国密Nginx容器实战
1.背景
目前国密SSL(TLCP)已经逐步开始推广并实际使用,国密SSL实验室(www.gmssl.cn)提供了国密版OpenSSL,并且可以与Nginx集成,可以比较方便的搭建国密SSL反向代理或者国密SSL服务器。
国密SSL实验室并没有提供Docker的样例,考虑到Docker的广泛性,本文描述了在Docker里面部署国密SSL的Nginx的的完整构建过程,仅供学习和参考之用。
运行环境为Centos7 X86_64。
2.安装docker
#安装docker 17.03.0
#安装docker依赖三个yum源:Base,Extras,docker-ce
[root@localhost ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
[root@localhost ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@localhost ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
#重新生成yum缓存
[root@localhost ~]# yum clean all
[root@localhost ~]# yum makecache
#安装docker所需依赖包
[root@localhost ~]# yum -y install https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/docker-ce-selinux-17.03.0.ce-1.el7.centos.noarch.rpm
#安装docker
[root@localhost ~]# yum -y install docker-ce-17.03.0.ce-1.el7.centos
3.配置镜像加速
[root@localhost ~]# mkdir /etc/docker
[root@localhost ~]# cat > /etc/docker/daemon.json<<EOF
> {
> "registry-mirrors": ["https://si7y70hh.mirror.aliyuncs.com"]
> }
> EOF
[root@localhost ~]# systemctl enable --now docker
4.准备容器环境
#拉取centos镜像
[root@localhost ~]# docker pull centos:centos7.9.2009
#运行容器
[root@localhost ~]# docker run -itd --name nginx centos:centos7.9.2009
[root@localhost ~]# docker exec -it nginx /bin/bash
[root@308fdeaaa058 /]# yum -y install wget gcc make pcre-devel
[root@308fdeaaa058 /]# cd
[root@308fdeaaa058 ~]# wget http://nginx.org/download/nginx-1.20.1.tar.gz
[root@308fdeaaa058 ~]# tar xf nginx-1.20.1.tar.gz
5.编译nginx
下载gmssl_openssl_1.1_b8.tar.gz与nginx(参见资源与下载),然后编译。
[root@308fdeaaa058 ~]# exit
[root@localhost ~]# ls
anaconda-ks.cfg gmssl_openssl_1.1_b8.tar.gz
#把下载好的gmssl包拷贝到容器里
[root@localhost ~]# docker cp gmssl_openssl_1.1_b8.tar.gz nginx:/root/
[root@localhost ~]# docker exec -it nginx /bin/bash
[root@308fdeaaa058 /]# cd
[root@308fdeaaa058 ~]# tar xf gmssl_openssl_1.1_b8.tar.gz -C /usr/local/
[root@308fdeaaa058 ~]# cd nginx-1.20.1
[root@308fdeaaa058 nginx-1.20.1]# vi auto/lib/openssl/conf
#将将全部$OPENSSL/.openssl/修改为$OPENSSL/并保存
#编译配置
[root@308fdeaaa058 nginx-1.20.1]# ./configure \
> --without-http_gzip_module \
> --with-http_ssl_module \
> --with-http_stub_status_module \
> --with-http_v2_module \
> --with-file-aio \
> --with-openssl="/usr/local/gmssl" \
> --with-cc-opt="-I/usr/local/gmssl/include" \
> --with-ld-opt="-lm"
[root@308fdeaaa058 nginx-1.20.1]# make install
[root@308fdeaaa058 nginx-1.20.1]# ln -s /usr/local/nginx/sbin/nginx /usr/sbin/
#创建证书和子配置文件目录
[root@308fdeaaa058 nginx-1.20.1]# cd /usr/local/nginx/conf/
[root@308fdeaaa058 conf]# vi nginx.conf
include /usr/local/nginx/conf/conf.d/*.conf; #将此条添加到http里
[root@308fdeaaa058 conf]# mkdir ssl
[root@308fdeaaa058 conf]# mkdir conf.d
[root@308fdeaaa058 conf]# exit
6.制作镜像
#编译好的容器,打包成镜像
[root@localhost ~]# docker commit nginx nginx
sha256:742fe82c7114f8272883f3f6a528fc62498cd5044b5ef942acd0bb4014a03467
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest 742fe82c7114 8 seconds ago 489 MB
centos centos7.9.2009 8652b9f0cb4c 9 months ago 204 MB
#编写Dockerfile
[root@localhost ~]# vim Dockerfile
[root@localhost ~]# cat Dockerfile
FROM nginx
LABEL version="1.0"
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]
#制作镜像
[root@localhost ~]# docker build -t "gmssl_nginx" .
