反向代理

    • rdp 协议复制粘贴需要部署可信任的 ssl 证书
    • 通过 https 协议访问就能在 rdp 资产里面使用复制粘贴
    • 遵循 Mozilla SSL Configuration Generator 建议
    • 将证书放到 /opt/jumpserver/config/nginx/cert 里面
    3. ## Nginx 配置, USE_LB=1 表示开启, 为 0 的情况下, HTTPS_PORT 定义不生效
    4. HTTP_PORT=80
    5. SSH_PORT=2222
    6. RDP_PORT=3389
    8. USE_LB=1           # 1 表示开启此选项
    9. HTTPS_PORT=443     # 对外 https 端口
    1. # Todo: May be can auto discovery
    2. upstream http_server {
    3.   sticky name=jms_route;
    4.   server web:80;
    5.   # server HOST2:80;  # 多节点
    6. }
    8. server {
    9.   listen 80;
    10.   server_name demo.jumpserver.org;  # 自行修改成你自己的域名
    11.   return 301 https://$server_name$request_uri;
    12. }
    14. server {
    15.   listen 443 ssl;
    16.   server_name demo.jumpserver.org;      # 自行修改成你自己的域名
    17.   server_tokens off;
    18.   ssl_certificate_key cert/server.key;  # 修改 server.crt 为你的证书密钥文件, 不要改路径 certs/
    19.   ssl_session_timeout 1d;
    21.   ssl_session_tickets off;
    22.   ssl_protocols TLSv1.1 TLSv1.2;
    24.   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    25.   ssl_prefer_server_ciphers off;
    26.   add_header Strict-Transport-Security "max-age=63072000" always;
    28.   client_max_body_size 5000m;  # 上传文件大小限制
    30.   location / {
    31.     proxy_pass http://http_server;
    32.     proxy_buffering off;
    33.     proxy_request_buffering off;
    34.     proxy_http_version 1.1;
    35.     proxy_set_header Host $host;
    36.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    37.     proxy_set_header Upgrade $http_upgrade;
    38.     proxy_set_header Connection $http_connection;
    40.     proxy_ignore_client_abort on;
    41.     proxy_connect_timeout 600;
    42.     proxy_send_timeout 600;
    43.     proxy_read_timeout 600;
    44.     send_timeout 6000;
    45.   }
    46. }
    • 适合上层还有统一对外出口的反向代理服务器
    • 属于多层 nginx 反向代理
    • 每一层都需要设置 websocket 长连接
    1. vi /etc/nginx/conf.d/jumpserver.conf
    1. server {
    3.     server_name demo.jumpserver.org;  # 自行修改成你的域名
    4.     return 301 https://$server_name$request_uri;
    5. }
    6. server {
    7.     listen 443 ssl;
    8.     server_name          demo.jumpserver.org;  # 自行修改成你的域名
    9.     ssl_certificate      sslkey/1_jumpserver.org_bundle.crt;  # 自行设置证书
    10.     ssl_certificate_key  sslkey/2_jumpserver.org_bundle.key;  # 自行设置证书
    11.     ssl_session_timeout 1d;
    12.     ssl_session_cache shared:MozSSL:10m;
    13.     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    14.     ssl_prefer_server_ciphers off;
    15.     ssl_protocols TLSv1.1 TLSv1.2;
    16.     add_header Strict-Transport-Security "max-age=63072000" always;
    18.     client_max_body_size 4096m;  # 录像及文件上传大小限制
    19.     location / {
    20.         # 这里的 ip 是后端 JumpServer nginx 的 ip
    21.         proxy_pass http://192.168.244.144;
    22.         proxy_http_version 1.1;
    23.         proxy_buffering off;
    24.         proxy_request_buffering off;
    25.         proxy_set_header Upgrade $http_upgrade;
    26.         proxy_set_header Connection "upgrade";
    27.         proxy_set_header X-Real-IP $remote_addr;
    28.         proxy_set_header Host $host;
    29.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    30.     }
    • 需要注意 websocket 长连接设置即可
    • 需要注意 session 问题