What is the Purpose of JumpServer Reverse
Proxy?
Nginx supports secure WebSockets (wss://), managing connections and
securing the channel with an SSL certificate. To enable the
copy-paste functionality in the RDP protocol, a trusted SSL
certificate must be deployed. Copy-paste in RDP assets is only
possible when accessed via the HTTPS protocol.
Installing SSL Certificates and Configuring HTTPS for the
Web Interface
Prepare an SSL certificate (note that the
certificate must be in PEM format). Certificates
should be placed in the directory
/opt/jumpserver/config/nginx/cert
Stop the JumpServer service:
./jmsctl.sh stop
Open the JumpServer configuration file:
vi /opt/jumpserver/config/config.txt
Find and update the Nginx configuration parameters:
## Nginx Configuration
HTTP_PORT=80
SSH_PORT=2222
RDP_PORT=3389
## HTTPS Configuration
HTTPS_PORT=443 # External port for HTTPS, default is 443
SERVER_NAME=www.domain.com # Your domain for HTTPS
SSL_CERTIFICATE=xxx.pem # Your certificate name in /opt/jumpserver/config/nginx/cert
SSL_CERTIFICATE_KEY=xxx.key # Your key file name in /opt/jumpserver/config/nginx/cert
Save the configuration changes and start JumpServer:
./jmsctl.sh start
If you need to further edit the Nginx
configuration file:
vi /opt/jumpserver/config/nginx/lb_http_server.conf
Multi-Level Reverse Proxy on Nginx
Hint:
This configuration is suitable when there is a shared external
proxy server at the top level. It is an example of multi-level
reverse proxying on Nginx. Each proxy section must be configured to
support long WebSocket connections.
Editing the Configuration
File:
vi /etc/nginx/conf.d/jumpserver.conf
Example Configuration without SSL:
server {
listen 80;
server_name demo.jumpserver.org; # Replace with your domain
client_max_body_size 4096m; # Limit for maximum file upload size
location / {
# Specify the IP address of the JumpServer Nginx server
proxy_pass http://192.168.244.144;
proxy_http_version 1.1;
proxy_buffering off;
proxy_request_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
Recommendation:
For more secure access, it is recommended to configure SSL and use
the HTTPS protocol, following the guidelines from Mozilla SSL Configuration
Generator.
Example Configuration with SSL:
Redirecting HTTP to HTTPS:
server {
listen 80;
server_name demo.jumpserver.org; # Replace with your domain
return 301 https://$server_name$request_uri; # Redirect all HTTP requests to HTTPS
}
Configuring HTTPS:
server {
listen 443 ssl http2;
server_name demo.jumpserver.org; # Replace with your domain
ssl_certificate sslkey/1_jumpserver.org_bundle.crt; # Path to your SSL certificate
ssl_certificate_key sslkey/2_jumpserver.org_bundle.key; # Path to your certificate key
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=63072000" always;
client_max_body_size 4096m; # Limit for maximum file upload size
location / {
# Specify the IP address of the JumpServer Nginx server
proxy_pass http://192.168.244.144;
proxy_http_version 1.1;
proxy_buffering off;
proxy_request_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
3. Other Load Balancers (SLB)
Hint:
- Correctly configure long WebSocket connection support.
- Consider session management issues.
Need help?
Support during the JumpServer PAM Enterprise Edition PoC
Have you started testing JumpServer PAM EE and encountered an
issue? Our process includes organizing email threads or Telegram
groups for prompt issue resolution. If you are sure you were not
added to such a group, please contact your supplier or reach out to
us at support@afi-d.com
Training for your specialists on configuring and administering
JumpServer PAM
As part of an active technical support subscription, we will
train your specialists in installation, configuration,
administration of JumpServer PAM, as well as recovery from errors
and incidents.
Training is conducted online, according to a pre-agreed plan,
and includes mandatory practical knowledge verification with the
issuance of personalized certificates (upon successful exam
completion).
Video tutorials
Visit our channel on YouTube with video tutorials covering the
configuration of all JumpServer PAM sections. The videos are
updated with each new release.
Technical support for the free JumpServer PAM Community
Edition
The idea of implementing a complex but business-critical PAM
system can be intimidating due to the perceived complexity of
setup, administrator and security team training, and changes to
account management processes.
To make the deployment and configuration of JumpServer Community
Edition comfortable, and to ensure you can always rely on
professional assistance, AFI Distribution offers an annual
technical support subscription.
The support package priced at 1.5 million RUB per JumpServer
Community Edition instance (with no limits on the number of users
or target systems) includes everything required to use PAM:
- documentation and instructions;
- usage scenarios and recommended deployment architectures;
- training for administrators and information security
specialists on working with JumpServer;
- tips and solutions for common questions;
- notifications about new releases with verified upgrade
instructions;
- integration with RADIUS and multi-factor authentication
“Multifactor” ;
- direct access to an engineer (no first-line support) with a
clear SLA.
Learn more and make a purchase on the
Technical support subscription page
