JumpServer: adding SSL support for access to the web management interface
1. Check whether nginx was built with the SSL module (http_ssl_module). If it is listed, SSL is supported; if not, nginx has to be recompiled and reinstalled with it.
/usr/sbin/nginx -V   # prints the build options; look for http_ssl_module
[screenshot: output of nginx -V]
2. Generate a certificate with the openssl command
2.1 Generate an RSA key
mkdir -p /etc/nginx/ca/server/   # the certificate files are kept in this directory
cd /etc/nginx/ca/server/
openssl genrsa -des3 -out server.key 1024
2.2 Make a copy of the key that does not require a passphrase
mv server.key xxx.key
openssl rsa -in xxx.key -out server.key
2.3 Generate a certificate signing request
openssl req -new -key server.key -out server.csr
2.4 Sign the certificate yourself
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
3. Edit django_uwsgi.conf
vim /etc/nginx/django_uwsgi.conf
upstream jumpserver {
    server 192.168.20.129:80 max_fails=3;
}
server {
    listen 443;
    server_name localhost;
    ssi on;
    ssi_silent_errors on;
    ssi_types text/shtml;
    ssl on;
    ssl_certificate /etc/nginx/ca/server/server.crt;
    ssl_certificate_key /etc/nginx/ca/server/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    location / {
        proxy_pass http://Master2.jumpserver.org;
    }
}
# Django project
server {
    listen 80;
    server_name 192.168.20.129;
    location / {
        uwsgi_pass 127.0.0.1:9000;
        include uwsgi_params;
        access_log off;
    }
    location ^~ /static {
        root /opt/jumpserver;
    }
    location ^~ /admin/ {
        uwsgi_pass 127.0.0.1:9000;
        include uwsgi_params;
        access_log off;
    }
    location ~* ^.+\.(mpg|avi|mp3|swf|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|txt|tar|mid|midi|wav|rtf|mpeg)$ {
        root /opt/jumpserver/static;
        access_log off;
    }
}
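The 443 server block above enables SSLv2, SSLv3 and TLS 1.0, and its cipher string explicitly keeps LOW, EXP and RC4 suites (in an OpenSSL cipher string a "+" prefix only reorders suites, it does not remove them); the 1024-bit RSA key from section 2 is likewise below the 2048-bit minimum that current browsers and CAs accept. The Python script below is an added example, not part of this post or of JumpServer: it parses a server block with a minimal nginx directive parser, reports the deprecated protocol and cipher settings, and then checks a hardened equivalent. The hardened block is constructed for this example (the suite names are standard OpenSSL cipher names; TLSv1.3 needs nginx built against OpenSSL 1.1.1 or later).

```python
"""Lint the TLS settings of an nginx server block (added example, not from the post).

The parser only handles the simple syntax used in the post's config: one
'name args...;' directive per line plus '{' / '}' block delimiters.
"""

# Protocol versions that must not be offered: SSLv2/SSLv3 are broken,
# TLS 1.0 and 1.1 are retired (RFC 8996).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL cipher-string keywords that select export-grade, anonymous,
# unauthenticated or otherwise broken suites.
WEAK_CIPHER_KEYWORDS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "RC4",
                        "ADH", "aNULL", "eNULL", "NULL", "MD5", "DES", "SSLv2"}


def parse_directives(text):
    """Yield (block_path, name, args) for every directive in the config text."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())       # e.g. 'server', 'location /'
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            parts = line[:-1].split()
            if parts:
                yield tuple(stack), parts[0], parts[1:]


def weak_cipher_tokens(cipher_string):
    """Return the tokens of an OpenSSL cipher string that keep weak suites enabled.

    '!' removes suites permanently and '-' removes them until re-added, so those
    tokens are not flagged. '+' only moves suites to the end of the list, so
    '+LOW' still enables LOW. 'RC4+RSA' is an AND of keywords; any weak one counts.
    """
    flagged = []
    for token in cipher_string.split(":"):
        if token[:1] in ("!", "-"):
            continue
        keywords = token.lstrip("+").split("+")
        if any(k in WEAK_CIPHER_KEYWORDS for k in keywords):
            flagged.append(token)
    return flagged


def lint_tls(config_text):
    """Return a list of findings (strings) for the TLS directives in config_text."""
    findings = []
    for _path, name, args in parse_directives(config_text):
        if name == "ssl" and args == ["on"]:
            findings.append("'ssl on' is deprecated; use 'listen 443 ssl' instead")
        elif name == "ssl_protocols":
            bad = [p for p in args if p in WEAK_PROTOCOLS]
            if bad:
                findings.append("ssl_protocols enables deprecated versions: " + " ".join(bad))
        elif name == "ssl_ciphers" and args:
            bad = weak_cipher_tokens(args[0])
            if bad:
                findings.append("ssl_ciphers keeps weak suites enabled: " + " ".join(bad))
    return findings


# The post's HTTPS server block (spacing fixed), used as the weak sample.
POST_CONFIG = """
server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate /etc/nginx/ca/server/server.crt;
    ssl_certificate_key /etc/nginx/ca/server/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    location / {
        proxy_pass http://Master2.jumpserver.org;
    }
}
"""

# Hardened equivalent, constructed for this example: TLS 1.2/1.3 only and a
# short list of AEAD suites with forward secrecy.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/ca/server/server.crt;
    ssl_certificate_key /etc/nginx/ca/server/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    location / {
        proxy_pass http://Master2.jumpserver.org;
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("post config", POST_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(label + ":")
        for finding in lint_tls(cfg) or ["no findings"]:
            print("  - " + finding)
```

Run on the post's block the script reports three findings (the deprecated `ssl on` form, the three retired protocol versions, and the `RC4+RSA`, `+LOW`, `+SSLv2` and `+EXP` cipher tokens); the hardened block produces none. The parser is deliberately minimal and is meant for checking a block copied out of a config, not as a replacement for `nginx -t`.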
4. Edit jumpserver.conf
vim /opt/jumpserver/jumpserver.conf
#coding: utf8
ip = 192.168.20.129
port = 443   # changed from 80 to 443
.......
5. Edit views.py
vim /opt/jumpserver/juser/views.py
[screenshot: the URL line in views.py]
Add an "s" to "http" in that line so the scheme becomes https.
6. Restart the services
cd /home/uwsgi
sh uwsgiserver.sh restart
/etc/init.d/nginx restart
cd /opt/jumpserver
./service.sh restart
7. Open the site and log in
Visit https://192.168.20.129/ ; the self-issued SSL certificate is not trusted by the browser.
[screenshot: https://192.168.20.129/ with the untrusted self-signed certificate]
Note: accessing the web interface over SSL has one problem: under Log Audit, clicking Monitor does not respond.
Visit http://192.168.20.129/
[screenshot: http://192.168.20.129/]
8. Add a user
The email that is received is shown in the screenshot.
[screenshot: the received email]