Nginx reverse proxy - websocket configuration to make the FortiGate CLI interface work

Posted 2025-01-11 04:12:56


I am trying to get my FortiGate router's web interface behind my reverse proxy, not to be accessible from the internet, but to use my LetsEncrypt cert on my internal network. This is the config I'm using:

upstream websockets {
    server 192.168.1.99:443;
}

server {
    listen 443 ssl;
    allow 192.168.1.0/24;
    deny all;
    server_name f60e.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Authorization "";
        proxy_redirect off;
        
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Origin "";
        proxy_pass_header X-XSRF-TOKEN;
        proxy_pass https://192.168.1.99;
        proxy_send_timeout      300;
        proxy_read_timeout      300;
        send_timeout            300;
        client_max_body_size    1000m;
  
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /websockets/ {
        proxy_pass https://websockets;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header Origin "";
    }

}

Everything appears to work except for the "Edit in CLI" button. When I attempt to use it, the interface window comes up blank and after a few seconds it says "Connection lost", and I get this error in my browser console:

GET https://f60e.walnuthomelab.com/favicon/site.webmanifest net::ERR_CONNECTION_TIMED_OUT
main.js:1 
WebSocket connection to 'wss://f60e.walnuthomelab.com/ws/cli/open?cols=66&rows=34' failed: 
createWebSocket @ main.js:1


Comments (1)

浪推晚风 2025-01-18 04:12:56


I was able to get this working without specifying a websockets block for the reverse proxy config. I've also got buffering disabled because the console seemed to be a bit laggy while it was enabled, but this could be in my head.

The SSL/TLS configuration on this will severely limit your ability to connect with older clients, limit your connection to {{ ADMIN_IP }} and will lock you out of the hostname if you break your certificate configuration, or want to remove TLS in the future. So make sure you're using modern browsers, and your LetsEncrypt setup is working properly.

I've tested this with the default FortiGate self-signed certificate, with one from a private trusted CA, and with a LetsEncrypt cert through the FortiGate's built-in ACME engine. This is working across three Nginx servers listening on a keepalived vIP.

server {
    listen 443 ssl;
    server_name {{ HOSTNAME }};

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_certificate      /etc/letsencrypt/live/{{ HOSTNAME }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ HOSTNAME }}/privkey.pem;

    resolver         {{ PrimaryDNSServer }} {{ SecondaryDNSServer }} valid=300s;
    resolver_timeout 5s;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_session_tickets  off;

    ssl_prefer_server_ciphers   on;
    ssl_protocols               TLSv1.3;
    ssl_ciphers                 EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve              secp384r1;
    ssl_stapling                on;
    ssl_stapling_verify         on;

    add_header  X-Frame-Options         DENY;
    add_header  X-Content-Type-Options  nosniff;
    add_header  X-XSS-Protection        "1; mode=block";

    access_log  /var/log/nginx/{{ HOSTNAME }}.log;

    location / {
        allow {{ ADMIN_IP }}; 
        deny all;

        proxy_pass          https://{{ FG_IPAddress }};
        proxy_set_header    X-Real-IP         $remote_addr;
        proxy_set_header    Host              $host;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;

        proxy_http_version  1.1;
        proxy_redirect      http:// https://;
        proxy_buffering     off;
        proxy_set_header    Upgrade     $http_upgrade;
        proxy_set_header    Connection  "upgrade";
    }
}
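The browser console in the question shows the CLI terminal opening its socket at /ws/cli/open, and nginx selects a prefix location by longest matching prefix, so the asker's "location /websockets/" block never sees that request; whatever "location /" carries is what governs the upgrade. The checker below, an added example that is not code from the question, the answer, or Fortinet, parses an nginx server block, resolves which location a given path lands in, and reports whether that location has the three directives a WebSocket upgrade needs (proxy_http_version 1.1, Upgrade, Connection). It runs over trimmed copies of both configs on this page; the answer's {{ ... }} template values are replaced with constructed placeholders so the text parses, and only prefix locations are modelled, which is all either config uses.

```python
import re

# Trimmed copy of the asker's config from the question (constructed sample).
ASKER_CONFIG = """
server {
    server_name f60e.*;
    location / {
        proxy_set_header Origin "";
        proxy_pass https://192.168.1.99;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /websockets/ {
        proxy_pass https://192.168.1.99;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
"""

# Trimmed copy of the answer's config; the {{ ... }} template values are
# replaced with constructed placeholders so that the text parses.
ANSWER_CONFIG = """
server {
    server_name fgt.example.invalid;   # {{ HOSTNAME }}
    location / {
        allow 192.0.2.10;              # {{ ADMIN_IP }}
        deny all;
        proxy_pass https://192.0.2.1;  # {{ FG_IPAddress }}
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""


def parse_nginx(text):
    """Parse nginx config into nested {'directives': [(name, args)], 'blocks': [(name, args, body)]}."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', re.sub(r"#[^\n]*", "", text))

    def walk(i):
        node = {"directives": [], "blocks": []}
        while i < len(tokens) and tokens[i] != "}":
            j = i
            while tokens[j] not in (";", "{"):
                j += 1
            name, args = tokens[i], [t.strip("\"'") for t in tokens[i + 1:j]]
            if tokens[j] == ";":
                node["directives"].append((name, args))
                i = j + 1
            else:
                body, i = walk(j + 1)
                node["blocks"].append((name, args, body))
        return node, i + 1

    return walk(0)[0]


def match_location(server, path):
    """Longest matching prefix location, as nginx picks for prefix-only configs
    (exact '=' and regex '~' locations are not modelled; neither config here uses them)."""
    best = None
    for name, args, body in server["blocks"]:
        if name == "location" and len(args) == 1 and path.startswith(args[0]):
            if best is None or len(args[0]) > len(best[0]):
                best = (args[0], body)
    return best or (None, None)


def check_websocket_path(config_text, path):
    """Return (matched_location, errors, warnings) for a WebSocket request to `path`."""
    config = parse_nginx(config_text)
    server = next(body for name, _, body in config["blocks"] if name == "server")
    pat, body = match_location(server, path)
    if body is None:
        return None, ["no location matches " + path], []
    headers, directives = {}, {}
    for name, args in body["directives"]:
        if name == "proxy_set_header" and len(args) == 2:
            headers[args[0].lower()] = args[1]
        else:
            directives[name] = args
    errors, warnings = [], []
    if directives.get("proxy_http_version") != ["1.1"]:
        errors.append("proxy_http_version 1.1 is required: Upgrade is not forwarded over HTTP/1.0")
    if headers.get("upgrade") != "$http_upgrade":
        errors.append("missing: proxy_set_header Upgrade $http_upgrade")
    if headers.get("connection", "").lower() != "upgrade":
        errors.append('missing: proxy_set_header Connection "upgrade"')
    if "origin" in headers and not headers["origin"].startswith("$"):
        warnings.append("Origin is overwritten with a fixed value %r; a backend that validates "
                        "the WebSocket Origin may refuse the upgrade" % headers["origin"])
    return pat, errors, warnings
```

Running check_websocket_path(ASKER_CONFIG, "/ws/cli/open") resolves to "location /" with no missing directives, which is why the extra /websockets/ block changes nothing for the CLI socket, and it flags that "location /" replaces the browser's Origin with an empty string; the answer's config resolves to "location /" with no findings at all.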