Reverse Proxy
Specification of JumpServer Reverse Proxy requirements
- The RDP protocol requires a trusted SSL certificate to be deployed before copying and pasting will work.
- Access with the HTTPS protocol enables copying and pasting within RDP assets.
- Following Mozilla SSL Configuration Generator recommendations.
1 Nginx SSL deployment
Prepare the SSL certificate (the certificate must be in 'pem' format).
- Copy the certificate to '/opt/jumpserver/config/nginx/cert'.
- Before updating the configuration file, the JumpServer service must be shut down.
# Stop JumpServer (the config file is read at start-up, so stop the service before editing it)
./jmsctl.sh stop
# Edit JumpServer config file
vi /opt/jumpserver/config/config.txt
...
## Nginx configuration
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389
## HTTPS configuration
HTTPS_PORT=443 # Exposed https port, default 443
SERVER_NAME=www.domain.com # The domain name for https (the name clients connect with; it should match the certificate)
SSL_CERTIFICATE=xxx.pem # Put *.pem certification file to '/opt/jumpserver/config/nginx/cert'
SSL_CERTIFICATE_KEY=xxx.key # Put *.key file to '/opt/jumpserver/config/nginx/cert' (this is the private key: restrict its file permissions)
# Start JumpServer (the new HTTPS settings take effect here)
./jmsctl.sh start
If you need to customize the Nginx configuration file, you can refer to this section.
# Edit the nginx server block that JumpServer ships (only needed for a customized Nginx setup)
vi /opt/jumpserver/config/nginx/lb_http_server.conf
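# Todo: upstream members could perhaps be discovered automatically
upstream http_server {
    # 'sticky' is not a stock nginx directive; it presumably comes from a
    # third-party session-persistence module bundled with JumpServer's nginx —
    # verify before reusing this file with another nginx build.
    sticky name=jms_route;
    server web:80;
    # server HOST2:80; # Multi-node mode
}

# Plain-HTTP listener: only redirects to HTTPS, never serves content.
server {
    listen 80;
    server_name demo.jumpserver.org; # update it with your domain name
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name demo.jumpserver.org; # update it with your domain name
    server_tokens off; # do not reveal the nginx version in headers and error pages

    ssl_certificate cert/server.crt;     # Replace 'server.crt' with your certificate (pem, crt formats are both acceptable), without changing the path 'cert/'
    ssl_certificate_key cert/server.key; # Replace 'server.key' with your private key file, without changing the path 'cert/'
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    # TLS 1.1 is deprecated (RFC 8996) and is not part of the Mozilla
    # "intermediate" profile the rest of this block follows. TLSv1.3 requires
    # nginx >= 1.13.0 built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    client_max_body_size 5000m; # File size limitation for JumpServer uploading

    location / {
        proxy_pass http://http_server;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1; # HTTP/1.1 is required for the WebSocket Upgrade handshake
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # NOTE(review): $remote_addr is the direct peer. If another proxy sits in
        # front of this nginx (section 2), the real client IP arrives in that
        # proxy's X-Forwarded-For header and is overwritten here — confirm how
        # JumpServer is expected to learn the client IP in that layout.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_ignore_client_abort on;
        # Long timeouts keep idle WebSocket sessions (web terminal/RDP) alive.
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 6000;
    }
}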
2 Multi-layer Nginx reverse proxy
Note
- Applies to an upper-level reverse proxy that serves as the single external entry point.
- Multi-layer Nginx reverse proxy
- WebSocket long connections need to be set up for each layer.
# Edit the configuration file of the upper-level (front) nginx, not JumpServer's bundled one
vi /etc/nginx/conf.d/jumpserver.conf
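# Upper-level (front) nginx, plain HTTP. Every proxy layer must allow long-lived
# WebSocket connections, so read/send timeouts are raised above nginx's 60s default.
server {
    listen 80;
    server_name demo.jumpserver.org; # Update it with your domain name
    client_max_body_size 4096m; # File size limitation for JumpServer uploading

    location / {
        # The IP here refers to the IP of the Nginx backended JumpServer
        proxy_pass http://192.168.244.144;
        proxy_http_version 1.1; # HTTP/1.1 is required for the WebSocket Upgrade handshake
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # $remote_addr is the real client here because this is the outermost layer.
        proxy_set_header X-Forwarded-For $remote_addr;
        # Without these, idle WebSocket sessions are dropped after 60s (nginx default).
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
    }
}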
We recommend deploying SSL so that access uses the HTTPS protocol, which is more secure.
- Following Mozilla SSL Configuration Generator recommendations.
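# Plain-HTTP listener: only redirects to HTTPS, never serves content.
server {
    listen 80;
    server_name demo.jumpserver.org; # update it with your domain name
    return 301 https://$server_name$request_uri;
}

# Upper-level (front) nginx with TLS. Every proxy layer must allow long-lived
# WebSocket connections, so read/send timeouts are raised above nginx's 60s default.
server {
    listen 443 ssl http2;
    server_name demo.jumpserver.org; # update it with your domain name
    server_tokens off; # do not reveal the nginx version in headers and error pages

    ssl_certificate sslkey/1_jumpserver.org_bundle.crt;     # Replace with your certificate (full chain)
    ssl_certificate_key sslkey/2_jumpserver.org_bundle.key; # Replace with your private key file
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # TLS 1.1 is deprecated (RFC 8996) and is not part of the Mozilla
    # "intermediate" profile the rest of this block follows. TLSv1.3 requires
    # nginx >= 1.13.0 built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;
    client_max_body_size 4096m; # File size limitation for JumpServer uploading and video file

    location / {
        # The IP here refers to the IP of the Nginx backended JumpServer
        proxy_pass http://192.168.244.144;
        proxy_http_version 1.1; # HTTP/1.1 is required for the WebSocket Upgrade handshake
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # $remote_addr is the real client here because this is the outermost layer.
        proxy_set_header X-Forwarded-For $remote_addr;
        # Without these, idle WebSocket sessions are dropped after 60s (nginx default).
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
    }
}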
- If you are configuring a secondary proxy, you can refer to this pull request for guidance: https://github.com/north-team/jumpserver-docs/pull/213/files
3 Other SLB
Note
- Make sure WebSocket connections are configured as long-lived connections on the load balancer.
- Pay attention to session handling (see the `sticky` upstream setting in section 1).