Installing SSL Certificates and Configuring HTTPS
What is the Purpose of JumpServer Reverse Proxy?
Nginx ensures support forsupports secure WebSockets (wss://) by, managing connection handlingconnections and securing the channel with an SSL certificate. To enable the copy-paste functionality in the RDP protocol, you must deploy a trusted SSL certificate.certificate must be deployed. Copy-paste functionality in RDP assets is only availablepossible when accessed via the HTTPS protocol.
Installing SSL Certificates and Configuring HTTPS for the Web Interface
Prepare an SSL certificate (ensurenote that the certificate ismust be in PEM format). PlaceCertificates theshould certificatesbe placed in the directory /opt/jumpserver/config/nginx/cert.
Stop the JumpServer service:
./jmsctl.sh stopOpen the JumpServer configuration file:
vi /opt/jumpserver/config/config.txtFind and update the Nginx configuration parameters:
## Nginx Configuration
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389
## HTTPS Configuration
HTTPS_PORT=443 # External port for HTTPS, default is 443
SERVER_NAME=www.domain.com # Your domain for HTTPS
SSL_CERTIFICATE=xxx.pem # CertificateYour filecertificate name in /opt/jumpserver/config/nginx/cert
SSL_CERTIFICATE_KEY=xxx.key # KeyYour key file name in /opt/jumpserver/config/nginx/certSave the configuration changes and start JumpServer:
./jmsctl.sh startIf you need to further edit the Nginx configuration file:
vi /opt/jumpserver/config/nginx/lb_http_server.confMulti-LayeredLevel Reverse Proxy on Nginx
Hint:
This configuration is suitable when there is a shared external proxy server at the top layer.level. It is an example of multi-level reverse proxying on Nginx. Each proxy section shouldmust be configured to support long WebSocket connections.
Editing the Configuration File:
vi /etc/nginx/conf.d/jumpserver.confExample Configuration without SSL:
server {
listen 80;
server_name demo.jumpserver.org; # Replace with your domain
client_max_body_size 4096m; # Limit for maximum file upload size
location / {
# Specify the IP address of the JumpServer Nginx server
proxy_pass http://192.168.244.144;
proxy_http_version 1.1;
proxy_buffering off;
proxy_request_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}Recommendation:
For more secure access, it is recommended to configure SSL and use the HTTPS protocol, following the guidelines from Mozilla SSL Configuration Generator.
Example Configuration with SSL:
Redirecting HTTP to HTTPS:
server {
listen 80;
server_name demo.jumpserver.org; # Replace with your domain
return 301 https://$server_name$request_uri; # Redirect all HTTP requests to HTTPS
}Configuring HTTPS:
server {
listen 443 ssl http2;
server_name demo.jumpserver.org; # Replace with your domain
ssl_certificate sslkey/1_jumpserver.org_bundle.crt; # Path to your SSL certificate
ssl_certificate_key sslkey/2_jumpserver.org_bundle.key; # Path to your certificate key
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=63072000" always;
client_max_body_size 4096m; # Limit for maximum file upload size
location / {
# Specify the IP address of the JumpServer Nginx server
proxy_pass http://192.168.244.144;
proxy_http_version 1.1;
proxy_buffering off;
proxy_request_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}3. Other Load Balancers (SLB)
Hint:
- Correctly configure long WebSocket connection support.
- Consider session management issues.