反向代理

    • rdp 协议复制粘贴需要部署可信任的 ssl 证书
    • 通过 https 协议访问就能在 rdp 资产里面使用复制粘贴
    • 遵循 Mozilla SSL Configuration Generator 建议
    • 将证书放到 /opt/jumpserver/config/nginx/cert 里面
    3. ## Nginx 配置,这个 Nginx 是用来分发路径到不同的服务
    4. HTTP_PORT=8080
    5. HTTPS_PORT=8443
    6. SSH_PORT=2222
    8. ## LB 配置, 这个 Nginx 是 HA 时可以启动负载均衡到不同的主机
    9. USE_LB=1                   # 启用 LB
    10. LB_HTTP_PORT=80            # 启用 80   端口(http)
    11. LB_HTTPS_PORT=443          # 启用 443  端口(https)
    12. LB_SSH_PORT=2223           # 启用 2223 端口(ssh)
    1. # Todo: May be can auto discovery
    2. upstream http_server {
    3.   sticky name=jms_route;
    4.   server nginx:80;
    5.   # server HOST2:8080;  # 多节点
    6. }
    8. server {
    9.   listen 80;
    10.   server_name demo.jumpserver.org;  # 自行修改成你自己的域名
    11.   return 301 https://$server_name$request_uri;
    12. }
    14. server {
    15.   listen 443 ssl;
    16.   server_tokens off;
    17.   ssl_certificate cert/server.crt;      # 修改成你自己的证书
    19.   ssl_session_timeout 1d;
    20.   ssl_session_cache shared:MozSSL:10m;
    21.   ssl_session_tickets off;
    22.   ssl_protocols TLSv1.1 TLSv1.2;
    24.   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    25.   ssl_prefer_server_ciphers off;
    26.   add_header Strict-Transport-Security "max-age=63072000" always;
    28.   client_max_body_size 5000m;  # 上传文件大小限制
    30.   location / {
    31.     proxy_pass http://http_server;
    32.     proxy_buffering off;
    33.     proxy_request_buffering off;
    34.     proxy_http_version 1.1;
    35.     proxy_set_header Host $host;
    36.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    37.     proxy_set_header Upgrade $http_upgrade;
    38.     proxy_set_header Connection $http_connection;
    40.     proxy_ignore_client_abort on;
    41.     proxy_connect_timeout 600;
    42.     proxy_send_timeout 600;
    43.     proxy_read_timeout 600;
    44.     send_timeout 6000;
    45.   }
    46. }
    • 适合上层还有统一对外出口的反向代理服务器
    • 属于多层 nginx 反向代理
    • 每一层都需要设置 websocket 长连接
      • 遵循 建议
      2.     listen 80;
      3.     server_name demo.jumpserver.org;  # 自行修改成你的域名
      4.     return 301 https://$server_name$request_uri;
      5. }
      6. server {
      7.     listen 443 ssl;
      8.     server_name          demo.jumpserver.org;  # 自行修改成你的域名
      9.     ssl_certificate      sslkey/1_jumpserver.org_bundle.crt;  # 自行设置证书
      10.     ssl_certificate_key  sslkey/2_jumpserver.org_bundle.key;  # 自行设置证书
      11.     ssl_session_timeout 1d;
      12.     ssl_session_cache shared:MozSSL:10m;
      13.     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
      14.     ssl_prefer_server_ciphers off;
      15.     ssl_protocols TLSv1.1 TLSv1.2;
      16.     ssl_prefer_server_ciphers off;
      17.     add_header Strict-Transport-Security "max-age=63072000" always;
      19.     client_max_body_size 4096m;  # 录像及文件上传大小限制
      20.     location / {
      21.         # 这里的 ip 是后端 JumpServer nginx 的 ip
      22.         proxy_pass http://192.168.244.144;
      23.         proxy_http_version 1.1;
      24.         proxy_buffering off;
      25.         proxy_request_buffering off;
      26.         proxy_set_header Upgrade $http_upgrade;
      27.         proxy_set_header Connection "upgrade";
      28.         proxy_set_header X-Real-IP $remote_addr;
      29.         proxy_set_header Host $host;
      30.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      32. }
      • 需要注意 websocket 长连接设置即可