国密Nginx容器实战一、背景目前,国密SSL(TLCP)已经逐渐开始推广和实际使用。国密SSL实验室(www.gmssl.cn)提供国密版OpenSSL,并可与Nginx集成,更方便搭建国密SSL反向代理或国密SSL服务器。国密SSL实验室不提供Docker示例。考虑到Docker的广泛性,本文介绍在Docker中部署国密SSLNginx的完整搭建过程,仅供学习参考。运行环境为Centos7X86_64。2.安装docker#installdocker17.03.0#安装docker依赖三个yum源:Base、Extras、docker-ce[root@localhost~]#wget-O/etc/yum.repos.d/CentOS-Base.repohttp://mirrors.aliyun.com/repo/Centos-7.repo[root@localhost~]#wget-O/etc/yum.repos.d/epel.repohttp://mirrors.aliyun.com/repo/epel-7.repo[root@localhost~]#wget-O/etc/yum.repos.d/docker-ce.repohttps://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo#重新生成yumcache[root@localhost~]#yumcleanall[root@localhost~]#yummakecache#安装docker所需依赖[root@localhost~]#yum-yinstallhttps://mirrors.aliyun。com/docker-ce/linux/centos/7/x86_64/stable/Packages/docker-ce-selinux-17.03.0.ce-1.el7.centos.noarch.rpm#installdocker[root@localhost~]#yum-y安装docker-ce-17.03.0.ce-1.el7.centos3。配置镜像加速[root@localhost~]#mkdir/etc/docker[root@localhost~]#cat>/etc/docker/daemon.json<{>"registry-mirrors":["https://si7y70hh.mirror.aliyuncs.com"]>}>EOF[root@localhost~]#systemctlenable--now码头工人4。准备容器环境#拉取centos镜像[root@localhost~]#dockerpullcentos:centos7.9.2009#运行容器[root@localhost~]#dockerrun-itd--namenginxcentos:centos7.9.2009[root@localhost~]#dockerexec-itnginx/bin/bash[root@308fdeaaa058/]#yum-yinstallwgetgccmakepcre-devel[root@308fdeaaa058~]#wgethttp://nginx.org/download/nginx-1.20.1.tar.gz[root@308fdeaaa058~]#tarxfnginx-1.20.1.tar.gz5.编译nginx下载gmssl_openssl_1.1_b4.tar.gz和nginx(看资源下载),然后编译[root@308fdeaaa058~]#exit[root@localhost~]#lsanaconda-ks.cfggmssl_openssl_1.1_b4.tar.gz#将下载的gmssl包复制到容器中[root@localhost~]#dockercpgmssl_openssl_1.1_b4.tar.gznginx:/root/[root@localhost~]#dockerexec-itnginx/bin/bash[root@308fdeaaa058/]#cd[root@308fdeaaa058~]#tarxfgmssl_openssl_1.1_b4.tar.gz-C/usr/local/[root@308fdeaaa058~]#cdnginx-1.20.1[root@308fdeaaa058nginx-1.20.1]#viauto/lib/openssl/conf#将所有的$OPENSSL/.openssl/修改为$OPENSSL/并保存#编译配置[root@308fdeaaa058nginx-1.20.1]#./configure\>--without-http_gzip_module\>--with-http_ssl_module\>--with-http_stub_status_module\>--with-http_v2_module\>--with-file-aio\>--with-openssl="/usr/local/gmssl"\>--with-cc-opt="-I/usr/local/gmssl/include"\>--with-ld-opt="-lm"[root@308fdeaaa058nginx-1.20.1]#makeinstall[root@308fdeaaa058nginx-1.20.1]#ln-s/usr/local/nginx/sbin/nginx/usr/sbin/#创建证书和子配置文件目录[root@308fdeaaa058nginx-1.20.1]#cd/usr/local/nginx/conf/[root@308fdeaaa058conf]#vinginx.confinclude/usr/local/nginx/conf/conf.d/*.conf;#Addthisitemtohttp[root@308fdeaaa058conf]#mkdirssl[root@308fdeaaa058conf]#mkdirconf.d[root@308fdeaaa058conf]#exit6.制作镜像#编辑好的控件,打包成镜像[root@localhost~]#dockercommitnginxnginxsha256:742fe82c7114f8272883f3f6a528fc62498cd5044b5ef942acd0bb4014a03467[root@localhost~]#dockerimagesREPOSITORYTAGIMAGEIDCREATEDSIZEnginxlatest742fe82c71148secondsago489MBcentoscentos7.9.20098652b9f0cb4c9monthsago204MB#编写Dockerfile[root@localhost~]#vimDockerfile[root@localhost~]#catDockerfileFROMnginxLABELversion="1.0"EXPOSE80443CMD["nginx","-g","daemonoff;"]#Makeimage[root@localhost~]#dockerbuild-t"gmssl_nginx”。