return 301 web page redirect

junlan
2025-02-21

Diagram of how it works

image-20250221200105487

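1. Write the default.conf file

$request_uri appends the path and query string of the client's request to the new URL, so the redirect carries the full request.
For example, when the client visits https://jump.ceshi.com/login?user=admin,
the trailing login?user=admin is appended after the redirect, so the client is sent to the complete target URL rather than only the domain part.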

tee /root/nginx/jumpserver_ng/conf.d/default.conf <<-'EOF'
server {
    listen 58080 ssl;
    server_name jump.snimay.com;    # Domain IP: 192.168.41.34 (the IP of the nginx server)

    # SSL configuration
    ssl_certificate /etc/nginx/conf.d/snimay.com.crt;
    ssl_certificate_key /etc/nginx/conf.d/snimay.com.key;

    location / {
        # return 301 https://jumpserver.snimay.com:443$request_uri;  # The new domain resolves to 192.168.45.170 (the real server's IP address); a 301 code is returned to the client, which then sends a new request using that domain.
        return 301 https://jumps.snimay.com:443$request_uri;    # The hostname above is rather long
    }
}
EOF

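2. Prepare the certificate files

Note that snimay.com.key is listed below with mode 644 (world-readable); nginx loads the key as root, so mode 600 is enough here.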

[root@localhost ~]# ll /root/nginx/jumpserver_ng/conf.d/
-rw-r--r--. 1 root root  500 Feb  7 20:43 default.conf
-rw-r--r--. 1 root root 3813 Feb  7 13:52 snimay.com.crt
-rw-r--r--. 1 root root 1679 Feb  7 13:52 snimay.com.key

3. Run Nginx in a container

# Start the container; the nginx:1.27.4 image can be pulled in advance
docker run -itd -p 58080:58080 --restart=always -v /root/nginx/jumpserver_ng/conf.d/:/etc/nginx/conf.d/ --name jumpserver_nginx nginx:1.27.4

# Even though port 80 is not used, Docker sees that port 80 is exposed in the container, so 80/tcp is still shown.
[root@localhost conf.d]# docker ps
CONTAINER ID   IMAGE        COMMAND                CREATED            STATUS         PORTS   NAMES
0327bd535af7 nginx:1.27.4  "/docker-entrypoint.…"  53 seconds ago   Up 52 seconds   80/tcp, 0.0.0.0:58080->58080/tcp, :::58080->58080/tcp                                           jumpserver_nginx

# Confirm that the host files have been mapped into the container
[root@localhost conf.d]# docker exec -it jumpserver_nginx ls /etc/nginx/conf.d/
default.conf  snimay.com.crt  snimay.com.key

# View the container logs
[root@localhost conf.d]# docker logs jumpserver_nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2025/02/07 12:43:17 [notice] 1#1: using the "epoll" event method
2025/02/07 12:43:17 [notice] 1#1: nginx/1.27.4
2025/02/07 12:43:17 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14)
2025/02/07 12:43:17 [notice] 1#1: OS: Linux 5.14.0-503.21.1.el9_5.x86_64
2025/02/07 12:43:17 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1073741816:1073741816
2025/02/07 12:43:17 [notice] 1#1: start worker processes
2025/02/07 12:43:17 [notice] 1#1: start worker process 28
2025/02/07 12:43:17 [notice] 1#1: start worker process 29

# Remove the container
[root@localhost nginx]# docker rm -f jumpserver_nginx

4. Capture the 301 redirect in a browser network trace

image-20250207210612716

Google Chrome capture:

image-20250208210219184

Firefox capture:

image-20250208210757488

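5. Modify the jumpserver configuration file

For security, versions above v3.6 require the DOMAINS trusted-domain setting to be filled in before the service can be accessed normally; otherwise error code 400/403 is returned and the page cannot be accessed.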

image-20250207215312065

# Edit config.txt and add the new domain to DOMAINS; otherwise bastion host users will not be able to log in
[root@jumpserver ~]# vim /opt/jumpserver/config/config.txt
  DOMAINS="jumpserver.snimay.com:443,jump.snimay.com:58080,192.168.45.170"

# Restart jumpserver
[root@jumpserver ~]# jmsctl restart
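
An added check for steps 4 and 5 (not part of the original post): given response headers as `curl -skI` prints them, it confirms the 301 and that Location keeps the path and query string, then checks whether the redirect target's hostname is among the DOMAINS entries. The header sample is constructed, the function names are hypothetical, and comparing DOMAINS entries by hostname only is an assumption.

```bash
# Constructed sample: response headers as `curl -skI` would print them for
# https://jump.snimay.com:58080/login?user=admin with the server block from step 1.
SAMPLE_HEADERS='HTTP/1.1 301 Moved Permanently
Server: nginx/1.27.4
Location: https://jumps.snimay.com:443/login?user=admin'

# DOMAINS value as shown in config.txt in step 5.
DOMAINS="jumpserver.snimay.com:443,jump.snimay.com:58080,192.168.45.170"

# location_of HEADERS: print the Location value (CRs stripped, name case-insensitive).
location_of() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1) == "location:" { print $2; exit }'
}

# check_redirect HEADERS REQUEST_URI: succeed only if the status is 301 and
# Location is an https URL ending in the original path and query string.
check_redirect() {
    cr_status=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')
    cr_loc=$(location_of "$1")
    [ "$cr_status" = "301" ] || { echo "status $cr_status, expected 301" >&2; return 1; }
    case "$cr_loc" in
        https://*"$2") return 0 ;;
        *) echo "Location '$cr_loc' does not end in '$2'" >&2; return 1 ;;
    esac
}

# host_in_domains URL DOMAINS: succeed if the URL's hostname is a DOMAINS entry.
# Assumption: entries are compared by hostname only, any :port suffix ignored.
host_in_domains() {
    hd_host=${1#*://}; hd_host=${hd_host%%/*}; hd_host=${hd_host%%:*}
    hd_ifs=$IFS; IFS=','
    for hd_entry in $2; do
        if [ "${hd_entry%%:*}" = "$hd_host" ]; then IFS=$hd_ifs; return 0; fi
    done
    IFS=$hd_ifs
    echo "host '$hd_host' is not listed in DOMAINS" >&2
    return 1
}

check_redirect "$SAMPLE_HEADERS" "/login?user=admin" && echo "path and query preserved"
host_in_domains "$(location_of "$SAMPLE_HEADERS")" "$DOMAINS" || echo "redirect target missing from DOMAINS"
```

With the values shown on this page the second check fails: the active return target is jumps.snimay.com, while DOMAINS lists jumpserver.snimay.com.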