反向代理

    • RDP 资产的复制粘贴功能要求通过 HTTPS 访问，且证书必须被浏览器信任（自签名或不受信任的证书会导致剪贴板不可用）
    • 通过 https 协议访问就能在 rdp 资产里面使用复制粘贴
    • 下面的 TLS 参数与 Mozilla SSL 配置生成器的 intermediate 方案一致（原文此处的参考链接已缺失）
    • 将证书放到 /opt/jumpserver/config/nginx/cert 里面
    ## Nginx configuration
    HTTP_PORT=80
    SSH_PORT=2222
    RDP_PORT=3389
    ## HTTPS configuration
    USE_LB=1 # 1 enables this option (the HTTPS settings below)
    HTTPS_PORT=443 # external HTTPS port, default 443
    SERVER_NAME=www.domain.com # your HTTPS domain; must match the certificate CN/SAN or browsers will reject it
    SSL_CERTIFICATE=xxx.pem # certificate file placed under /opt/jumpserver/config/nginx/cert (include the intermediate chain)
    SSL_CERTIFICATE_KEY=xxx.key # private key file under /opt/jumpserver/config/nginx/cert; keep it mode 0600, owned by root
    # Restart JumpServer so the new nginx/HTTPS settings take effect
    ./jmsctl.sh restart
    # Todo: maybe the upstream list can be auto-discovered
    upstream http_server {
        # Sticky sessions keyed by the jms_route cookie. NOTE(review): "sticky" is not part of
        # open-source nginx core (NGINX Plus / third-party module); the bundled JumpServer nginx
        # is assumed to provide it -- confirm before reusing this snippet on a stock nginx.
        sticky name=jms_route;
        server web:80;
        # server HOST2:80; # additional nodes
    }
    # Plain-HTTP listener: only redirects to HTTPS so that no session traffic is served in cleartext
    server {
        listen 80;
        server_name demo.jumpserver.org; # change to your own domain
        return 301 https://$server_name$request_uri;
    }
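    # HTTPS front end for JumpServer (TLS terminates here, upstream is plain HTTP inside the compose network)
    server {
        listen 443 ssl http2;
        server_name demo.jumpserver.org; # change to your own domain
        server_tokens off; # hide the nginx version in headers and error pages
        # Certificate and key live in the cert/ directory; change the file names, not the path.
        # The key file should be readable only by root/nginx.
        ssl_certificate cert/server.crt; # your certificate (pem or crt; include the intermediate chain)
        ssl_certificate_key cert/server.key; # your private key
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;
        # TLS 1.0/1.1 are deprecated (RFC 8996) and none of the AEAD ciphers below can be
        # negotiated under them anyway. TLS 1.3 needs nginx >= 1.13 built against OpenSSL >= 1.1.1;
        # drop it from this list only if your nginx build is older.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        # HSTS for two years; only enable once everything under this host name is served over HTTPS
        add_header Strict-Transport-Security "max-age=63072000" always;
        client_max_body_size 5000m; # upload size limit (file transfer and session recordings)
        location / {
            proxy_pass http://http_server;
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_http_version 1.1; # required for the WebSocket upgrade below
            proxy_set_header Host $host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            # $remote_addr rather than $proxy_add_x_forwarded_for: a client cannot spoof the IP that
            # ends up in audit logs. This is only correct when this nginx is the first hop the
            # client reaches; behind another proxy, configure the realip module instead.
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_ignore_client_abort on;
            proxy_connect_timeout 600;
            proxy_send_timeout 600;
            proxy_read_timeout 600;
            send_timeout 6000;
        }
    }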
    # Restart JumpServer so the edited nginx configuration is loaded
    ./jmsctl.sh restart
    • 适合上层还有统一对外出口的反向代理服务器
    • 属于多层 nginx 反向代理
    • 每一层代理都需要透传 WebSocket 长连接（设置 Upgrade / Connection 头，并使用 proxy_http_version 1.1）
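    # Outer (front) proxy, plain HTTP. Traffic to the backend JumpServer nginx is forwarded in
    # cleartext; use the HTTPS variant below when this layer is exposed to users.
    server {
        listen 80;
        server_name demo.jumpserver.org; # change to your own domain
        client_max_body_size 4096m; # upload size limit
        location / {
            # IP of the backend JumpServer nginx
            proxy_pass http://192.168.244.144;
            proxy_buffering off;
            # WebSocket long connections must be passed through at every proxy layer;
            # the Upgrade mechanism only works with HTTP/1.1 to the upstream (nginx defaults to 1.0)
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            # Overwrites rather than appends. The backend nginx in turn sets X-Forwarded-For to its
            # own $remote_addr (this proxy's IP), so the real client IP is lost in audit logs unless
            # the backend is configured to trust this proxy (realip: set_real_ip_from / real_ip_header).
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }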
    # Plain-HTTP listener of the outer proxy: redirect everything to HTTPS
    server {
        listen 80;
        server_name demo.jumpserver.org; # change to your own domain
        return 301 https://$server_name$request_uri;
    }
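    # Outer (front) proxy with TLS termination; the hop to the backend JumpServer nginx is plain HTTP,
    # so keep that network segment private.
    server {
        listen 443 ssl http2;
        server_name demo.jumpserver.org; # change to your own domain
        server_tokens off; # hide the nginx version in headers and error pages
        ssl_certificate sslkey/1_jumpserver.org_bundle.crt; # your certificate (with intermediate chain)
        ssl_certificate_key sslkey/2_jumpserver.org_bundle.key; # your private key; readable only by root/nginx
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        # TLS 1.0/1.1 are deprecated (RFC 8996) and cannot negotiate any of the AEAD ciphers above.
        # TLS 1.3 needs nginx >= 1.13 built against OpenSSL >= 1.1.1; drop it only on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        # HSTS for two years; only enable once everything under this host name is served over HTTPS
        add_header Strict-Transport-Security "max-age=63072000" always;
        client_max_body_size 4096m; # upload size limit for session recordings and file transfer
        location / {
            # IP of the backend JumpServer nginx
            proxy_pass http://192.168.244.144;
            proxy_http_version 1.1; # required for the WebSocket upgrade
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            # Overwrites rather than appends. The backend nginx sets X-Forwarded-For to its own
            # $remote_addr (this proxy's IP), so the real client IP is lost in audit logs unless the
            # backend trusts this proxy via the realip module (set_real_ip_from / real_ip_header).
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }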
    • 二级代理可以参考上文「多层 nginx 反向代理」的配置示例（原文此处的参考链接已缺失）
    • 需要注意 websocket 长连接设置即可