Nginx Websocket Proxy


Nginx wss Configuration

跳板机是所有服务器的入口,所以,它的安全至关重要。因此,建议把Jumpserver搭建在内网环境中,并且加上SSL证书,保证数据传输的安全。

配置适用于版本:v0.3.1-2
  • 示例如下

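#user    nginx;
worker_processes        1;

error_log       /var/log/nginx/error.log;
pid     /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # One quoted fragment per line: nginx concatenates them, so each log
    # entry stays on a single line. (The original wrapped one quoted string
    # across several lines, embedding the line breaks and indentation in
    # every log entry.)
    log_format jumpserver '$host $remote_addr - $remote_user [$time_local] "$request" '
                          '$status $upstream_status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" $ssl_protocol '
                          '$ssl_cipher $upstream_addr $request_time $upstream_response_time';

    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" with the same effect.
        listen 443 ssl;
        server_name YOUR_DOMAIN;
        server_name_in_redirect off;

        access_log /var/log/nginx/jumpserver_access.log jumpserver;
        error_log /var/log/nginx/jumpserver_error.log;

        # Long timeouts so idle WebSocket sessions are not cut off (values unchanged).
        proxy_connect_timeout 300;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
        proxy_buffer_size 64k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;

        ssl_certificate YOUR_DOMAIN_CRT;
        ssl_certificate_key YOUR_DOMAIN_KEY;
        # Only consulted when ssl_verify_client is enabled; it must then point
        # at the CA that issues the client certificates, not at the server's
        # own certificate.
        ssl_client_certificate YOUR_DOMAIN_CRT;
        #ssl_verify_client on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:10m;
        # SSLv2/SSLv3 are broken protocols and RC4/EXPORT/LOW cipher suites
        # are no longer safe; the original directives enabled all of them.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW:!3DES;
        ssl_prefer_server_ciphers on;

        location = /favicon.ico {
            log_not_found off;
        }

        # WebSocket endpoint: same upstream as "/" (127.0.0.1 in both places so
        # "localhost" cannot resolve differently), but the connection must be
        # upgraded, which needs HTTP/1.1 plus the Upgrade/Connection headers.
        location ^~ /ws/ {
            proxy_pass http://127.0.0.1:8000/ws/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # WebSocket support (nginx 1.4)
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        # Everything else is proxied; "root"/"index" from the original were
        # dead directives here because proxy_pass handles the content phase.
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # $scheme yields "https"/"http"; the original used $https, which
            # is "on" or empty and is not what X-Forwarded-Proto consumers
            # conventionally expect.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://127.0.0.1:8000;
        }
    }

    # Plain-HTTP listener: redirect everything to the TLS server above.
    server {
        listen 80;
        server_name YOUR_DOMAIN;
        charset utf-8;
        # NOTE: the certificate above is issued for YOUR_DOMAIN; redirecting to
        # a bare IP makes browsers warn about a name mismatch unless the
        # certificate also covers that IP. Prefer the domain name here when
        # the server has one.
        return 301 https://JUMPSERVER_IP$request_uri;
    }
}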
  • 此配置会强制使用https
  • 请替换如下表格的关键字
关键字 示例 说明
YOUR_DOMAIN example.com Jumpserver 的域名
YOUR_DOMAIN_CRT /etc/nginx/certs/example.crt SSL证书的CRT文件
YOUR_DOMAIN_KEY /etc/nginx/certs/example.key SSL证书的KEY文件
JUMPSERVER_IP 192.168.20.137 Jumpserver 服务器IP
  • 需要修改 jumpserver.conf 配置文件中的[base]部分

[base]
url = https://JUMPSERVER_IP
key = uxca4nkzetk08ww0
ip = JUMPSERVER_LOCALHOST
port = 8000
log = debug

[db]
host = 127.0.0.1
port = 3306
user = jumpserver
...
...
  • 请替换如下表格的关键字
关键字 示例 说明
JUMPSERVER_IP 192.168.20.137 Jumpserver 服务器IP
JUMPSERVER_LOCALHOST 127.0.0.1 Jumpserver 服务器本地IP
debug warning 已上线使用的日志级别应该改为 warning