
Installing SSL Certificates and Configuring HTTPS

What is the Purpose of JumpServer Reverse Proxy?

Nginx provides support for secure WebSockets (wss://): it manages connection handling and secures the channel with an SSL certificate. Copy-paste for RDP assets is available only when JumpServer is accessed over HTTPS, so to enable it you must deploy a trusted SSL certificate.

Installing SSL Certificates and Configuring HTTPS for the Web Interface

Prepare an SSL certificate (ensure the certificate is in PEM format). Place the certificate and its key file in the directory /opt/jumpserver/config/nginx/cert.

Stop the JumpServer service:

./jmsctl.sh stop

Open the JumpServer configuration file:

vi /opt/jumpserver/config/config.txt

Find and update the Nginx configuration parameters:

## Nginx Configuration
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389

## HTTPS Configuration
HTTPS_PORT=443               # External port for HTTPS, default is 443
SERVER_NAME=www.domain.com   # Your domain for HTTPS
SSL_CERTIFICATE=xxx.pem      # Certificate file name in /opt/jumpserver/config/nginx/cert
SSL_CERTIFICATE_KEY=xxx.key  # Key file name in /opt/jumpserver/config/nginx/cert

Save the configuration changes and start JumpServer:

./jmsctl.sh start
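
A pre-flight check for the values entered in config.txt, meant to run before the start command above (an added example, not part of the JumpServer tooling; the function names conf_get, fail and check_jms_https are hypothetical). It confirms that the four HTTPS settings are present, that the certificate and key exist in the cert directory as PEM files, and that the key is not world-readable; it does not verify that the key matches the certificate.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the HTTPS settings in config.txt.
# conf_get, fail and check_jms_https are hypothetical helper names.

# Print KEY's value from a KEY=value file, dropping any trailing "# comment".
conf_get() {  # usage: conf_get FILE KEY
    sed -n "s/^$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 | tr -d '[:space:]'
}

fail() { echo "FAIL: $*" >&2; }

# usage: check_jms_https [CONFIG_FILE] [CERT_DIR]; returns 0 when all checks pass
check_jms_https() {
    local conf="${1:-/opt/jumpserver/config/config.txt}"
    local certdir="${2:-/opt/jumpserver/config/nginx/cert}"
    local rc=0 k cert key
    [ -r "$conf" ] || { fail "cannot read $conf"; return 1; }

    for k in HTTPS_PORT SERVER_NAME SSL_CERTIFICATE SSL_CERTIFICATE_KEY; do
        [ -n "$(conf_get "$conf" "$k")" ] || { fail "$k is not set"; rc=1; }
    done
    cert=$(conf_get "$conf" SSL_CERTIFICATE)
    key=$(conf_get "$conf" SSL_CERTIFICATE_KEY)

    # config.txt expects file names inside the cert directory, not paths.
    case "$cert$key" in
        */*) fail "SSL_CERTIFICATE(_KEY) must be a file name, not a path"; rc=1 ;;
    esac

    # PEM files carry a text armor line; DER or PKCS#12 files do not.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$certdir/$cert" 2>/dev/null ||
        { fail "$cert is missing or is not a PEM certificate"; rc=1; }
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$certdir/$key" 2>/dev/null ||
        { fail "$key is missing or is not a PEM private key"; rc=1; }

    # The private key must not be readable by every local account.
    if [ -f "$certdir/$key" ] && [ -n "$(find "$certdir/$key" -perm -004)" ]; then
        fail "$key is world-readable; restrict it, e.g. chmod 600"
        rc=1
    fi
    return "$rc"
}
```

Run it as `check_jms_https && ./jmsctl.sh start` so the service only starts when every check passes.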

If you need to further edit the Nginx configuration file:

vi /opt/jumpserver/config/nginx/lb_http_server.conf

Multi-Layered Reverse Proxy on Nginx

Hint: This configuration is suitable when there is a shared external proxy server at the top layer. Each proxy section should be configured to support long WebSocket connections.

Example Configuration with SSL:

server {
    listen 443 ssl http2;
    server_name demo.jumpserver.org;  # Replace with your domain
    ssl_certificate sslkey/1_jumpserver.org_bundle.crt;  # Path to your SSL certificate
    ssl_certificate_key sslkey/2_jumpserver.org_bundle.key;  # Path to your certificate key
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;

    location / {
        proxy_pass http://192.168.244.144;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}