Sending build context to Docker daemon 6.277 MB
Step 1/4 : FROM nginx
---> 742fe82c7114
Step 2/4 : LABEL version "1.0"
---> Running in efef92a82f76
---> b4305df3867a
Removing intermediate container efef92a82f76
Step 3/4 : EXPOSE 80 443
---> Running in c7addc9e5623
---> 63050d82a45a
Removing intermediate container c7addc9e5623
Step 4/4 : CMD nginx -g daemon off;
---> Running in ed1b4c9789c8
---> 8dfbfa5182f9
Removing intermediate container ed1b4c9789c8
Successfully built 8dfbfa5182f9
[root@localhost ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
gmssl_nginx latest 8dfbfa5182f9 About a minute ago 489 MB
nginx latest 742fe82c7114 4 minutes ago 489 MB
centos centos7.9.2009 8652b9f0cb4c 9 months ago 204 MB
7.启动容器
生成国密双证书(参见资源与下载)并配置nginx。
#配置目录
[root@localhost ~]# cd conf.d/
[root@localhost conf.d]# cat ssl.conf
server
{
listen 0.0.0.0:443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
ssl_verify_client off;
ssl_certificate /usr/local/nginx/conf/ssl/sm2.test.c.sig.crt.pem;
ssl_certificate_key /usr/local/nginx/conf/ssl/sm2.test.c.sig.key.pem;
ssl_certificate_key /usr/local/nginx/conf/ssl/sm2.test.c.enc.key.pem;
ssl_certificate /usr/local/nginx/conf/ssl/sm2.test.c.enc.crt.pem;
location /
{
root html;
index index.html index.htm;
}
}
[root@localhost conf.d]# cd
#证书目录
[root@localhost ~]# cd sm2.test.c/
[root@localhost sm2.test.c]# ls
password.txt sm2.rca.pem sm2.test.c.enc.cer sm2.test.c.enc.key sm2.test.c.enc.key.crypted.bin sm2.test.c.enc.key.pem sm2.test.c.sig.cer sm2.test.c.sig.key sm2.test.c.sig.key.pem
sm2.oca.pem sm2.test.c.both.pfx sm2.test.c.enc.crt.pem sm2.test.c.enc.key.crypted.b64 sm2.test.c.enc.key.p8 sm2.test.c.enc.pfx sm2.test.c.sig.crt.pem sm2.test.c.sig.key.p8 sm2.test.c.sig.pfx
[root@localhost sm2.test.c]# cd
#启动容器
[root@localhost ~]# docker run -itd -p 443:443 -v /root/sm2.test.c/:/usr/local/nginx/conf/ssl/ -v /root/conf.d/:/usr/local/nginx/conf/conf.d --name gmssl_nginx gmssl_nginx
[root@localhost ~]# docker logs -f gmssl_nginx
OpenSSL(GM version) by www.gmssl.cn. Test Only!!!
OpenSSL(GM version) by www.gmssl.cn. Test Only!!!
OpenSSL(GM version) by www.gmssl.cn. Test Only!!!
OpenSSL(GM version) by www.gmssl.cn. Test Only!!!
8.使用国密浏览器访问
下载奇安信国密浏览器(参见资源与下载) 。
导入国密根证书:打开浏览器>设置>高级设置>证书管理>导入证书。导入证书链
修改本地解析:C:\Windows\System32\drivers\etc\hosts 。hosts文件中加入解析地址
打开浏览器访问
9.完整的Dockerfile
容器已上传dockerhub(参见资源与下载) 。
[root@localhost nginx]# ls
Dockerfile gmssl_openssl_1.1_b8.tar.gz nginx-1.20.1.tar.gz
[root@localhost nginx]# cat Dockerfile
FROM centos:centos7.9.2009 #基于centos7.9.2009镜像
RUN yum install -y gcc make pcre-devel #安装依赖环境包
ADD nginx-1.20.1.tar.gz /root/ #将源码复制到指定目录,并解压
ADD gmssl_openssl_1.1_b8.tar.gz /usr/local/
WORKDIR /root/nginx-1.20.1/ #为下面的指令指定执行目录
RUN sed -in "s/\.openssl\///g" auto/lib/openssl/conf && \
./configure --without-http_gzip_module --with-http_ssl_module --with-http_stub_status_module --with-http_v2_module --with-file-aio --with-openssl="/usr/local/gmssl" --with-cc-opt="-I/usr/local/gmssl/include" --with-ld-opt="-lm" && \
make install && \
mkdir /usr/local/nginx/conf/conf.d && \
mkdir /usr/local/nginx/conf/ssl && \
sed -i '$i \ include /usr/local/nginx/conf/conf.d/*.conf;' /usr/local/nginx/conf/nginx.conf
EXPOSE 80 443 #声明暴露端口
VOLUME ["/usr/local/nginx/conf/conf.d/","/usr/local/nginx/conf/ssl/"] #指定挂载点
CMD ["/usr/local/nginx/sbin/nginx","-g","daemon off;"] #为了保持nginx的容器不退出,关闭nginx后台运行
[root@localhost nginx]# docker build -t gmssl_nginx:v1 . #使用当前目录下的文件构建标签gmssl_nginx:v0的镜像
10.资源与下载
1)国密版OpenSSL下载:
https://gmssl.cn/gmssl/down/gmssl_openssl_1.1_b8.tar.gz
2)Nginx最新版下载:
http://nginx.org/download/nginx-1.20.1.tar.gz
3)国密双证书生成:
https://www.gmssl.cn/gmssl/index.jsp?go=CA
4)奇安信国密浏览器下载:
https://gmssl.cn/gmssl/down/qaxbrowser_1.1.41702.52.exe
5)国密Nginx容器下载:
docker pull keyaas2021/gmssl_nginx:v1.0