网上大部分国密教程都是基于国密SSL实验室(www.gmssl.cn)提供的国密版OpenSSL,可以与Nginx集成。
但是其声明了 https://gmssl.cn/gmssl/index.jsp 每年年底会自动退出,因此采用 Tengine+BabaSSL(https://www.babassl.cn/2022/01/11/BabaSSL-plus-Tengine.html),即阿里系的组合来构建国密应用,两者均为开源,没有使用限制。(Tengine 是阿里维护的 nginx,完全兼容 nginx 语法)
debian 11.3
tengine:2.3.3
babassl8.3.1
arm64 架构
root@arm-64:~# docker pull debian:11.3
root@arm-64:~# docker run -itd --name tengine -p 81:80 -p 442:443 debian:11.3
# 利用腾讯的debian源,把准备好的list移入容器内替换
root@arm-64:~# docker cp /root/sources.list tengine:/etc/apt
deb http://mirrors.cloud.tencent.com/debian bullseye main contrib non-free
deb http://mirrors.cloud.tencent.com/debian bullseye-updates main contrib non-free
deb http://mirrors.cloud.tencent.com/debian-security bullseye-security main contrib non-free
deb http://mirrors.cloud.tencent.com/debian bullseye-backports main contrib non-free
deb http://mirrors.cloud.tencent.com/debian bullseye-proposed-updates main contrib non-free
最新版本可参考 https://github.com/alibaba/tengine/blob/master/modules/ngx_openssl_ntls/README.md
root@arm-64:~# docker exec -it tengine bash
root@5ad877a818c2:/# cd
root@5ad877a818c2:~# apt update
root@5ad877a818c2:~# apt upgrade -y
# vim 是为了方便
root@5ad877a818c2:~# apt -y install wget gcc make libpcre3 libpcre3-dev zlib1g-dev git vim
# 下载tengine
root@5ad877a818c2:~# git clone https://github.com/alibaba/tengine.git
# 下载babassl https://github.com/BabaSSL/BabaSSL/releases
root@5ad877a818c2:~# wget https://github.com/BabaSSL/BabaSSL/archive/refs/tags/8.3.1.tar.gz
root@5ad877a818c2:~# tar xf 8.3.1.tar.gz
编译Tengine
root@5ad877a818c2:~# cd tengine/
# 注意将 --with-openssl 指向 BabaSSL 源码解压后的目录(即之前 tar 解压的位置,此处为 /root/BabaSSL-8.3.1)
root@5ad877a818c2:~/tengine# ./configure --add-module=modules/ngx_openssl_ntls \
--with-openssl=/root/BabaSSL-8.3.1 \
--with-openssl-opt="--strict-warnings enable-ntls" \
--with-http_ssl_module --with-stream \
--with-stream_ssl_module --with-stream_sni
root@5ad877a818c2:~/tengine# make
root@5ad877a818c2:~/tengine# make install
添加软链接(使 nginx 命令在 PATH 中可直接调用)
root@5ad877a818c2:~/tengine# ln -s /usr/local/nginx/sbin/nginx /usr/sbin/
root@5ad877a818c2:~/tengine# cd /usr/local/nginx/conf/
root@5ad877a818c2:/usr/local/nginx/conf# vim nginx.conf
# include /usr/local/nginx/conf/conf.d/*.conf; #将此条添加到 http { } 块内,以加载 conf.d 下的子配置文件
root@5ad877a818c2:/usr/local/nginx/conf# mkdir cert #证书目录
root@5ad877a818c2:/usr/local/nginx/conf# mkdir conf.d #子配置文件目录
root@5ad877a818c2:/usr/local/nginx/conf# exit
#编译好的容器,打包成镜像
root@arm-64:~# docker commit tengine tengine_babassl:2.3.3_8.3.1
#sha256:53951802fa9de8e0c92721d84e1a7040d8504f439d65d12f36552db5e4cdc53c
#编写Dockerfile
root@arm-64:~# cd /opt
root@arm-64:/opt# mkdir tenginefile
root@arm-64:/opt# cd tenginefile/
root@arm-64:/opt/tenginefile# vim Dockerfile
# 基础镜像:上一步 docker commit 得到的、已手工编译好 Tengine+BabaSSL 的镜像
FROM tengine_babassl:2.3.3_8.3.1
# 仅声明容器监听的 HTTP/HTTPS 端口;实际的宿主机端口映射由 docker run -p 决定
EXPOSE 80 443
# 以前台方式运行 nginx(daemon off),否则 nginx 会转入后台、PID 1 退出,容器随之停止
CMD ["nginx", "-g", "daemon off;"]
#制作镜像
root@arm-64:/opt/tenginefile# docker build -t "tengine_babassl:2.3.3_8.3.1_v1" .