将构建上下文发送到Docker守护进程6.277MBStep1/4:FROMnginx--->742fe82c7114Step2/4:LABELversion"1.0"--->在efef92a82f76中运行--->b4305df3867a删除中间容器efef92a82f76Step3/4:EXPOSE80443--->在c7addc9e5623中运行--->63050d82a45a删除中间容器c7addc9e5623Step4/4-gCMDngin离开;--->在ED1B4C9789C8中运行---->8DFBFA5182F9REMEMOVINGINTERMIDIADECONTRATERED1B4C9789C8SUCCESSUCCESSUCCESSCOSSCOSSCOSCESSucccessof8dfbfa5182f9[root@lot@lote@localhost?]9.20098652b9f0cb4c9个月前204MB7。启动容器生成国密双证书(见资源下载)并配置nginx#配置目录[root@localhost~]#cdconf.d/[root@localhostconf.d]#catssl.confserver{listen0.0.0.0:443ssl;ssl_protocolsTLSv1TLSv1.1TLSv1.2;ssl_ciphersECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;ssl_verify_client关闭;ssl_certificate/usr/local/nginx/conf/ssl/sm2.test.c.sig.crt.pem;ssl_certificate_key/usr/local/nginx/conf/ssl/sm2.test.c.sig.key.pem;ssl_certificate_key/usr/local/nginx/conf/ssl/sm2.test.c.enc.key.pem;ssl_certificate/usr/local/nginx/conf/ssl/sm2.test.c.enc.crt.pem;位置/{根html;indexindex.htmlindex.htm;}}[root@localhostconf.d]#cd#证书目录[root@localhost~]#cdsm2.test.c/[root@localhostsm2.test.c]#lspassword.txtsm2.rca.pemsm2.test.c.enc.cersm2.test.c.enc.keysm2.test.c.enc.key.crypted.binsm2.test.c.enc.key.pemsm2.test.c.sig.cersm2.test.c.sig.keysm2.test.c.sig.key.pemsm2.oca.pemsm2.test.c.both.pfxsm2.test.c.enc.crt.pemsm2.test.c.enc.key.crypted.b64sm2.test.c.enc.key.p8sm2.test.c.enc.pfxsm2.test.c.sig.crt.pemsm2.test.c.sig.key.p8sm2.test.c.sig.pfx[root@localhostsm2.test.c]#cd#启动容器[root@localhost~]#dockerrun-itd-p443:443-v/root/sm2.test.c/:/usr/local/nginx/conf/ssl/-v/root/conf.d/:/usr/local/nginx/conf/conf.d--namegmssl_nginxgmssl_nginx[root@localhost~]#dockerlogs-fgmssl_nginxOpenSSL(GM版)bywww.gmssl.cn。仅供测试!!!OpenSSL(GM版)bywww.gmssl.cn。仅供测试!!!www.gmssl.cn的OpenSSL(GM版)。仅供测试!!!OpenSSL(GM版)bywww.gmssl.cn。仅测试!!!8。使用国密浏览器访问下载奇安信国密浏览器(见资源和下载)导入中集根证书:打开浏览器>设置>高级设置>证书管理>导入证书。导入证书链修改本地解析:C:\Windows\System32\drivers\etc\hosts。将解析后的地址添加到hosts文件中,打开浏览器访问9.完整的Dockerfile容器已经上传到dockerhub(参见资源和下载)。[root@localhostnginx]#lsDockerfilegmssl_openssl_1.1_b4.tar.gznginx-1.20.1.tar.gz[root@localhostnginx]#catDockerfileFROMcentos:centos7.9.2009#basedoncentos7.9.2009mirrorRUNyuminstall-ygccmakepcre-devel#安装依赖环境包ADDnginx-1.20.1.tar.gz/root/#复制源码到指定目录,并解压ADDgmssl_openssl_1.1_b4.tar.gz/usr/local/WORKDIR/root/nginx-1.20.1/#指定以下指令的执行目录RUNsed-in"s/\.openssl\///g"auto/lib/openssl/conf&&\./configure--without-http_gzip_module--with-http_ssl_module--with-http_stub_status_module--with-http_v2_module--with-file-aio--with-openssl="/usr/local/gmssl"--with-cc-opt="-I/usr/local/gmssl/include"--with-ld-opt="-lm"&&\makeinstall&&\mkdir/usr/local/nginx/conf/conf.d&&\mkdir/usr/local/nginx/conf/ssl&&\sed-i'$i\include/usr/local/nginx/conf/conf.d/*.conf;'/usr/local/nginx/conf/nginx.confEXPOSE80443#声明暴露端口VOLUME["/usr/local/nginx/conf/conf.d/","/usr/local/nginx/conf/ssl/"]#指定挂载点CMD["/usr/local/nginx/sbin/nginx","-g","daemonoff;"]#为了让nginx容器不退出,关闭nginx后台运行[root@localhostnginx]#dockerbuild-tgmssl_nginx:v1.#使用当前目录下的文件构建镜像,标签为gmssl_nginx:v010.资源与下载1)国密版本OpenSSL下载:https://www.gmssl.cn/gmssl/To...2)下载最新版Nginx:http://nginx.org/download/ngi...3)生成国密双证书:https://www.gmssl.cn/gmssl/in...4)奇安信果米浏览器下载:https://www.gmssl.cn/gmssl/To...5)果米Nginx容器下载:dockerpullkeyaas2021/gmssl_nginx:v1.0
