Configuring nginx with GM (Chinese national cryptography) support
[TOC]
- Environment used here: nginx 1.25.2, openssl 1.1.1l, gmssl_openssl_1.1_b8, CentOS 7.6, a Tencent Cloud pay-as-you-go server in Nanjing zone 2, firewall opened for ports 22 and 443, 2C-2G-50G
Upgrade "openssl"
- Check the current "openssl" version. 1.1.1 and above supports the GM algorithms; if "openssl" is already newer than that, skip this upgrade step.
[root@VM-16-11-centos openssl-1.1.1l]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@VM-16-11-centos openssl-1.1.1l]#
- Install the "openssl" build dependencies
[root@VM-16-11-centos ~]# yum install -y wget gcc perl-core zlib-devel
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
os | 3.6 kB 00:00:00
updates | 2.9 kB 00:00:00
Package wget-1.14-18.el7_6.1.x86_64 already installed and latest version
Package gcc-4.8.5-44.el7.x86_64 already installed and latest version
Package zlib-devel-1.2.7-21.el7_9.x86_64 already installed and latest version
...... output omitted; the following output indicates a successful installation ......
Installed:
perl-core.x86_64 0:5.16.3-299.el7_9
Dependency Installed:
gdbm-devel.x86_64 0:1.10-8.el7 perl-Archive-Extract.noarch 1:0.68-3.el7 perl-Archive-Tar.noarch 0:1.92-3.el7 perl-B-Lint.noarch 0:1.17-3.el7
perl-CGI.noarch 0:3.63-4.el7 perl-CPAN.noarch 0:1.9800-299.el7_9 perl-CPAN-Meta.noarch 0:2.120921-5.el7 perl-CPAN-Meta-Requirements.noarch 0:2.122-7.el7
perl-CPAN-Meta-YAML.noarch 0:0.008-14.el7 perl-CPANPLUS.noarch 0:0.91.38-4.el7 perl-CPANPLUS-Dist-Build.noarch 0:0.70-3.el7 perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7
perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 perl-DBD-SQLite.x86_64 0:1.39-3.el7 perl-DBI.x86_64 0:1.627-4.el7 perl-DBIx-Simple.noarch 0:1.35-7.el7
perl-DB_File.x86_64 0:1.830-6.el7 perl-Digest.noarch 0:1.17-245.el7 perl-Digest-MD5.x86_64 0:2.52-3.el7 perl-Digest-SHA.x86_64 1:5.85-4.el7
perl-Env.noarch 0:1.04-2.el7 perl-ExtUtils-CBuilder.noarch 1:0.28.2.6-299.el7_9 perl-ExtUtils-Embed.noarch 0:1.30-299.el7_9 perl-ExtUtils-Install.noarch 0:1.58-299.el7_9
perl-ExtUtils-MakeMaker.noarch 0:6.68-3.el7 perl-ExtUtils-Manifest.noarch 0:1.61-244.el7 perl-ExtUtils-ParseXS.noarch 1:3.18-3.el7 perl-FCGI.x86_64 1:0.74-8.el7
perl-File-CheckTree.noarch 0:4.42-3.el7 perl-File-Fetch.noarch 0:0.42-2.el7 perl-IO-Compress.noarch 0:2.061-2.el7 perl-IO-Zlib.noarch 1:1.10-299.el7_9
perl-IPC-Cmd.noarch 1:0.80-4.el7 perl-JSON-PP.noarch 0:2.27202-2.el7 perl-Locale-Codes.noarch 0:3.26-2.el7 perl-Locale-Maketext.noarch 0:1.23-3.el7
perl-Locale-Maketext-Simple.noarch 1:0.21-299.el7_9 perl-Log-Message.noarch 1:0.08-3.el7 perl-Log-Message-Simple.noarch 0:0.10-2.el7 perl-Module-Build.noarch 2:0.40.05-2.el7
perl-Module-CoreList.noarch 1:2.76.02-299.el7_9 perl-Module-Load.noarch 1:0.24-3.el7 perl-Module-Load-Conditional.noarch 0:0.54-3.el7 perl-Module-Loaded.noarch 1:0.08-299.el7_9
perl-Module-Metadata.noarch 0:1.000018-2.el7 perl-Module-Pluggable.noarch 1:4.8-3.el7 perl-Net-Daemon.noarch 0:0.48-5.el7 perl-Object-Accessor.noarch 1:0.42-299.el7_9
perl-Package-Constants.noarch 1:0.02-299.el7_9 perl-Params-Check.noarch 1:0.38-2.el7 perl-Parse-CPAN-Meta.noarch 1:1.4404-5.el7 perl-Perl-OSType.noarch 0:1.003-3.el7
perl-PlRPC.noarch 0:0.2020-14.el7 perl-Pod-Checker.noarch 0:1.60-2.el7 perl-Pod-LaTeX.noarch 0:0.61-2.el7 perl-Pod-Parser.noarch 0:1.61-2.el7
perl-Sys-Syslog.x86_64 0:0.33-3.el7 perl-Term-UI.noarch 0:0.36-2.el7 perl-Test-Simple.noarch 0:0.98-243.el7 perl-Text-Soundex.x86_64 0:3.04-4.el7
perl-Text-Unidecode.noarch 0:0.04-20.el7 perl-Time-Piece.x86_64 0:1.20.1-299.el7_9 perl-Version-Requirements.noarch 0:0.101022-244.el7 perl-autodie.noarch 0:2.16-2.el7
perl-devel.x86_64 4:5.16.3-299.el7_9 perl-local-lib.noarch 0:1.008010-4.el7 perl-version.x86_64 3:0.99.07-6.el7 pyparsing.noarch 0:1.5.6-9.el7
systemtap-sdt-devel.x86_64 0:4.0-13.el7
Complete!
- Install openssl
[root@VM-16-11-centos ~]# wget https://www.openssl.org/source/openssl-1.1.1l.tar.gz --no-check-certificate
--2023-08-20 20:40:03-- https://www.openssl.org/source/openssl-1.1.1l.tar.gz
Resolving www.openssl.org (www.openssl.org)... 2.17.62.8, 2600:1417:76:687::c1e, 2600:1417:76:685::c1e, ...
Connecting to www.openssl.org (www.openssl.org)|2.17.62.8|:443... connected.
WARNING: cannot verify www.openssl.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
Issued certificate has expired.
HTTP request sent, awaiting response... 200 OK
Length: 9834044 (9.4M) [application/x-gzip]
Saving to: ‘openssl-1.1.1l.tar.gz’
100%[=======================================================================================================================================================================================================>] 9,834,044 2.42MB/s in 4.2s
2023-08-20 20:40:08 (2.23 MB/s) - ‘openssl-1.1.1l.tar.gz’ saved [9834044/9834044]
[root@VM-16-11-centos ~]# tar xf openssl-1.1.1l.tar.gz
[root@VM-16-11-centos ~]# cd openssl-1.1.1l/
[root@VM-16-11-centos openssl-1.1.1l]# ./config --prefix=/usr/local/ssl
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1l (0x101010cfL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
[root@VM-16-11-centos openssl-1.1.1l]# make
...... output omitted; the following output indicates a successful build ......
rm -f test/x509aux
${LDCMD:-gcc} -pthread -m64 -Wa,--noexecstack -Wall -O3 -L. \
-o test/x509aux test/x509aux.o \
test/libtestutil.a -lcrypto -ldl -pthread
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
"-oMakefile" apps/CA.pl.in > "apps/CA.pl"
chmod a+x apps/CA.pl
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
"-oMakefile" apps/tsget.in > "apps/tsget.pl"
chmod a+x apps/tsget.pl
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
"-oMakefile" tools/c_rehash.in > "tools/c_rehash"
chmod a+x tools/c_rehash
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \
"-oMakefile" util/shlib_wrap.sh.in > "util/shlib_wrap.sh"
chmod a+x util/shlib_wrap.sh
make[1]: Leaving directory `/root/openssl-1.1.1l'
[root@VM-16-11-centos openssl-1.1.1l]# make install
...... output omitted; the following output indicates a successful installation ......
/usr/local/ssl/share/doc/openssl/html/man7/X448.html -> /usr/local/ssl/share/doc/openssl/html/man7/X25519.html
/usr/local/ssl/share/doc/openssl/html/man7/bio.html
/usr/local/ssl/share/doc/openssl/html/man7/crypto.html
/usr/local/ssl/share/doc/openssl/html/man7/ct.html
/usr/local/ssl/share/doc/openssl/html/man7/des_modes.html
/usr/local/ssl/share/doc/openssl/html/man7/evp.html
/usr/local/ssl/share/doc/openssl/html/man7/ossl_store-file.html
/usr/local/ssl/share/doc/openssl/html/man7/ossl_store.html
/usr/local/ssl/share/doc/openssl/html/man7/passphrase-encoding.html
/usr/local/ssl/share/doc/openssl/html/man7/proxy-certificates.html
/usr/local/ssl/share/doc/openssl/html/man7/scrypt.html
/usr/local/ssl/share/doc/openssl/html/man7/ssl.html
/usr/local/ssl/share/doc/openssl/html/man7/x509.html
- Update the dynamic linker (ld) configuration and switch the openssl binary
[root@VM-16-11-centos openssl-1.1.1l]# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf.d/openssl-1.1.1l.conf
[root@VM-16-11-centos openssl-1.1.1l]# ldconfig
[root@VM-16-11-centos bin]# which openssl
/usr/bin/openssl
[root@VM-16-11-centos bin]# mv /usr/bin/openssl /usr/bin/openssl1.0.2k
[root@VM-16-11-centos bin]# ln -s /usr/local/ssl/bin/openssl /usr/bin/
[root@VM-16-11-centos bin]# openssl version
OpenSSL 1.1.1l 24 Aug 2021
[root@VM-16-11-centos bin]#
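Two checks bracket the upgrade above, given here as an added example (not from the original post): a parser for the `openssl version` banner that applies the page's rule that OpenSSL 1.1.1 or newer already carries the GM algorithms, and a SHA-256 comparison for the downloaded tarball, which matters because the page fetched it with `--no-check-certificate`. The expected hash is a placeholder that has to be taken from the OpenSSL project's published checksums; the banner strings used in the demo are the two the page shows.

```shell
#!/bin/sh
# Added example (not from the original post): decide from the `openssl version`
# banner whether the upgrade is needed (1.1.1 or newer carries the GM curves),
# and check a downloaded tarball against a published SHA-256 before building.

# Reduce a banner such as "OpenSSL 1.0.2k-fips 26 Jan 2017" to "1.0.2".
# The letter suffix (1.1.1l) is dropped: letter releases are bug-fix only.
openssl_numeric_version() {  # openssl_numeric_version BANNER
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when dotted version A is strictly lower than B (no sort -V needed).
version_lt() {  # version_lt A B
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Exit 0 when the banner is below 1.1.1 (upgrade required), 1 when the step
# can be skipped, 2 when the string is not an OpenSSL version banner.
needs_openssl_upgrade() {  # needs_openssl_upgrade BANNER
    ver=$(openssl_numeric_version "$1")
    if [ -z "$ver" ]; then
        echo "unrecognised banner: $1" >&2
        return 2
    fi
    version_lt "$ver" 1.1.1
}

# Exit 0 when FILE's SHA-256 equals EXPECTED (lower-case hex), 1 otherwise.
tarball_sha256_ok() {  # tarball_sha256_ok FILE EXPECTED
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# Stand-alone demo on the live system, skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    if needs_openssl_upgrade "$banner"; then
        echo "$banner: older than 1.1.1, upgrade required"
    else
        echo "$banner: 1.1.1 or newer; SM2 curve listed by ecparam:"
        openssl ecparam -list_curves 2>/dev/null | grep -i sm2 || echo "  (SM2 not listed)"
    fi
fi
# Archive check, with a placeholder for the hash published by the project:
#   tarball_sha256_ok openssl-1.1.1l.tar.gz <sha256 from openssl.org>
```

Run the script before `./config`: an "upgrade required" line means the yum-provided 1.0.2k is in use, and a failed `tarball_sha256_ok` means the archive must be re-downloaded rather than built.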
Generate a GM certificate
- Generate the private key
[root@VM-16-11-centos ~]# mkdir ssl
[root@VM-16-11-centos ~]# cd ssl/
[root@VM-16-11-centos ssl]# ls
[root@VM-16-11-centos ssl]# openssl ecparam -genkey -name SM2 -out test.key
#ecparam: the openssl ecparam subcommand generates or manipulates elliptic-curve parameters.
#-genkey: tells openssl ecparam to generate a new key pair.
#-name SM2: selects the SM2 elliptic curve. SM2 is a Chinese national cryptographic standard based on elliptic-curve cryptography, widely used in Chinese cryptographic algorithms and applications.
#-out: output file.
- Generate the certificate signing request
[root@VM-16-11-centos ssl]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN #country
State or Province Name (full name) [Some-State]:CN #province
Locality Name (eg, city) []:CN #city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test #company
Organizational Unit Name (eg, section) []:test #department
Common Name (e.g. server FQDN or YOUR name) []:test #the server the certificate is bound to
Email Address []: #contact address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #password, can be skipped
An optional company name []: #optional, can be skipped
#-key: private key file
#-out: output file
- Generate the self-signed certificate
[root@VM-16-11-centos ssl]# openssl x509 -req -in test.csr -signkey test.key -out test.pem
Signature ok
subject=C = CN, ST = CN, L = CN, O = test, OU = test, CN = test
Getting Private key
[root@VM-16-11-centos ssl]#
#-signkey: private key file
#-out: output file
- /root/ssl/ should now contain a private key (.key), a certificate signing request (.csr) and a self-signed certificate (.pem)
Download GM SSL support
- Download address
- Extract the GM SSL package
[root@VM-16-11-centos ~]# tar xf gmssl_openssl_1.1_b8.tar.gz -C /usr/local/
[root@VM-16-11-centos ~]#
Install nginx
- Download and extract the nginx package
[root@VM-16-11-centos ~]# wget https://install.jishuliu.cn/nginx/nginx-1.25.2.tar.gz
--2023-08-20 20:59:59-- https://install.jishuliu.cn/nginx/nginx-1.25.2.tar.gz
Resolving install.jishuliu.cn (install.jishuliu.cn)... 159.75.57.36, 159.75.57.69
Connecting to install.jishuliu.cn (install.jishuliu.cn)|159.75.57.36|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1214903 (1.2M) [application/gzip]
Saving to: ‘nginx-1.25.2.tar.gz’
100%[=======================================================================================================================================================================================================>] 1,214,903 2.54MB/s in 0.5s
2023-08-20 21:00:00 (2.54 MB/s) - ‘nginx-1.25.2.tar.gz’ saved [1214903/1214903]
[root@VM-16-11-centos ~]# tar xf nginx-1.25.2.tar.gz
[root@VM-16-11-centos ~]# cd nginx-1.25.2/
[root@VM-16-11-centos nginx-1.25.2]# ls
auto CHANGES CHANGES.ru conf configure contrib html LICENSE man README src
- Edit a file in the nginx source tree: in auto/lib/openssl/conf under the extracted nginx directory, the lines
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
change the above to:
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
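The edit above can be scripted instead of done by hand in vim. The following is an added example, not part of the original post or of nginx itself: a POSIX sh function that rewrites the four `$OPENSSL/.openssl/` references in `auto/lib/openssl/conf` to `$OPENSSL/`, keeps an `.orig` copy, and refuses to touch the file unless it finds exactly the four lines shown above, so a different nginx release is never left half-patched. The sample file it writes is a constructed copy of those four lines.

```shell
#!/bin/sh
# Added example (not from the original post or the nginx project): rewrite
# nginx's auto/lib/openssl/conf so the build links a prebuilt OpenSSL (here
# the gmssl tree) from $OPENSSL/include and $OPENSSL/lib instead of the
# $OPENSSL/.openssl staging directory nginx normally builds itself.

# Rewrite "$OPENSSL/.openssl/" to "$OPENSSL/" in CONF, keeping CONF.orig.
# Prints the number of rewritten lines. Exit 0 on success, 1 when the file
# does not contain exactly the four expected lines (nothing is changed then),
# 2 when CONF does not exist.
patch_nginx_openssl_conf() {  # patch_nginx_openssl_conf CONF
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    # grep -c exits 1 on zero matches; "|| true" keeps set -e callers alive.
    before=$(grep -c '\$OPENSSL/\.openssl/' "$conf" || true)
    if [ "$before" -ne 4 ]; then
        echo "expected 4 lines with \$OPENSSL/.openssl/, found $before; leaving $conf untouched" >&2
        return 1
    fi
    cp "$conf" "$conf.orig"
    # sed -i is not POSIX, so read the backup and write the result.
    sed 's|\$OPENSSL/\.openssl/|$OPENSSL/|' "$conf.orig" > "$conf"
    after=$(grep -c '\$OPENSSL/\.openssl/' "$conf" || true)
    if [ "$after" -ne 0 ]; then
        echo "rewrite incomplete, $after lines still reference .openssl" >&2
        return 1
    fi
    echo "$before"
}

# Constructed sample: the four lines the post shows before editing.
write_sample_conf() {  # write_sample_conf PATH
    printf '%s\n' \
        'CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"' \
        'CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"' \
        'CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"' \
        'CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"' > "$1"
}

# Stand-alone demo on a temporary copy; on a real tree run
#   patch_nginx_openssl_conf nginx-1.25.2/auto/lib/openssl/conf
demo=$(mktemp)
write_sample_conf "$demo"
patch_nginx_openssl_conf "$demo" && cat "$demo"
rm -f "$demo" "$demo.orig"
```

Running it a second time on the same file fails with "found 0" rather than silently succeeding, which is the behaviour you want from a build-tree patch step.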
- Configure nginx
[root@VM-16-11-centos nginx-1.25.2]# ./configure --prefix=/usr/local/nginx --with-stream_ssl_module --without-http_gzip_module --with-http_ssl_module --with-http_stub_status_module --with-http_v2_module --with-file-aio --with-openssl="/usr/local/gmssl" --with-cc-opt="-I/usr/local/gmssl/include" --with-ld-opt="-lm" --with-openssl-opt=enable-ec_nistp_64_gcc_128
...... output omitted; the following output indicates a successful configuration ......
Configuration summary
+ using system PCRE library
+ using OpenSSL library: /usr/local/gmssl
+ zlib library is not used
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx/conf"
nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
nginx pid file: "/usr/local/nginx/logs/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
#--prefix: installation path
#--with-stream_ssl_module: enables SSL in the stream module, letting Nginx act as a stream (TCP and UDP) proxy server that proxies and forwards SSL traffic.
#--without-http_gzip_module: disables the HTTP gzip module, which compresses HTTP response bodies to reduce transfer size.
#--with-http_ssl_module: enables the HTTP SSL module so Nginx can serve secure HTTP connections over SSL/TLS.
#--with-http_stub_status_module: enables the HTTP stub status module, which exposes a simple URI reporting Nginx's current state, such as active connections and handled requests.
#--with-http_v2_module: enables the HTTP/2 module so Nginx can talk HTTP/2 with clients for more efficient transfers.
#--with-file-aio: enables asynchronous file I/O, which can improve file read/write performance.
#--with-openssl="/usr/local/gmssl": path of the OpenSSL library to use. Here Nginx uses the OpenSSL library under `/usr/local/gmssl`.
#--with-cc-opt="-I/usr/local/gmssl/include": C compiler options. `-I` adds a header search path, here `/usr/local/gmssl/include`, so the required headers are found during compilation.
#--with-ld-opt="-lm": linker options. `-lm` links the math library (libm) into the Nginx executable.
#--with-openssl-opt=enable-ec_nistp_64_gcc_128: options passed to the OpenSSL build. This enables the optimized EC (elliptic-curve) implementation, which uses 64-bit arithmetic with 128-bit intermediates for faster processing.
- Compile nginx
[root@VM-16-11-centos nginx-1.25.2]# make
...... output omitted; the following output indicates a successful build ......
-lm -ldl -lpthread -lcrypt -lpcre /usr/local/gmssl/lib/libssl.a /usr/local/gmssl/lib/libcrypto.a -ldl -lpthread \
-Wl,-E
sed -e "s|%%PREFIX%%|/usr/local/nginx|" \
-e "s|%%PID_PATH%%|/usr/local/nginx/logs/nginx.pid|" \
-e "s|%%CONF_PATH%%|/usr/local/nginx/conf/nginx.conf|" \
-e "s|%%ERROR_LOG_PATH%%|/usr/local/nginx/logs/error.log|" \
< man/nginx.8 > objs/nginx.8
make[1]: Leaving directory `/root/nginx-1.25.2'
- Install nginx
[root@VM-16-11-centos nginx-1.25.2]# make install
make -f objs/Makefile install
make[1]: Entering directory `/root/nginx-1.25.2'
test -d '/usr/local/nginx' || mkdir -p '/usr/local/nginx'
test -d '/usr/local/nginx/sbin' \
|| mkdir -p '/usr/local/nginx/sbin'
test ! -f '/usr/local/nginx/sbin/nginx' \
|| mv '/usr/local/nginx/sbin/nginx' \
'/usr/local/nginx/sbin/nginx.old'
cp objs/nginx '/usr/local/nginx/sbin/nginx'
test -d '/usr/local/nginx/conf' \
|| mkdir -p '/usr/local/nginx/conf'
cp conf/koi-win '/usr/local/nginx/conf'
cp conf/koi-utf '/usr/local/nginx/conf'
cp conf/win-utf '/usr/local/nginx/conf'
test -f '/usr/local/nginx/conf/mime.types' \
|| cp conf/mime.types '/usr/local/nginx/conf'
cp conf/mime.types '/usr/local/nginx/conf/mime.types.default'
test -f '/usr/local/nginx/conf/fastcgi_params' \
|| cp conf/fastcgi_params '/usr/local/nginx/conf'
cp conf/fastcgi_params \
'/usr/local/nginx/conf/fastcgi_params.default'
test -f '/usr/local/nginx/conf/fastcgi.conf' \
|| cp conf/fastcgi.conf '/usr/local/nginx/conf'
cp conf/fastcgi.conf '/usr/local/nginx/conf/fastcgi.conf.default'
test -f '/usr/local/nginx/conf/uwsgi_params' \
|| cp conf/uwsgi_params '/usr/local/nginx/conf'
cp conf/uwsgi_params \
'/usr/local/nginx/conf/uwsgi_params.default'
test -f '/usr/local/nginx/conf/scgi_params' \
|| cp conf/scgi_params '/usr/local/nginx/conf'
cp conf/scgi_params \
'/usr/local/nginx/conf/scgi_params.default'
test -f '/usr/local/nginx/conf/nginx.conf' \
|| cp conf/nginx.conf '/usr/local/nginx/conf/nginx.conf'
cp conf/nginx.conf '/usr/local/nginx/conf/nginx.conf.default'
test -d '/usr/local/nginx/logs' \
|| mkdir -p '/usr/local/nginx/logs'
test -d '/usr/local/nginx/logs' \
|| mkdir -p '/usr/local/nginx/logs'
test -d '/usr/local/nginx/html' \
|| cp -R html '/usr/local/nginx'
test -d '/usr/local/nginx/logs' \
|| mkdir -p '/usr/local/nginx/logs'
make[1]: Leaving directory `/root/nginx-1.25.2'
[root@VM-16-11-centos nginx-1.25.2]#
- Edit the nginx configuration file and start nginx
[root@VM-16-11-centos nginx-1.25.2]# vim /usr/local/nginx/conf/nginx.conf
user root;
worker_processes auto;
error_log logs/error.log;
pid logs/nginx.pid;
events {
use epoll;
worker_connections 10240;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
server {
listen 443 ssl;
server_name 101.201.223.213;
ssl_certificate /root/ssl/test.pem;
ssl_certificate_key /root/ssl/test.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SM4:EDH+SM4:AESGCM+AES128:AESGCM+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA:!SEED;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
}
[root@VM-16-11-centos nginx-1.25.2]# /usr/local/nginx/sbin/nginx -t
License for TEST. SN=E89E76293C73B0AF
OpenSSL(GM version Build230318) by www.gmssl.cn. Test Only!!!
OpenSSL(GM version Build230318) by www.gmssl.cn. Test Only!!!
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@VM-16-11-centos nginx-1.25.2]# /usr/local/nginx/sbin/nginx
License for TEST. SN=E89E76293C73B0AF
OpenSSL(GM version Build230318) by www.gmssl.cn. Test Only!!!
OpenSSL(GM version Build230318) by www.gmssl.cn. Test Only!!!
[root@VM-16-11-centos nginx-1.25.2]#
GM certificates usually come with a passphrase. Either strip it with "openssl ec -in key-with-passphrase -out key-without-passphrase", or add an "ssl_password_file" line under "ssl_certificate_key" in nginx that names a file holding the passphrase, and put the passphrase in that file.
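Before starting nginx, a short audit of the config above catches what a reviewer would flag: `user root;` runs the worker processes as root, `ssl_protocols` still allows TLSv1 and TLSv1.1, and (the caveat just above) a passphrase-protected key with no `ssl_password_file` stops nginx from starting. The following is an added example, not part of the original post or of nginx: a POSIX sh audit that reads the directives with sed, inspects the key's PEM header, and prints one WARN line per finding. It writes its own constructed sample site in two variants, a weak one mirroring the post's config and a hardened one, with a stub key whose header marks it as encrypted; `example.invalid`, the `nginx` user and the passphrase file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from nginx): audit an nginx.conf
# like the one above before starting the server. Findings: worker processes
# running as root, TLSv1/TLSv1.1 still enabled, a missing key file, or a
# passphrase-protected key without ssl_password_file.

# Print the value of the first DIRECTIVE in FILE (nothing when absent).
conf_value() {  # conf_value FILE DIRECTIVE
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# True when a PEM private key is passphrase-protected: PKCS#8 "ENCRYPTED
# PRIVATE KEY" envelope or the traditional "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {  # key_is_encrypted KEYFILE
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Print one "WARN: ..." line per finding, then the number of findings.
audit_nginx_conf() {  # audit_nginx_conf CONF
    conf=$1
    findings=0
    if grep -Eq '^[[:space:]]*user[[:space:]]+root[[:space:]]*;' "$conf"; then
        echo "WARN: 'user root;' runs worker processes as root; use a dedicated unprivileged user"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$conf"; then
        echo "WARN: ssl_protocols still enables TLSv1/TLSv1.1 (deprecated); keep TLSv1.2 and newer"
        findings=$((findings + 1))
    fi
    key=$(conf_value "$conf" ssl_certificate_key)
    pw=$(conf_value "$conf" ssl_password_file)
    if [ -n "$key" ]; then
        # Relative key paths are resolved against the conf file's directory.
        case $key in /*) ;; *) key="$(dirname "$conf")/$key" ;; esac
        if [ ! -r "$key" ]; then
            echo "WARN: ssl_certificate_key $key is missing or unreadable"
            findings=$((findings + 1))
        elif key_is_encrypted "$key" && [ -z "$pw" ]; then
            echo "WARN: $key is passphrase-protected but no ssl_password_file is set; nginx will not start"
            findings=$((findings + 1))
        fi
    fi
    echo "$findings"
}

# Constructed sample site: a stub key whose header says "encrypted" (no real
# key material) and a config in either the post's weak form or a hardened one.
write_sample_site() {  # write_sample_site DIR weak|hardened
    dir=$1
    mkdir -p "$dir/ssl"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
        'c3R1YiBvbmx5' '-----END EC PRIVATE KEY-----' > "$dir/ssl/test.key"
    printf 'placeholder-passphrase\n' > "$dir/ssl/test.pass"
    chmod 600 "$dir/ssl/test.key" "$dir/ssl/test.pass"
    if [ "$2" = hardened ]; then
        run_as=nginx; protocols=TLSv1.2; pwline="ssl_password_file $dir/ssl/test.pass;"
    else
        run_as=root; protocols='TLSv1 TLSv1.1 TLSv1.2'; pwline=''
    fi
    cat > "$dir/nginx.conf" <<EOF
user $run_as;
worker_processes auto;
events { worker_connections 10240; }
http {
    server {
        listen 443 ssl;
        server_name example.invalid;
        ssl_certificate     $dir/ssl/test.pem;
        ssl_certificate_key $dir/ssl/test.key;
        $pwline
        ssl_protocols $protocols;
        ssl_prefer_server_ciphers on;
    }
}
EOF
}

# Stand-alone demo: audit the weak variant, then the hardened one.
demo=$(mktemp -d)
write_sample_site "$demo/weak" weak
audit_nginx_conf "$demo/weak/nginx.conf"
write_sample_site "$demo/hardened" hardened
audit_nginx_conf "$demo/hardened/nginx.conf"
rm -rf "$demo"
```

On a real install run `audit_nginx_conf /usr/local/nginx/conf/nginx.conf` before `nginx -t`: the weak variant above yields three findings, the hardened one none, and a key that was left passphrase-protected is reported before nginx fails to load it.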
Check whether the configuration succeeded
- Visit a GM-support detection website to test the server. If the GM configuration succeeded, it outputs the following (make sure the server firewall is open):
- The complete result should look like this (since this is a self-signed certificate, there will be many errors)