#先用该镜像启动一次临时容器,让数据卷 tengine 初始化并填充 /usr/local/nginx 目录的内容,随后即可删除临时容器
root@arm-64:/opt/tenginefile# docker run --name temp -itd -v tengine:/usr/local/nginx tengine_babassl:2.3.3_8.3.1_v1
root@arm-64:/opt/tenginefile# docker rm -f temp
root@arm-64:/opt/tenginefile# cd /var/lib/docker/volumes/
root@arm-64:/var/lib/docker/volumes# cd tengine/_data/conf/cert/
#把以下文件拷入(RSA 证书/私钥,以及 SM2 签名证书、加密证书及各自的私钥;生成方式见文末"资源地址")
rsa.dk.crt.pem rsa.dk.key.pem sm2.dk.enc.crt.pem sm2.dk.enc.key.pem sm2.dk.sig.crt.pem sm2.dk.sig.key.pem
root@arm-64:/var/lib/docker/volumes/tengine/_data/conf/cert# cd ../conf.d/
root@arm-64:/var/lib/docker/volumes/tengine/_data/conf/conf.d# vim default.conf
root@arm-64:/opt/tenginefile# cd /var/lib/docker/volumes/
root@arm-64:/var/lib/docker/volumes# cd tengine/_data/conf/cert/
#把以下文件拷入(RSA 证书/私钥,以及 SM2 签名证书、加密证书及各自的私钥;生成方式见文末"资源地址")
rsa.dk.crt.pem rsa.dk.key.pem sm2.dk.enc.crt.pem sm2.dk.enc.key.pem sm2.dk.sig.crt.pem sm2.dk.sig.key.pem
root@arm-64:/var/lib/docker/volumes/tengine/_data/conf/cert# cd ../conf.d/
root@arm-64:/var/lib/docker/volumes/tengine/_data/conf/conf.d# vim default.conf
#按以下编辑
# 双证书 TLS server 块:支持国密(NTLS)的客户端使用 SM2 签名/加密双证书,其他客户端使用 RSA 证书
server
{
# 容器内 443 端口启用 TLS;宿主机侧由 docker run -p 442:443 映射
listen 443 ssl;
server_name localhost;
# 开启 NTLS(国密 TLS)握手支持,由 ./configure 时加入的 ngx_openssl_ntls 模块提供
enable_ntls on;
# 普通 RSA 证书/私钥:未协商 NTLS 的客户端(如 Chrome)走这一套
ssl_certificate /usr/local/nginx/conf/cert/rsa.dk.crt.pem;
ssl_certificate_key /usr/local/nginx/conf/cert/rsa.dk.key.pem;
# SM2 国密"双证书":签名证书(sig)与加密证书(enc)各配一把私钥,两者缺一不可
ssl_sign_certificate /usr/local/nginx/conf/cert/sm2.dk.sig.crt.pem;
ssl_sign_certificate_key /usr/local/nginx/conf/cert/sm2.dk.sig.key.pem;
ssl_enc_certificate /usr/local/nginx/conf/cert/sm2.dk.enc.crt.pem;
ssl_enc_certificate_key /usr/local/nginx/conf/cert/sm2.dk.enc.key.pem;
# NOTE(review): 上面三个 *.key.pem 是私钥,实际存放在数据卷 /var/lib/docker/volumes/tengine/_data/conf/cert 下,
# 请确认文件权限仅 root(及 nginx master 进程)可读,不要随镜像或配置一起外发
location / {
# "html" 为相对路径,相对于 nginx 的 prefix(此处为 /usr/local/nginx),即 /usr/local/nginx/html
root html;
index index.html index.htm;
}
}
启动最终容器
root@arm-64:/var/lib/docker/volumes/tengine/_data/conf/conf.d# docker run --name tengine_sm --restart=always -itd -p 81:80 -p 442:443 -v tengine:/usr/local/nginx tengine_babassl:2.3.3_8.3.1_v1
此时,如果用支持国密的浏览器访问 https,会协商 NTLS 并显示国密支持;
如果使用 Chrome 等不支持国密的浏览器,则回落为普通 TLS,使用 RSA 证书加密
资源地址
国密双证书生成:
https://www.gmssl.cn/gmssl/index.jsp?go=CA
奇安信国密浏览器下载:
https://www.gmssl.cn/gmssl/Tool_Down?File=qaxbrowser_1.1.32574.52_gmssl.exe