国密Nginx容器实战

  • Post author:
  • Post category:其他




国密Nginx容器实战



1.背景

​ 目前国密SSL(TLCP)已经逐步开始推广并实际使用,国密SSL实验室(www.gmssl.cn)提供了国密版OpenSSL,并且可以与Nginx集成,可以比较方便的搭建国密SSL反向代理或者国密SSL服务器。

​ 国密SSL实验室并没有提供Docker的样例,考虑到Docker的广泛性,本文描述了在Docker里面部署国密SSL的Nginx的的完整构建过程,仅供学习和参考之用。

运行环境为Centos7 X86_64。



2.安装docker

#安装docker 17.03.0 
#安装docker依赖三个yum源:Base,Extras,docker-ce
[root@localhost ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
[root@localhost ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@localhost ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

#重新生成yum缓存
[root@localhost ~]# yum clean all
[root@localhost ~]# yum makecache

#安装docker所需依赖包
[root@localhost ~]# yum -y install https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/docker-ce-selinux-17.03.0.ce-1.el7.centos.noarch.rpm

#安装docker
[root@localhost ~]# yum -y install docker-ce-17.03.0.ce-1.el7.centos



3.配置镜像加速

[root@localhost ~]# mkdir /etc/docker
[root@localhost ~]# cat > /etc/docker/daemon.json<<EOF
> {
>   "registry-mirrors": ["https://si7y70hh.mirror.aliyuncs.com"]
> }
> EOF

[root@localhost ~]# systemctl enable --now docker



4.准备容器环境

#拉取centos镜像
[root@localhost ~]# docker pull centos:centos7.9.2009

#运行容器
[root@localhost ~]# docker run -itd --name nginx centos:centos7.9.2009 
[root@localhost ~]# docker exec -it nginx /bin/bash
[root@308fdeaaa058 /]# yum -y install wget gcc make pcre-devel
[root@308fdeaaa058 /]# cd
[root@308fdeaaa058 ~]# wget http://nginx.org/download/nginx-1.20.1.tar.gz
[root@308fdeaaa058 ~]# tar xf nginx-1.20.1.tar.gz



5.编译nginx

下载gmssl_openssl_1.1_b8.tar.gz与nginx(参见资源与下载),然后编译。

[root@308fdeaaa058 ~]# exit
[root@localhost ~]# ls
anaconda-ks.cfg  gmssl_openssl_1.1_b8.tar.gz

#把下载好的gmssl包拷贝到容器里
[root@localhost ~]# docker cp gmssl_openssl_1.1_b8.tar.gz nginx:/root/
[root@localhost ~]# docker exec -it nginx /bin/bash
[root@308fdeaaa058 /]# cd
[root@308fdeaaa058 ~]# tar xf gmssl_openssl_1.1_b8.tar.gz -C /usr/local/
[root@308fdeaaa058 ~]# cd nginx-1.20.1
[root@308fdeaaa058 nginx-1.20.1]# vi auto/lib/openssl/conf
#将将全部$OPENSSL/.openssl/修改为$OPENSSL/并保存

#编译配置
[root@308fdeaaa058 nginx-1.20.1]# ./configure \
> --without-http_gzip_module \
> --with-http_ssl_module \
> --with-http_stub_status_module \
> --with-http_v2_module \
> --with-file-aio \
> --with-openssl="/usr/local/gmssl" \
> --with-cc-opt="-I/usr/local/gmssl/include" \
> --with-ld-opt="-lm"

[root@308fdeaaa058 nginx-1.20.1]# make install
[root@308fdeaaa058 nginx-1.20.1]# ln -s /usr/local/nginx/sbin/nginx /usr/sbin/

#创建证书和子配置文件目录
[root@308fdeaaa058 nginx-1.20.1]# cd /usr/local/nginx/conf/
[root@308fdeaaa058 conf]# vi nginx.conf
include /usr/local/nginx/conf/conf.d/*.conf;  #将此条添加到http里

[root@308fdeaaa058 conf]# mkdir ssl
[root@308fdeaaa058 conf]# mkdir conf.d
[root@308fdeaaa058 conf]# exit



6.制作镜像

#编译好的容器,打包成镜像
[root@localhost ~]# docker commit nginx nginx
sha256:742fe82c7114f8272883f3f6a528fc62498cd5044b5ef942acd0bb4014a03467
[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              742fe82c7114        8 seconds ago       489 MB
centos              centos7.9.2009      8652b9f0cb4c        9 months ago        204 MB

#编写Dockerfile
[root@localhost ~]# vim Dockerfile
[root@localhost ~]# cat Dockerfile
FROM nginx
LABEL version="1.0"
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]

#制作镜像
[root@localhost ~]# docker build -t "gmssl_nginx" .
Sending build context to Docker daemon 6.277 MB
Step 1/4 : FROM nginx
 ---> 742fe82c7114
Step 2/4 : LABEL version "1.0"
 ---> Running in efef92a82f76
 ---> b4305df3867a
Removing intermediate container efef92a82f76
Step 3/4 : EXPOSE 80 443
 ---> Running in c7addc9e5623
 ---> 63050d82a45a
Removing intermediate container c7addc9e5623
Step 4/4 : CMD nginx -g daemon off;
 ---> Running in ed1b4c9789c8
 ---> 8dfbfa5182f9
Removing intermediate container ed1b4c9789c8
Successfully built 8dfbfa5182f9
[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
gmssl_nginx         latest              8dfbfa5182f9        About a minute ago   489 MB
nginx               latest              742fe82c7114        4 minutes ago        489 MB
centos              centos7.9.2009      8652b9f0cb4c        9 months ago         204 MB



