feizhiyun/jumpserver 反向代理:Nginx配置指南



概述

在企业级部署中,使用Nginx作为JumpServer的反向代理是标准实践。通过Nginx反向代理,可以实现负载均衡、SSL/TLS终止、安全加固、缓存优化等功能。本文将详细介绍JumpServer的Nginx反向代理配置,涵盖HTTP、HTTPS、WebSocket等多种场景。

为什么需要反向代理?

核心优势

  • 安全加固:隐藏后端服务细节,防止直接暴露服务端口
  • SSL/TLS终止:集中管理证书,减轻后端服务加密负担
  • 负载均衡:支持多实例部署,提高系统可用性
  • 性能优化:静态文件缓存,减少后端请求压力
  • 统一入口:提供统一的访问地址和端口

JumpServer服务端口分析

在配置反向代理前,需要了解JumpServer的核心服务端口:

服务类型 | 默认端口 | 作用描述
HTTP服务 | 8080 | Web界面和API接口
WebSocket服务 | 8070 | 实时终端通信
静态文件 | - | CSS、JS、图片等资源

基础HTTP反向代理配置

最简单的HTTP配置

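# 最简单的 HTTP 反向代理:只适合内网测试/演示。
# 明文 HTTP 会让登录口令和会话 Cookie 在网络上以明文传输,生产环境请使用下文的 HTTPS 配置;
# 此块也没有处理 WebSocket(见后文"WebSocket代理配置")。
server {
    listen 80;
    server_name jumpserver.example.com;
    
    location / {
        proxy_pass http://127.0.0.1:8080;
        # Host / X-Forwarded-* 让后端能生成正确的 URL 并记录真实客户端地址;
        # X-Forwarded-For 只有在 Nginx 是唯一入口时才可信。
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    # 静态文件处理
    # expires 本身就会输出 Cache-Control: max-age=...,再用 add_header 追加 Cache-Control
    # 会产生两个同名响应头;改为由一条 add_header 给出完整值(30 天 = 2592000 秒)。
    location /static/ {
        alias /path/to/jumpserver/static/;
        add_header Cache-Control "public, max-age=2592000, immutable";
    }
    
    # 媒体文件处理
    # 注意:若 media 目录中存放会话录像等敏感数据,由 Nginx 直接提供会绕过应用层鉴权,
    # 请先确认目录内容,必要时改为由后端鉴权后提供。
    location /media/ {
        alias /path/to/jumpserver/media/;
        add_header Cache-Control "public, max-age=2592000";
    }
}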

配置参数详解

(原文此处为 mermaid 图表,未能渲染)

HTTPS安全配置

SSL证书配置

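server {
    listen 443 ssl http2;
    server_name jumpserver.example.com;
    
    # SSL证书配置(证书文件应包含中间证书链;私钥文件只应对 Nginx 运行用户可读)
    ssl_certificate /etc/ssl/certs/jumpserver.crt;
    ssl_certificate_key /etc/ssl/private/jumpserver.key;
    
    # SSL优化配置
    ssl_protocols TLSv1.2 TLSv1.3;
    # 只列出真实存在的 AEAD/前向保密套件。原先的 *-AES256-GCM-SHA512 并不是 OpenSSL 的套件名,
    # OpenSSL 会静默忽略未知名称,导致实际生效的列表与配置意图不一致。
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    
    # HSTS头(always:错误响应也带上)
    # 注意:Nginx 的 add_header 只在当前层级没有任何 add_header 时才向 location 继承;
    # 任何 location 内再写 add_header,都会让这里的 HSTS 在该 location 的响应中消失。
    add_header Strict-Transport-Security "max-age=63072000" always;
    
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # 后端通常依据此头判断原始协议是否为 https(生成链接、Cookie 安全属性等)
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}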

HTTP重定向到HTTPS

# 把所有明文 HTTP 请求永久重定向到 HTTPS。
# 目标地址使用 $server_name 而不是 $host,避免把客户端可控的 Host 头原样写入 Location。
server {
    listen 80;
    server_name jumpserver.example.com;
    return 301 https://$server_name$request_uri;
}

WebSocket代理配置

JumpServer的终端功能依赖WebSocket通信,必须正确配置:

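# WebSocket 握手需要 HTTP/1.1 以及 Upgrade / Connection 两个逐跳头。
# 用 map 根据客户端是否携带 Upgrade 头来决定发给后端的 Connection 值,
# 这样普通 HTTP 请求不会被无条件加上 "Connection: upgrade"。map 必须放在 http 层级。
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name jumpserver.example.com;
    
    # ... SSL配置同上
    
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # WebSocket超时设置
        # 86400s 同样作用于普通 HTTP 请求:后端挂起时该连接会被占用一天。
        # 只有当 / 路径下确实存在 WebSocket 时才需要这么长,否则请缩短。
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
    
    # 特定WebSocket路径代理
    location /ws/ {
        proxy_pass http://127.0.0.1:8070;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # 终端空闲时也要保持长连接
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
}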

高级配置选项

负载均衡配置

# 主应用后端池:weight 越大分到的请求越多
upstream jumpserver_backend {
    server 192.168.1.10:8080 weight=3;
    server 192.168.1.11:8080 weight=2;
    server 192.168.1.12:8080 weight=1;
    
    # 会话保持
    # ip_hash 按客户端源 IP 选后端。若 Nginx 前面还有 NAT 或另一层负载均衡,
    # 所有请求会带同一个源 IP 而全部落到同一后端,此时需改用其他会话保持方式。
    # 另外 Nginx 到后端走的是明文 HTTP(TLS 在 Nginx 终止),这段内网链路必须受信任。
    # 多实例部署通常还要求各实例共享数据库与会话存储,本文未展示。
    ip_hash;
}

# WebSocket 后端池(同样是 Nginx 到后端明文 HTTP)
upstream jumpserver_ws {
    server 192.168.1.10:8070;
    server 192.168.1.11:8070;
    server 192.168.1.12:8070;
    
    # WebSocket需要ip_hash保持连接
    # 单个 WebSocket 连接一旦建立就固定在一个后端上;ip_hash 只是让同一客户端
    # 的后续连接尽量落到同一实例,是否需要这种粘性取决于后端是否在本地保存会话状态。
    # 前置 NAT 会让 ip_hash 失效,见上一个 upstream 的说明。
    ip_hash;
}

# 负载均衡入口。此块省略了证书/协议配置,单独使用时必须补齐:
# listen 443 ssl 而没有 ssl_certificate 会导致 Nginx 启动失败。
server {
    listen 443 ssl;
    server_name jumpserver.example.com;
    
    location / {
        proxy_pass http://jumpserver_backend;
        # ... 其他配置
        # (即前文的 proxy_set_header Host / X-Real-IP / X-Forwarded-* 等)
    }
    
    location /ws/ {
        proxy_pass http://jumpserver_ws;
        # ... WebSocket配置
        # (即前文的 proxy_http_version 1.1、Upgrade/Connection 头以及长超时)
    }
}

安全加固配置

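server {
    # ... 基本配置
    
    # 安全头设置
    # Nginx 的 add_header 只在当前层级没有 add_header 时才向 location 继承;
    # 若某个 location 自己用了 add_header,需要在该 location 内重复这些安全头。
    # always:4xx/5xx 等错误响应也带上这些头。
    # X-Frame-Options:若 JumpServer 的 Web 终端等页面需要同源 iframe 嵌入,
    # DENY 会把同源嵌入也拦住;确认不需要任何嵌入时可改回 DENY。
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    # X-XSS-Protection 已被主流浏览器废弃,保留只为兼容旧浏览器;现代替代方案是 CSP
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    
    # 限制请求体大小(决定文件上传上限,按实际需要调整)
    client_max_body_size 100M;
    
    # 隐藏服务器版本信息
    server_tokens off;
    
    # 限制请求方法
    # 原列表缺少 PATCH:Django REST Framework 风格的 API 用 PATCH 做部分更新,
    # 拦截它会让相应的 API 调用返回 405。server 级别的 if + return 是 Nginx 认可的安全用法。
    if ($request_method !~ ^(GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)$) {
        return 405;
    }
}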

性能优化配置

缓存策略

# 静态资源缓存
# 注意:正则 location 的优先级高于普通前缀 location,这条规则会截获 /static/app.js 这类请求;
# 而它没有 root/alias,文件会按 Nginx 默认根目录查找。若与上文的 location /static/ { alias ... }
# 并用,需把前缀 location 改为 "location ^~ /static/" 或在这里补上 root,否则静态文件会 404。
# Access-Control-Allow-Origin "*" 允许任何站点读取这些资源,仅适用于真正公开的静态文件;
# 这里的 add_header 同样会阻断 server 级安全头的继承。
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
    expires 1y;
    add_header Cache-Control "public, immutable";
    add_header Access-Control-Allow-Origin "*";
}

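# API响应缓存
# 风险:堡垒机 API 的响应几乎都按登录用户个性化,而默认缓存键只包含 URL。
# 若后端没有返回 Cache-Control: private/no-store,用户 A 的响应可能被缓存后返回给用户 B。
# 这里对携带 Cookie 或 Authorization 的请求一律绕过缓存且不写入缓存,只缓存匿名响应。
location ~ ^/api/ {
    proxy_cache jumpserver_cache;
    proxy_cache_bypass $http_authorization $http_cookie;
    proxy_no_cache $http_authorization $http_cookie;
    proxy_cache_valid 200 302 5m;
    proxy_cache_valid 404 1m;
    # 后端出错时继续返回过期缓存;注意这也会掩盖后端故障
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    
    # 该头会向客户端暴露缓存命中情况,并且会阻断 server 级 add_header(安全头)的继承
    add_header X-Cache-Status $upstream_cache_status;
}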

Gzip压缩

# Gzip 压缩。gzip_proxied any 表示从后端代理来的动态响应也会被压缩。
# 注意:对 TLS 下同时包含秘密(例如 CSRF token)且内容受请求参数影响的动态响应
# (典型是 application/json)启用压缩,存在 BREACH 一类的压缩侧信道风险;
# 若有顾虑,可只对 css/js 等静态类型压缩,把动态内容是否压缩交给后端决定。
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
    text/plain
    text/css
    text/xml
    text/javascript
    application/javascript
    application/xml
    application/json
    application/xhtml+xml
    application/x-font-ttf
    application/x-font-opentype
    image/svg+xml;

完整配置示例

生产环境完整配置

# 定义缓存路径
# 缓存会把后端响应落盘,目录应只对 Nginx 运行用户可读写。
# keys_zone 的名称 jumpserver_cache 必须与 proxy_cache 指令一致;该指令只能放在 http 层级。
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=jumpserver_cache:10m max_size=1g inactive=60m;

# HTTP重定向
# 所有明文请求 301 到 HTTPS;用 $server_name 而非 $host,避免把客户端可控的 Host 头写入 Location
server {
    listen 80;
    server_name jumpserver.example.com;
    return 301 https://$server_name$request_uri;
}

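# HTTPS主配置
server {
    listen 443 ssl http2;
    server_name jumpserver.example.com;
    
    # SSL证书(证书文件应包含中间证书链;私钥文件只应对 Nginx 运行用户可读)
    ssl_certificate /etc/ssl/certs/jumpserver.crt;
    ssl_certificate_key /etc/ssl/private/jumpserver.key;
    
    # SSL配置
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    
    # 安全头
    # Nginx 的 add_header 只在当前层级没有 add_header 时才向 location 继承。
    # 为了让这些头覆盖所有响应,下面各个 location 里都不再使用 add_header
    # (静态文件的缓存头由 expires 生成,健康检查用 default_type 设定类型)。
    # always:4xx/5xx 等错误响应也带上这些头。
    add_header Strict-Transport-Security "max-age=63072000" always;
    # 若 Web 终端等页面需要同源 iframe 嵌入,DENY 会连同源嵌入也拦住;确认不需要嵌入时可改回 DENY
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    # 已被主流浏览器废弃,仅为兼容旧浏览器保留
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    
    # 静态文件(expires 会同时输出 Expires 和 Cache-Control: max-age)
    # 静态文件若没有版本号/哈希,一年缓存意味着升级后客户端可能继续使用旧文件
    location /static/ {
        alias /opt/jumpserver/static/;
        expires 1y;
        access_log off;
    }
    
    # 媒体文件
    # 注意:若该目录存放会话录像等敏感数据,由 Nginx 直接提供会绕过应用层鉴权,
    # 请先确认目录内容,必要时改为由后端鉴权后提供。
    location /media/ {
        alias /opt/jumpserver/media/;
        expires 30d;
        access_log off;
    }
    
    # WebSocket代理
    location /ws/ {
        proxy_pass http://127.0.0.1:8070;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # 终端空闲时也要保持长连接
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
    
    # 主应用代理
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # 缓存配置
        # 页面与 API 响应大多按登录用户个性化,而默认缓存键只包含 URL;
        # 带 Cookie 或 Authorization 的请求一律绕过缓存且不写入缓存,只缓存匿名响应。
        proxy_cache jumpserver_cache;
        proxy_cache_bypass $http_authorization $http_cookie;
        proxy_no_cache $http_authorization $http_cookie;
        proxy_cache_valid 200 302 5m;
        proxy_cache_valid 404 1m;
        
        # 超时设置(此 location 未配置 Upgrade 头,WebSocket 请统一走 /ws/)
        proxy_connect_timeout 30s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
    }
    
    # 健康检查:无需鉴权的探活端点,只返回固定文本,不触碰后端
    location /health {
        access_log off;
        # return 的响应类型由 default_type 决定;不用 add_header,以免阻断上面安全头的继承
        default_type text/plain;
        return 200 "healthy\n";
    }
}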

常见问题排查

WebSocket连接失败

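# 检查Nginx错误日志
tail -f /var/log/nginx/error.log

# 测试WebSocket连接
# 完整的握手还需要 Sec-WebSocket-Key 和 Sec-WebSocket-Version,缺少时多数服务端直接返回 400,
# 容易被误判为代理配置问题;Origin 应与实际访问协议一致(这里是 https)。
# --http1.1:443 上开启了 http2 时 curl 可能协商成 HTTP/2,而 Upgrade 握手只在 HTTP/1.1 下有效。
# 成功的标志是响应行为 "HTTP/1.1 101 Switching Protocols"。
curl --http1.1 -i -N \
  -H "Connection: Upgrade" -H "Upgrade: websocket" \
  -H "Sec-WebSocket-Version: 13" \
  -H "Sec-WebSocket-Key: $(openssl rand -base64 16)" \
  -H "Host: jumpserver.example.com" -H "Origin: https://jumpserver.example.com" \
  https://jumpserver.example.com/ws/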

SSL证书问题

# 检查SSL证书配置
# -servername 触发 SNI;输出中可以看到协商出的协议版本、加密套件以及服务端发送的证书链
openssl s_client -connect jumpserver.example.com:443 -servername jumpserver.example.com

# 验证证书链
# 若 jumpserver.crt 只含站点证书而中间证书在另一个文件里,需要再用 -untrusted 指定中间证书
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/jumpserver.crt

性能监控

# 在Nginx配置中添加状态监控
# 放入对外的 server 块中。allow/deny 按 TCP 源地址判断,不看 X-Forwarded-For:
# 只放行本机;若要从监控主机访问,再精确加入其地址,不要整体放行前置代理的地址,
# 否则经该代理而来的所有客户端都能读取状态页。
location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    deny all;
}

总结

通过合理的Nginx反向代理配置,可以显著提升JumpServer的安全性、性能和可用性。关键配置要点包括:

  1. 正确的WebSocket代理配置:确保终端功能正常工作
  2. SSL/TLS优化:提供安全的HTTPS连接
  3. 静态资源缓存:减轻后端服务压力
  4. 安全头设置:增强应用安全性
  5. 负载均衡:支持高可用部署

遵循本文的配置指南,您可以构建一个安全、高性能的JumpServer生产环境。记得在修改配置后使用 nginx -t 测试配置语法,然后使用 systemctl reload nginx 重新加载配置。


创作声明:本文部分内容由AI辅助生成(AIGC),仅供参考
