Reverse proxy
“Requirements for putting JumpServer behind a reverse proxy”
- Clipboard copy and paste over the RDP protocol requires an SSL certificate that the user's browser trusts.
- Once JumpServer is accessed over HTTPS, copy and paste works inside RDP assets.
- Follow the recommendations of the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/){:target="_blank"}.
1 Nginx SSL deployment
“Have the SSL certificate ready (it must be in PEM format)”
- Put the certificate and its key under /opt/jumpserver/config/nginx/cert.
- Stop the JumpServer services before editing the configuration file.
```sh
# Stop the JumpServer services
./jmsctl.sh stop
```
```sh
# Edit the main JumpServer configuration file
vi /opt/jumpserver/config/config.txt
```
```vim
...
## Nginx configuration
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389

## HTTPS configuration
HTTPS_PORT=443               # externally exposed HTTPS port, default 443
SERVER_NAME=www.domain.com   # your HTTPS domain name
SSL_CERTIFICATE=xxx.pem      # your certificate file under /opt/jumpserver/config/nginx/cert
SSL_CERTIFICATE_KEY=xxx.key  # your key file under /opt/jumpserver/config/nginx/cert
```
```sh
# Start the JumpServer services
./jmsctl.sh start
```
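Before pointing SSL_CERTIFICATE and SSL_CERTIFICATE_KEY at the files, it pays to confirm they are PEM, belong to each other, cover SERVER_NAME and are not about to expire; a mismatch here surfaces only as a failed nginx start or a browser warning that silently keeps the RDP clipboard disabled. The following shell script is an added example, not code from the JumpServer docs or project. It assumes openssl 1.1.1 or later in PATH (the `-addext` flag is used only to build a throwaway self-signed pair for trying the checks offline); the paths and the demo domain are placeholders, and a real deployment runs the checks against the CA-issued files under /opt/jumpserver/config/nginx/cert.

```shell
#!/bin/sh
# Added example (not JumpServer code): sanity-check a certificate pair before
# it is referenced from config.txt. Assumes openssl 1.1.1+ in PATH.

# is_pem FILE: nginx reads PEM; a DER or PFX file fails at startup.
is_pem() {
    grep -q -- '-----BEGIN ' "$1"
}

# key_matches_cert CERT KEY: the public key derived from each side must be identical.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_covers_name CERT NAME: SERVER_NAME must appear in the SAN list, otherwise
# browsers refuse the connection and the RDP clipboard stays unavailable.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2(,|\$)"
}

# not_expiring_soon CERT DAYS: fails if the certificate expires within DAYS days.
not_expiring_soon() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_cert_pair CERT KEY NAME: run every check, report each failure on
# stderr, return non-zero if any check failed.
check_cert_pair() {
    rc=0
    is_pem "$1"                || { echo "certificate is not PEM: $1" >&2; rc=1; }
    is_pem "$2"                || { echo "key is not PEM: $2" >&2; rc=1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; rc=1; }
    cert_covers_name "$1" "$3" || { echo "certificate does not cover $3" >&2; rc=1; }
    not_expiring_soon "$1" 30  || { echo "certificate expires within 30 days" >&2; rc=1; }
    return $rc
}

# make_demo_pair DIR NAME: constructed self-signed pair for exercising the checks
# offline. A browser will not trust it; production uses a CA-issued certificate.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/demo.key" -out "$1/demo.pem" >/dev/null 2>&1
}

# Usage against a real deployment (placeholder file names as in config.txt):
#   check_cert_pair /opt/jumpserver/config/nginx/cert/xxx.pem \
#                   /opt/jumpserver/config/nginx/cert/xxx.key www.domain.com
```

Run `check_cert_pair` with the same three values you put into SSL_CERTIFICATE, SSL_CERTIFICATE_KEY and SERVER_NAME before `./jmsctl.sh start`; every line it prints to stderr is a reason the HTTPS listener, or the RDP clipboard behind it, will not work.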
“To customise the Nginx configuration, use this as a reference”
```sh
vi /opt/jumpserver/config/nginx/lb_http_server.conf
```
```nginx
# TODO: could perhaps be auto-discovered
upstream http_server {
    sticky name=jms_route;   # session affinity across nodes; needs a sticky module, not in stock nginx
    server web:80;
    # server HOST2:80;       # additional nodes
}

server {
    listen 80;
    server_name demo.jumpserver.org;   # change to your own domain name
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name demo.jumpserver.org;   # change to your own domain name
    server_tokens off;
    ssl_certificate cert/server.crt;       # replace server.crt with your certificate (pem or crt); keep the cert/ path
    ssl_certificate_key cert/server.key;   # replace server.key with your private key file; keep the cert/ path
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLS 1.0/1.1 are deprecated (RFC 8996); this matches the Mozilla intermediate profile
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Strict-Strict-Transport-Security-Placeholder "" always;
    add_header Strict-Transport-Security "max-age=63072000" always;
    client_max_body_size 5000m;   # upload size limit

    location / {
        proxy_pass http://http_server;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Forwarded-For $remote_addr;   # address of the directly connected peer; see the multi-layer note below if another proxy sits in front
        proxy_ignore_client_abort on;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 6000;
    }
}
```
2 Multi-layer Nginx reverse proxy
“Note”
- For deployments where a front-facing reverse proxy acts as the shared external entry point in front of JumpServer.
- This is a multi-layer Nginx reverse proxy.
- Every layer must carry WebSocket long connections: `proxy_http_version 1.1` together with the `Upgrade` and `Connection` headers, as in the configuration below.
- Both the front proxy and the JumpServer Nginx set `X-Forwarded-For` to `$remote_addr`, so the address the JumpServer Nginx passes upstream is the front proxy's, not the user's. To keep the real client address in JumpServer's login and session records, configure the JumpServer Nginx to trust the front proxy with `set_real_ip_from` and `real_ip_header X-Forwarded-For` (ngx_http_realip_module), and do not trust that header from any other source.
```sh
# Edit the configuration file
vi /etc/nginx/conf.d/jumpserver.conf
```
```nginx
server {
    listen 80;
    server_name demo.jumpserver.org;   # change to your own domain name
    client_max_body_size 4096m;        # upload size limit

    location / {
        # the IP address of the JumpServer nginx behind this proxy
        proxy_pass http://192.168.244.144;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```
“Deploying SSL and accessing over HTTPS is recommended”
- Follow the recommendations of the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/).
```nginx
server {
    listen 80;
    server_name demo.jumpserver.org;   # change to your own domain name
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name demo.jumpserver.org;   # change to your own domain name
    ssl_certificate sslkey/1_jumpserver.org_bundle.crt;       # set to your certificate
    ssl_certificate_key sslkey/2_jumpserver.org_bundle.key;   # set to your private key
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLS 1.0/1.1 are deprecated (RFC 8996); this matches the Mozilla intermediate profile
    add_header Strict-Transport-Security "max-age=63072000" always;
    client_max_body_size 4096m;   # size limit for session recordings and file uploads

    location / {
        # the IP address of the JumpServer nginx behind this proxy
        proxy_pass http://192.168.244.144;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```
3 Other SLBs (load balancers)
“Note”
- Only the WebSocket long-connection settings need attention: HTTP/1.1 to the upstream with the `Upgrade` and `Connection` headers passed through, as in the Nginx configurations above.
- Mind session handling: with several JumpServer nodes, all requests from one client must keep reaching the same node (the `sticky` directive in the Nginx upstream above does this).
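Since every hop in a multi-layer setup (section 2) and any other load balancer (section 3) has to pass WebSocket upgrades, a quick lint of each proxied `location` block catches the layer that silently drops terminal sessions. The script below is an added example, not code from the JumpServer docs or project. It assumes only POSIX sh and awk; the two configuration samples embedded in it are constructed, the first mirroring the front-proxy `location` from this page and the second adding a hop that lost two of the three directives.

```shell
#!/bin/sh
# Added example (not JumpServer code): lint every "location { ... }" block that
# proxies upstream for the directives WebSocket upgrades need. Assumes POSIX sh + awk.

# check_ws_locations CONFIG_TEXT
# Prints "OK <location>" or "MISSING in <location>: <directives>" per proxied
# location; returns 1 if any proxied location is incomplete, 0 otherwise.
check_ws_locations() {
    printf '%s\n' "$1" | awk '
    /^[[:space:]]*location[[:space:]]/ {
        inloc = 1; depth = 0; buf = ""; name = $0
        sub(/[[:space:]]*[{].*$/, "", name); sub(/^[[:space:]]+/, "", name)
    }
    inloc {
        buf = buf $0 "\n"
        line = $0
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)   # track nesting
        if (depth == 0) {
            inloc = 0
            if (buf ~ /proxy_pass/) {   # only blocks that actually proxy matter
                miss = ""
                if (buf !~ /proxy_http_version[[:space:]]+1\.1[[:space:]]*;/) miss = miss " proxy_http_version"
                if (buf !~ /proxy_set_header[[:space:]]+Upgrade[[:space:]]+\$http_upgrade[[:space:]]*;/) miss = miss " Upgrade"
                # both forms used on this page are accepted: "upgrade" and $http_connection
                if (buf !~ /proxy_set_header[[:space:]]+Connection[[:space:]]+(.[Uu]pgrade.|\$http_connection)[[:space:]]*;/) miss = miss " Connection"
                if (miss != "") { bad++; print "MISSING in " name ":" miss } else print "OK " name
            }
        }
    }
    END { exit (bad > 0) }'
}

# check_ws_file PATH: convenience wrapper for a real file, e.g.
#   check_ws_file /etc/nginx/conf.d/jumpserver.conf
check_ws_file() { check_ws_locations "$(cat "$1")"; }

# Constructed sample: the front-proxy location from this page, complete.
GOOD_CONF='server {
    listen 80;
    server_name demo.jumpserver.org;
    location / {
        proxy_pass http://192.168.244.144;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}'

# Constructed sample: a second hop where /ws/ lost the Upgrade header and still
# speaks HTTP/1.0 to its upstream; web terminal sessions would die at that layer.
BAD_CONF='server {
    listen 80;
    location / {
        proxy_pass http://192.168.244.144;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /ws/ {
        proxy_pass http://192.168.244.144;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}'
```

Feed each layer's configuration through `check_ws_file` (or the SLB's equivalent settings through `check_ws_locations`); a `MISSING` line names the hop and the directive to add.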