7.启动容器

生成国密双证书(参见资源与下载)并配置nginx。

#配置目录
[root@localhost ~]# cd conf.d/
[root@localhost conf.d]# cat ssl.conf 
server
{
  listen 0.0.0.0:443 ssl;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
  ssl_verify_client off;

  ssl_certificate /usr/local/nginx/conf/ssl/sm2.test.c.sig.crt.pem;
  ssl_certificate_key /usr/local/nginx/conf/ssl/sm2.test.c.sig.key.pem;

  ssl_certificate_key /usr/local/nginx/conf/ssl/sm2.test.c.enc.key.pem;
  ssl_certificate /usr/local/nginx/conf/ssl/sm2.test.c.enc.crt.pem;

  location /
  {
    root html;
    index index.html index.htm;
  }
}

[root@localhost conf.d]# cd

#证书目录
[root@localhost ~]# cd sm2.test.c/
[root@localhost sm2.test.c]# ls
password.txt  sm2.rca.pem          sm2.test.c.enc.cer      sm2.test.c.enc.key              sm2.test.c.enc.key.crypted.bin  sm2.test.c.enc.key.pem  sm2.test.c.sig.cer      sm2.test.c.sig.key     sm2.test.c.sig.key.pem
sm2.oca.pem   sm2.test.c.both.pfx  sm2.test.c.enc.crt.pem  sm2.test.c.enc.key.crypted.b64  sm2.test.c.enc.key.p8           sm2.test.c.enc.pfx      sm2.test.c.sig.crt.pem  sm2.test.c.sig.key.p8  sm2.test.c.sig.pfx
[root@localhost sm2.test.c]# cd

#启动容器
[root@localhost ~]# docker run -itd -p 443:443 -v /root/sm2.test.c/:/usr/local/nginx/conf/ssl/ -v /root/conf.d/:/usr/local/nginx/conf/conf.d --name gmssl_nginx gmssl_nginx
[root@localhost ~]# docker logs -f gmssl_nginx 
OpenSSL(GM version) by www.gmssl.cn. Test Only!!!
OpenSSL(GM version) by www.gmssl.cn. Test Only!!!
OpenSSL(GM version) by www.gmssl.cn. Test Only!!!
OpenSSL(GM version) by www.gmssl.cn. Test Only!!!



8.使用国密浏览器访问

下载奇安信国密浏览器(参见资源与下载) 。

导入国密根证书:打开浏览器>设置>高级设置>证书管理>导入证书。导入证书链

修改本地解析:C:\Windows\System32\drivers\etc\hosts 。hosts文件中加入解析地址

打开浏览器访问

在这里插入图片描述



9.完整的Dockerfile

容器已上传dockerhub(参见资源与下载) 。

[root@localhost nginx]# ls
Dockerfile  gmssl_openssl_1.1_b8.tar.gz  nginx-1.20.1.tar.gz
[root@localhost nginx]# cat Dockerfile 
FROM centos:centos7.9.2009    #基于centos7.9.2009镜像
RUN yum install -y gcc make pcre-devel    #安装依赖环境包
ADD nginx-1.20.1.tar.gz /root/     #将源码复制到指定目录,并解压
ADD gmssl_openssl_1.1_b8.tar.gz /usr/local/
WORKDIR /root/nginx-1.20.1/    #为下面的指令指定执行目录
RUN sed -in "s/\.openssl\///g" auto/lib/openssl/conf && \
 ./configure --without-http_gzip_module --with-http_ssl_module --with-http_stub_status_module --with-http_v2_module --with-file-aio --with-openssl="/usr/local/gmssl" --with-cc-opt="-I/usr/local/gmssl/include" --with-ld-opt="-lm" && \
 make install && \
 mkdir /usr/local/nginx/conf/conf.d && \
 mkdir /usr/local/nginx/conf/ssl && \
 sed -i '$i  \    include /usr/local/nginx/conf/conf.d/*.conf;' /usr/local/nginx/conf/nginx.conf
EXPOSE 80 443       #声明暴露端口
VOLUME ["/usr/local/nginx/conf/conf.d/","/usr/local/nginx/conf/ssl/"]     #指定挂载点
CMD ["/usr/local/nginx/sbin/nginx","-g","daemon off;"]     #为了保持nginx的容器不退出,关闭nginx后台运行

[root@localhost nginx]# docker build -t gmssl_nginx:v1 .    #使用当前目录下的文件构建标签gmssl_nginx:v0的镜像



10.资源与下载

1)国密版OpenSSL下载:


https://gmssl.cn/gmssl/down/gmssl_openssl_1.1_b8.tar.gz

2)Nginx最新版下载:


http://nginx.org/download/nginx-1.20.1.tar.gz

3)国密双证书生成:


https://www.gmssl.cn/gmssl/index.jsp?go=CA

4)奇安信国密浏览器下载:


https://gmssl.cn/gmssl/down/qaxbrowser_1.1.41702.52.exe

5)国密Nginx容器下载:

docker pull keyaas2021/gmssl_nginx:v1.0



版权声明:本文为Geor_ge_原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。