\"anchor 
anchorWithStickyNavbar_LWe7\">Step 3\/4. Create a Teleport user and set up multi-factor authentication<\/h2>\n<p>In this step, we&#8217;ll create a new Teleport user, <code class=\"wrapper_7jnR\">teleport-admin<\/code>, which is allowed to log into SSH hosts as any of the principals <code class=\"wrapper_7jnR\">root<\/code>, <code class=\"wrapper_7jnR\">ubuntu<\/code>, or <code class=\"wrapper_7jnR\">ec2-user<\/code>.<\/p>\n<p>On your Linux host, run the following command:<\/p>\n<div class=\"wrapper_NCMp wrapper_SbCJ\">\n<div>\n<div class=\"scroll_mw0A\">\n<p class=\"comment_Eyxe\" data-type=\"descr\">tctl is an administrative tool that is used to configure Teleport&#8217;s Auth Service.<\/p>\n<div class=\"command_pMU9\"><span class=\"line_AfHy\" data-content=\"$ \">sudo tctl users add teleport-admin --roles=editor,access --logins=root,ubuntu,ec2-user<\/span><\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>The command prints a message similar to the following:<\/p>\n
<div class=\"wrapper_NCMp\">\n<div>\n<pre class=\"wrapper_qf3F code_MI1E\"><code class=\"hljs language-text\">User \"teleport-admin\" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:\nhttps:\/\/teleport.example.com:443\/web\/invite\/123abc456def789ghi123abc456def78\n\nNOTE: Make sure teleport.example.com:443 points at a Teleport proxy which users can access.\n<\/code><\/pre>\n<\/div>\n<\/div>\n<p>Visit the provided URL in order to create your Teleport user.<\/p>\n<h2 id=\"step-44-enroll-your-infrastructure\" class=\"anchor anchorWithStickyNavbar_LWe7\">Step 4\/4. Enroll your infrastructure<\/h2>\n<p>With Teleport, you can protect all of the resources in your infrastructure behind a single identity-aware access proxy, including servers, databases, applications, Kubernetes clusters, Windows desktops, and cloud provider APIs.<\/p>\n<p>To enroll a resource with Teleport, visit the Web UI and click <strong>Enroll New Resource<\/strong>. 
The Web UI will show you the steps you can take to enroll your new resource.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"img_CujE\" src=\"https:\/\/goteleport.com\/docs\/assets\/images\/add-resources-5e150c9bb21643a87a27cba8107a3a07.png\" alt=\"Adding resources\" width=\"2306\" height=\"1053\" \/><\/p>\n<p>On the home page of the Web UI, you can see that you have already enrolled your Linux server.<\/p>\n<p>My <code>\/etc\/teleport.yaml<\/code> (<code>XXXXX<\/code> stands in for the real domain, path and e-mail):<\/p>\n
<pre>version: v3\nteleport:\n  nodename: TelePort\n  data_dir: \/var\/lib\/teleport\n  log:\n    output: stderr\n    severity: INFO\n    format:\n      output: text\n  ca_pin: \"\"\n  diag_addr: \"\"\nauth_service:\n  enabled: \"yes\"\n  listen_addr: 0.0.0.0:3025\n  cluster_name: teleport.XXXXX.net\n  proxy_listener_mode: multiplex\nssh_service:\n  enabled: \"yes\"\nproxy_service:\n  enabled: \"yes\"\n  web_listen_addr: 0.0.0.0:443\n  public_addr: teleport.XXXXX.net:443\n  https_keypairs:\n    - key_file: \/etc\/letsencrypt\/live\/XXXXX\/privkey.pem\n      cert_file: \/etc\/letsencrypt\/live\/XXXXX\/fullchain.pem\n  https_keypairs_reload_interval: 0s\n  acme:\n    enabled: \"yes\"\n    email: XXXXXX\n<\/pre>\n
<h3>Generate or obtain an SSL certificate<\/h3>\n<p>You can either obtain a free, trusted SSL certificate from Let&#8217;s Encrypt or generate a self-signed certificate.<\/p>\n<p>To obtain a free SSL certificate from Let&#8217;s Encrypt:<\/p>\n<ol>\n<li>Install Certbot:\n<pre>sudo apt update\nsudo apt install certbot\n<\/pre>\n<\/li>\n<li>Obtain the certificate:\n<pre>sudo certbot certonly --standalone -d your-domain.com\n<\/pre>\n<p>This command writes the certificate files to the \/etc\/letsencrypt\/live\/your-domain.com\/ directory. Certbot&#8217;s standalone mode binds port 80 itself to answer the HTTP-01 challenge, so that port must be free whenever the certificate is issued or renewed.<\/p>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Run a Self-Hosted Demo Cluster See how a self-hosted Te 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,3],"tags":[],"class_list":["post-12174","post","type-post","status-publish","format-standard","hentry","category-linux","category-system"],"_links":{"self":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12174"}],"version-history":[{"count":2,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12174\/revisions"}],"predecessor-version":[{"id":12187,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12174\/revisions\/12187"}],"wp:attachment":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}