1. Environment
HTTPS with GM (国密, SM2/SM4) certificates is configured on the Nginx server that sits in front of JumpServer. Users reach Nginx from a local browser with GM SSL support, so that leg is a GM-encrypted HTTPS link; Nginx terminates (decrypts) the HTTPS session and forwards the request to the JumpServer backend.
GMSSL provides a GM-enabled build of OpenSSL that works with Nginx, supports one-way and two-way (mutual) authentication, and negotiates automatically between standard SSL and GM SSL. The GM OpenSSL library is based on OpenSSL, whose license is the Apache License V2.0.
2. Downloading the components
Nginx: the stable release from the Nginx site, https://nginx.org/download/nginx-1.20.2.tar.gz
OpenSSL (GM build): from the GMSSL lab, https://www.gmssl.cn/gmssl/Tool_Down?File=gmssl_openssl_1.1_b4.tar.gz
Certificates: apply on the GMSSL lab site, fill in the requested information and click "Submit"; all certificates are then downloaded automatically.
3. Compiling and installing Nginx
- Download gmssl_openssl_1.1_b4.tar.gz to /root/
- Unpack it:
    tar -zxvf gmssl_openssl_1.1_b4.tar.gz -C /usr/local
- Download nginx-1.20.2.tar.gz to /root/
- Unpack it:
    tar -zxvf nginx-1.20.2.tar.gz
- Enter the source directory:
    cd /root/nginx-1.20.2
- Edit auto/lib/openssl/conf, replace every occurrence of $OPENSSL/.openssl/ with $OPENSSL/ and save. (nginx expects --with-openssl to point at an OpenSSL source tree whose build output lives under .openssl/; the GmSSL tarball is already an installed tree with include/ and lib/ at its top level.)
- Configure the build:
    ./configure \
        --without-http_gzip_module \
        --with-http_ssl_module \
        --with-http_stub_status_module \
        --with-http_v2_module \
        --with-file-aio \
        --with-openssl="/usr/local/gmssl" \
        --with-cc-opt="-I/usr/local/gmssl/include" \
        --with-ld-opt="-lm"
- Compile and install:
    make && make install
- /usr/local/nginx is the resulting nginx directory.
Note: pcre-devel and gcc must be installed; you may need to run
    yum install pcre-devel gcc-c++ gcc
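As an added example (not part of the original post), the whole procedure above collected into one script. It assumes both tarballs were already downloaded to /root as described, that GNU sed is available (the `-i` flag), and that the package list matches the note above; the `build` argument guards the build so the functions can be loaded and checked without running it.

```shell
#!/bin/sh
# Added example: section 3 build, end to end. Assumes the two tarballs are in /root.
set -eu

GMSSL_TGZ=/root/gmssl_openssl_1.1_b4.tar.gz
NGINX_TGZ=/root/nginx-1.20.2.tar.gz
GMSSL_DIR=/usr/local/gmssl      # the GmSSL tarball unpacks to this directory
NGINX_SRC=/root/nginx-1.20.2    # the nginx tarball unpacks to this directory

# nginx's auto/lib/openssl/conf assumes --with-openssl points at an OpenSSL *source*
# tree whose build products live under $OPENSSL/.openssl/. The GmSSL tarball is an
# installed tree (include/ and lib/ sit directly under /usr/local/gmssl), so every
# reference is rewritten from $OPENSSL/.openssl/ to $OPENSSL/. Argument: conf file path.
patch_openssl_conf() {
    sed -i 's#\$OPENSSL/\.openssl/#$OPENSSL/#g' "$1"
}

build_nginx_gmssl() {
    yum install -y pcre-devel gcc-c++ gcc        # build prerequisites from the note above
    tar -zxvf "$GMSSL_TGZ" -C /usr/local
    tar -zxvf "$NGINX_TGZ" -C /root
    cd "$NGINX_SRC"
    patch_openssl_conf auto/lib/openssl/conf
    ./configure \
        --without-http_gzip_module \
        --with-http_ssl_module \
        --with-http_stub_status_module \
        --with-http_v2_module \
        --with-file-aio \
        --with-openssl="$GMSSL_DIR" \
        --with-cc-opt="-I$GMSSL_DIR/include" \
        --with-ld-opt="-lm"
    make && make install
    # nginx -V prints the "built with ..." line naming the SSL library it was linked
    # against; check it before pointing the JumpServer front end at this binary.
    /usr/local/nginx/sbin/nginx -V
}

case "${1:-}" in
    build) build_nginx_gmssl ;;
esac
```

Run it as `sh build-nginx-gmssl.sh build` on the target host; without the argument it only defines the functions, which is how the conf rewrite can be tested on a copy of auto/lib/openssl/conf before touching the real tree.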
4. Configuration examples
GM one-way (server authentication only):
    server {
        listen 0.0.0.0:443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
        ssl_verify_client off;
        ssl_certificate /usr/local/nginx/conf/demo1.sm2.sig.crt.pem;
        ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.sig.key.pem;
        ssl_certificate /usr/local/nginx/conf/demo1.sm2.enc.crt.pem;
        ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.enc.key.pem;
        location / {
            proxy_pass http://192.168.186.130; # 192.168.186.130 is the JumpServer address
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
GM two-way (mutual authentication):
    server {
        listen 0.0.0.0:443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
        ssl_client_certificate /usr/local/nginx/conf/demo1.sm2.trust;
        ssl_verify_client on;
        ssl_certificate /usr/local/nginx/conf/demo1.sm2.sig.crt.pem;
        ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.sig.key.pem;
        ssl_certificate /usr/local/nginx/conf/demo1.sm2.enc.crt.pem;
        ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.enc.key.pem;
        location / {
            proxy_pass http://192.168.186.130; # 192.168.186.130 is the JumpServer address
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
GM/RSA one-way with automatic negotiation:
    server {
        listen 0.0.0.0:443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
        ssl_verify_client off;
        ssl_certificate /usr/local/nginx/conf/demo1.rsa.crt.pem;
        ssl_certificate_key /usr/local/nginx/conf/demo1.rsa.key.pem;
        ssl_certificate /usr/local/nginx/conf/demo1.sm2.sig.crt.pem;
        ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.sig.key.pem;
        ssl_certificate /usr/local/nginx/conf/demo1.sm2.enc.crt.pem;
        ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.enc.key.pem;
        location / {
            proxy_pass http://192.168.186.130; # 192.168.186.130 is the JumpServer address
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
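The three blocks above differ only in which certificate pairs they load and whether client certificates are verified. Two things are easy to get wrong when editing them: nginx pairs the Nth ssl_certificate with the Nth ssl_certificate_key by position, and a GM (SM2) listener needs both the signing pair (.sm2.sig) and the encryption pair (.sm2.enc). The following shell check, added here and not part of the original post, verifies both on a server block and also flags the TLS 1.0/1.1 and 3DES entries the examples carry over. The sample block it runs on is constructed from the one-way example above, and the file naming convention (.sm2.sig / .sm2.enc, .crt.pem / .key.pem) is assumed to match the page's.

```shell
#!/bin/sh
# Added example: lint a GM server block. Not part of the original post.
set -eu

# Print the file-name stems of one directive, in order of appearance:
#   stems conf ssl_certificate crt      -> demo1.sm2.sig, demo1.sm2.enc, ...
#   stems conf ssl_certificate_key key  -> demo1.sm2.sig, demo1.sm2.enc, ...
stems() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | awk '{print $2}' | sed "s#.*/##; s/\.$3\.pem;\$//"
}

# Prints one finding per line; returns 1 if anything was found, 0 for a clean block.
check_gm_tls_conf() {
    conf=$1
    rc=0
    certs=$(stems "$conf" ssl_certificate crt)
    keys=$(stems "$conf" ssl_certificate_key key)
    # nginx matches certificate and key directives positionally, so the stem lists
    # must be identical in order and length.
    if [ "$certs" != "$keys" ]; then
        echo "order mismatch: certs=[$(echo "$certs" | tr '\n' ' ')] keys=[$(echo "$keys" | tr '\n' ' ')]"
        rc=1
    fi
    # GM TLS uses a dual SM2 certificate: one for signing, one for encryption.
    has_sig=0; has_enc=0
    case "$certs" in *.sm2.sig*) has_sig=1 ;; esac
    case "$certs" in *.sm2.enc*) has_enc=1 ;; esac
    if [ "$has_sig" -ne "$has_enc" ]; then
        echo "SM2 needs both a .sm2.sig and a .sm2.enc certificate (found sig=$has_sig enc=$has_enc)"
        rc=1
    fi
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2/1.3 are not matched here.
    if grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$conf" | grep -qE 'TLSv1(\.1)?([[:space:]]|;)'; then
        echo "ssl_protocols enables TLS 1.0/1.1, deprecated by RFC 8996"
        rc=1
    fi
    if grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' "$conf" | grep -q 'DES-CBC3'; then
        echo "ssl_ciphers includes 3DES (DES-CBC3-SHA)"
        rc=1
    fi
    return $rc
}

# Constructed sample: the GM one-way block from the page, TLS directives only.
write_sample() {
    cat > "$1" <<'EOF'
server {
    listen 0.0.0.0:443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
    ssl_verify_client off;
    ssl_certificate /usr/local/nginx/conf/demo1.sm2.sig.crt.pem;
    ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.sig.key.pem;
    ssl_certificate /usr/local/nginx/conf/demo1.sm2.enc.crt.pem;
    ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.enc.key.pem;
}
EOF
}

# Usage: sh check-gm-conf.sh /usr/local/nginx/conf/nginx.conf
if [ $# -gt 0 ]; then
    check_gm_tls_conf "$1"
fi
```

On the page's own one-way block the check reports the TLS 1.0/1.1 and 3DES entries and nothing else; drop the enc certificate line and it reports both the positional mismatch and the missing SM2 encryption certificate, which is the failure mode that otherwise only shows up as a handshake error in a GM browser.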
5. Verifying access
Open the Nginx service URL in a browser: https://192.168.186.147
The browser must support the GM SSL protocol, for example 360 Secure Browser, Qianxin Trusted Browser or MeSince (密信) Browser.
Taking 360 Secure Browser as an example, enable "GM SSL protocol support" in its settings.
Click the certificate indicator; if it shows "Your connection to 192.168.186.147 is encrypted with a GM cipher suite", the configuration is working.