Reverse Proxy

Specification of JumpServer Reverse Proxy requirements

• rdp protocol need to deploy a trusted SSL certification for copying and pasting.
• Access with the HTTPS protocol enables copying and pasting within RDP assets.
• Following Mozilla SSL Configuration Generator recommendations.

1 Nginx SSL deployment

Prepare the SSL certification (the format of certification is 'pem')

• Copy the certification to '/opt/jumpserver/config/nginx/cert'.
• Before updating the configuration file, it's necessary to shut down the JumpServer service.

# Stop JumpServer
./jmsctl.sh stop

# Edit JumpServer config file
vi /opt/jumpserver/config/config.txt

...

## Nginx configuration
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389

## HTTPS configuration
HTTPS_PORT=443               # Exposed https port, default 443
SERVER_NAME=www.domain.com   # The domain name for https
SSL_CERTIFICATE=xxx.pem      # Put *.pem certification file to '/opt/jumpserver/config/nginx/cert' 
SSL_CERTIFICATE_KEY=xxx.key  # Put *.key file to '/opt/jumpserver/config/nginx/cert'

# Start JumpServer 
./jmsctl.sh start

If you need to customize the Nginx configuration file, you can refer to this section.

vi /opt/jumpserver/config/nginx/lb_http_server.conf

# Todo: May be can auto discovery
upstream http_server {
  sticky name=jms_route;
  server web:80;
  # server HOST2:80;  # Multi-node mode
}

server {
  listen 80;
  server_name demo.jumpserver.org;  # update it with your domain name
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  server_name demo.jumpserver.org;      # update it with your domain name
  server_tokens off;
  ssl_certificate cert/server.crt;      # Replace 'server.crt' with your certificate (pem, crt formats are both acceptable), without changing the path 'certs/'
  ssl_certificate_key cert/server.key;  # Replace 'server.crt' with your certificate key file, without changing the path 'certs/'
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;
  ssl_session_tickets off;
  ssl_protocols TLSv1.1 TLSv1.2;

  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;
  add_header Strict-Transport-Security "max-age=63072000" always;

  client_max_body_size 5000m;  # File siza limitation for JumpServer uploading 

  location / {
    proxy_pass http://http_server;
    proxy_buffering off;
    proxy_request_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header X-Forwarded-For $remote_addr;

    proxy_ignore_client_abort on;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 6000;
  }
}

2 Multi-layer Nginx reverse proxy

Prompt

• Suitable for upper-level and unified external exit reverse proxy servers
• Multi-layer Nginx reverse proxy
• WebSocket long connections need to be set up for each layer.

# Edit the configuration file
vi /etc/nginx/conf.d/jumpserver.conf

server {

    listen 80;
    server_name demo.jumpserver.org;  # Update it with your domain name

    client_max_body_size 4096m;  # File siza limitation for JumpServer uploading

    location / {
            # The IP here refers to the IP of the Nginx backended JumpServer
            proxy_pass http://192.168.244.144;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
    }
}

We recommend deploying SSL for more secure access using the HTTPS protocol

• Following Mozilla SSL Configuration Generator recommendations.

server {
    listen 80;
    server_name demo.jumpserver.org;  # update it with your domain name
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name          demo.jumpserver.org;  # update it with your domain name
    ssl_certificate      sslkey/1_jumpserver.org_bundle.crt;  # Replacement with your certificate
    ssl_certificate_key  sslkey/2_jumpserver.org_bundle.key;  # Replacement with your certificate
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_protocols TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=63072000" always;

    client_max_body_size 4096m;  # File siza limitation for JumpServer uploading and video file
    location / {
        # The IP here refers to the IP of the Nginx backended JumpServer
        proxy_pass http://192.168.244.144;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

• If your configure with secondary proxy You can refer to it for guidance (https://github.com/north-team/jumpserver-docs/pull/213/files)

3 Other SLB

Prompt

• Please pay attention to set the WebSocket with long connection mode
• Please pay attention to usage of session