jumpserver-nginx安全配置文件


本文主要讲解如何配置 nginx,使访问 JumpServer 网站时浏览器先要求输入 nginx 账号密码,通过后才能访问到 JumpServer 的 login 页面。

     配置https

     访问http自动跳转到https页面

     隐藏版本号

     直接用公网 IP 访问时返回 500 错误。

   (jumpserver不建议在公网上跑,但是业务需求没办法。因为我们公司每天都有全国各地的第三方人员需要访问。但是我们走了知道创宇防护,设置了非大陆用户无法访问,又加了nginx密码+jumpserver密码+双因子认证)

=================================================================

[root@jumpserver vhosts]# vim jumpserver.conf 

server {
    listen 80;
    server_name liangzeyu.com;
    # Plain-HTTP requests for this name are bounced to HTTPS. $server_name (not the
    # client-supplied $host) is used, so the redirect target cannot be steered by
    # the request. NOTE(review): the HTTPS vhost below is jumpserver.cdstm.cn —
    # confirm both names point at this host, or the redirect lands on a name this
    # file does not serve.
    return 302 https://$server_name$request_uri;
    #return 500; # add this line to answer requests made by IP with a 500
    #return 301 https://www.domain.com; # permanently redirect IP / other-name traffic to our domain
}

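server {
    listen 443 ssl;
    server_name jumpserver.cdstm.cn;

    ssl_certificate             /usr/local/nginx/conf/liangzeyu.crt;
    ssl_certificate_key         /usr/local/nginx/conf/liangzeyu.cdstm.cn.key;
    ssl_session_timeout         5m;
    ssl_session_cache           shared:SSL:1m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); the old "TLSv1 TLSv1.1" entries
    # only served to enable them. Keep 1.2 and add 1.3. TLSv1.3 needs
    # nginx >= 1.13.0 built against OpenSSL >= 1.1.1 — drop it on older builds.
    ssl_protocols               TLSv1.2 TLSv1.3;
    # Same HIGH set as before, minus static-RSA key exchange (no forward secrecy)
    # and 3DES; the remaining ECDHE/DHE suites cover current browsers.
    ssl_ciphers                 HIGH:!aNULL:!MD5:!kRSA:!3DES;
    ssl_prefer_server_ciphers   on;
    # Port 80 already redirects here, so tell browsers to stop trying HTTP at all.
    # "always" also attaches it to error responses such as the 401 from auth_basic
    # (nginx >= 1.7.5). A location that declares its own add_header (see /media/)
    # does NOT inherit this line and must repeat it.
    add_header Strict-Transport-Security "max-age=31536000" always;

    client_max_body_size 100m;

    # Basic auth sits in front of every location below, including the API and the
    # WebSocket proxies; JumpServer's own login + MFA still applies behind it.
    # The password file should be readable only by the nginx worker user.
    auth_basic "Please input password";
    auth_basic_user_file /usr/local/nginx/passwd;

    # Web UI (lina) static files.
    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    # Web terminal front-end (luna); adjust the path if the install dir changes.
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }

    # Session recordings; adjust the path if the install dir changes.
    location /media/ {
        add_header Content-Encoding gzip;
        # add_header is not inherited once a location sets its own, so HSTS is
        # restated here.
        add_header Strict-Transport-Security "max-age=31536000" always;
        root /opt/jumpserver/data/;
    }

    # Static assets; adjust the path if the install dir changes.
    location /static/ {
        root /opt/jumpserver/data/;
    }

    # NOTE(review): X-Forwarded-For below is built with $proxy_add_x_forwarded_for,
    # which appends to whatever the client sent. If nginx is the first hop, a
    # client can put an arbitrary address in front of its real one; if the
    # upstream WAF is the first hop, its address ranges should instead be
    # declared with set_real_ip_from / real_ip_header. Confirm which applies
    # before relying on the client IP recorded by JumpServer.

    # SSH/web-terminal gateway (koko), WebSocket upgrade required.
    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Access logging is off here and for /guacamole/ to keep long-lived
        # session streams out of the log. NOTE(review): confirm the audit trail
        # for these sessions is covered by JumpServer's own session recording.
        access_log off;
    }

    # RDP/VNC gateway (guacamole), WebSocket upgrade required.
    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    # Core WebSocket endpoint.
    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Core REST API.
    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Core application (login, admin).
    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is served by the UI.
    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}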
 

主要演示隐藏版本号,以及禁止通过 IP 直接访问。

[root@jumpserver conf]# cat nginx.conf

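server {
    # Catch-all for requests whose Host matches no vhost (bare IP, scanner
    # probes, stray names). default_server makes that explicit instead of
    # relying on this block being parsed before the included vhosts; remove the
    # flag if another server in this file already claims default_server on :80.
    listen 80 default_server;
    server_name _;
    # NOTE(review): there is no :443 listener here, so https://<IP> is answered
    # by the first vhost listening on 443 (the JumpServer one). Covering it needs
    # a "listen 443 ssl default_server;" with a certificate, or
    # "ssl_reject_handshake on;" on nginx >= 1.19.4.
    location / {
        return 500; # requests arriving by IP get a 500 instead of the real site
        #return 301 https://www.domain.com; # permanently send IP / other-name traffic to our domain
    }
}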
    # Virtual hosts live in their own files. Without an explicit default_server,
    # the first server defined for a port is its default, so the catch-all
    # server above must stay ahead of this include.
    include /usr/local/nginx/conf/vhosts/jumpserver.conf;
    # Drop the nginx version from the Server header and built-in error pages.
    # This is an http-level setting, so it reaches every server in the block
    # regardless of where it appears.
    server_tokens off;

}
 

 
