Supermicro IPMI/BMC nginx proxy

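You need OpenResty or nginx installed, at a version greater than 1.15.10.

For building from source, see http://www.kvm.la/1043.html . The OpenResty binary packages are an older version and have not been updated, so building your own copy is recommended.


First, put the IPMI IPs into a file named ip.list, one IP per line.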

#!/bin/bash
i=1000  # VNC start port
b=2000  # BMC (RMCP) start port
# hextoip() { hex=$1;  printf "%d." 0x${hex:0:2};  printf "%d." 0x${hex:2:2};  printf "%d." 0x${hex:4:2};  printf "%d" 0x${hex:6:2};  }
# gethostip -x 10.0.12.1
stream_route_map=/etc/nginx/stream.route.map.conf
http_route_map=/etc/nginx/http.route.map.conf
echo " default 0;" > "$stream_route_map"
echo " default 0;" > "$http_route_map"
# One IP per line; skip blank lines and repeated addresses, keeping the file order.
for IP in $(awk 'NF && !seen[$1]++ { print $1 }' /root/ipmi/ip.list)
do
    i=$((i + 1))
    b=$((b + 1))
    # gethostip -x prints the address as 8 hex digits; lower-case them.
    HEXIP=$(gethostip -x "$IP" | tr 'A-Z' 'a-z')
    echo "    ~*($IP|$i|$b|$HEXIP)$    IP<$IP>|VNC<$i>|BMC<$b>|HEX<$HEXIP>;" >> "$http_route_map"
    echo "    ~*($b|$i)$  $IP;" >> "$stream_route_map"
done

nginx -s reload


The nginx configuration follows; pulling each part in with include is recommended.

stream.conf, the content for the stream section:

stream {
    map $server_port $ipmihost { include stream.route.map.conf; }

    server {
        listen 0.0.0.0:1000-1200 reuseport;
        proxy_connect_timeout 5s;
        proxy_timeout 20s;
        proxy_pass $ipmihost:5900;
    }

    server {
        listen 2000-2200 udp reuseport;
        listen 2000-2200 reuseport;
        proxy_connect_timeout 5s;
        proxy_timeout 20s;
        proxy_pass $ipmihost:623;
    }
}


ipmi_proxy.conf, which goes under the http section:

map $http_user_agent $limit_bots {
     default 0;
     ~*(google|bing|yandex|msnbot) 1;
     ~*(AltaVista|Googlebot|Slurp|BlackWidow|Bot|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker) 1;
     ~*(Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|Go!Zilla|Go-Ahead-Got-It) 1;
     ~*(rafula|HMView|HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|Spider|larbin|LeechFTP|Downloader|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE) 1;
     ~*(GrabNet|NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider) 1;
     ~*(Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus) 1;
     ~*(Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw) 1;
 }
map $HOSTKEY $VALUE { include http.route.map.conf; }
server {
    listen 80;
    listen 443 ssl;
    server_name  ~^(.*?)\.(.*?).XXX.XXX$ ;

    ssl_certificate ssl/server.crt;
    ssl_certificate_key ssl/server.key;
    include ssl.conf;

    access_log /var/log/nginx.bmc.log;
    if ($limit_bots = 1) {  return 403;  }
    # The label to the left of .bmc. (IP, VNC port, BMC port or hex IP) is the map key.
    if ( $http_host ~* "(.*?)\.bmc.(.*?)$" ) { set $HOSTKEY $1; }
    # The map returns its "default 0" when the key matches no entry in http.route.map.conf.
    # (The echo directive is not allowed in a server-level if, so return is used here.)
    if ( $VALUE = 0 ) {  return 404 'not found!';  }
    if ( $VALUE ~* "IP<(.*?)>\|VNC<(.*?)>\|BMC<(.*?)>\|HEX<(.*?)>$" ) {
        set $IPMIhost $1;
        set $ipmivnc $2;
        set $ipmiws $3;
        set $hexip   $4;
        set $target_IP $1;
    }

    location / {
        add_header X-Frame-Options SAMEORIGIN;
        # Ask the BMC for uncompressed responses so sub_filter can rewrite them.
        proxy_set_header Accept-Encoding "";
        proxy_redirect $scheme://$IPMIhost/ /;
        proxy_store off;
        proxy_read_timeout 300s;
        proxy_pass $scheme://$IPMIhost;
        proxy_set_header Host $host;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        sub_filter '5900</' '$ipmivnc</';       # VNC port
        sub_filter '623</'  '$ipmiws</';        # SuperMicro
        sub_filter '7578</' '$ipmivnc</';       # AMI VNC port
        sub_filter '5120</' '$ipmiws</';        # AMI iso port

        sub_filter '$IPMIhost</'  '$host</';
        sub_filter '//$IPMIhost:'  '//$host:';  # filter jnlp codebase
        sub_filter_once off;
        sub_filter_types  application/x-java-jnlp-file;
    }
}


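So far this has only been tested on the SuperMicro X9 and X10 series; noVNC, Java IPMI and the other basic functions all work normally.


Preparation:

Put the ip.list file and the list.sh file in the same directory; you can also change these settings yourself.

You need a wildcard DNS name, *.bmc.XXX.XXX ; in the nginx configuration, change XXX.XXX to your own domain.


Currently only the VNC and RMCP ports are handled; other special ports are not.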
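
A validating variant of the map generator, added here as an example (it is not the author's list.sh): it rejects ip.list lines that are not plain IPv4 addresses before they reach the nginx maps, escapes and anchors the regex keys, and stops when there are more hosts than the 1000-1200 / 2000-2200 listen ranges cover. The function names and the MAX_HOSTS limit are assumptions of this example, and the hex form is computed with printf instead of gethostip.

```shell
#!/bin/sh
# Added example (not the article's list.sh). Port bases and the 200-host
# limit follow the article's script and its 1000-1200 / 2000-2200 listen ranges.
# Usage: { echo ' default 0;'; gen_map http /root/ipmi/ip.list; } > /etc/nginx/http.route.map.conf
VNC_BASE=1000; BMC_BASE=2000; MAX_HOSTS=200

# ipv4_to_hex A.B.C.D: print 8 lowercase hex digits; return 1 unless the
# argument is four dot-separated octets in 0-255 without leading zeros.
ipv4_to_hex() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                  # split on dots (digits and dots only, no globbing)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%02x%02x%02x%02x' "$1" "$2" "$3" "$4"
}

# gen_map http|stream FILE: print the map entries for FILE (one IP per line).
# Blank lines, "#" lines and repeated IPs are skipped; an invalid entry or
# more hosts than the listen ranges cover aborts with status 1.
gen_map() {
    kind=$1; n=0; seen=' '
    while read -r ip rest; do
        case $ip in ''|'#'*) continue ;; esac
        case $seen in *" $ip "*) continue ;; esac
        hex=$(ipv4_to_hex "$ip") || { echo "invalid entry: $ip" >&2; return 1; }
        n=$((n + 1))
        [ "$n" -le "$MAX_HOSTS" ] || { echo "more than $MAX_HOSTS hosts" >&2; return 1; }
        seen="$seen$ip "
        v=$((VNC_BASE + n)); b=$((BMC_BASE + n))
        if [ "$kind" = stream ]; then
            printf '    ~*^(%d|%d)$ %s;\n' "$b" "$v" "$ip"
        else
            esc=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the regex
            printf '    ~*^(%s|%d|%d|%s)$ IP<%s>|VNC<%d>|BMC<%d>|HEX<%s>;\n' \
                "$esc" "$v" "$b" "$hex" "$ip" "$v" "$b" "$hex"
        fi
    done < "$2"
}
```
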

============================================

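The iDRAC series only works if gzip compression is requested from the backend; otherwise it returns 404. Even with gzip enabled and the page loading, some requests time out with a 504.

Forwarding directly at layer 4 with stream lets iDRAC work normally, but that basically takes up a dedicated IP. I will keep looking into this when I have time.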

proxy_set_header Accept-Encoding "gzip";



1 user comment.
  1. Comment posted: Wednesday 10th/02/2021 05:10:13 PM, #1

    Hi!
    Could you check in on X11 platform? I am trying to use it on X11 and it doesn't work =(
