使用Docker编译OpenResty支持国密ssl加密
编译环境
执行编译操作环境如下
#操作系统
CentOS Linux release 7.4.1708 (Core)
#docker版本
Version: 19.03.5
编译过程
Dockerfile
FROM centos:7
WORKDIR /usr/local/gm-openresty
# 安装所需依赖包
RUN yum -y install perl make gcc gcc-c++ libstdc++-devel pcre-devel zlib-devel net-tools pcre wget && \
yum clean all && \
wget https://www.gmssl.cn/gmssl/Tool_Down?File=gmssl_openssl_1.1_b4.tar.gz && tar xzfm Tool_Down?File=gmssl_openssl_1.1_b4.tar.gz -C /usr/local && \
wget https://openresty.org/download/openresty-1.19.3.1.tar.gz && tar xzfm openresty-1.19.3.1.tar.gz && \
ln -s /usr/lib64/libpcre.so.1 /usr/lib64/libpcre.so.3
RUN sed -i 's#$OPENSSL/.openssl/#$OPENSSL/#p' /usr/local/gm-openresty/openresty-1.19.3.1/bundle/nginx-1.19.3/auto/lib/openssl/conf && \
cd openresty-1.19.3.1/ && \
./configure \
--without-http_gzip_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_v2_module \
--with-file-aio \
--with-openssl="/usr/local/gmssl" \
--with-cc-opt="-I/usr/local/gmssl/include" \
--with-ld-opt="-lm" && \
make install && \
rm -rf /usr/local/gm-openresty/* && \
ln -sf /dev/stdout /usr/local/openresty/nginx/logs/access.log && \
ln -sf /dev/stderr /usr/local/openresty/nginx/logs/error.log
# Add additional binaries into PATH for convenience
ENV PATH=$PATH:/usr/local/openresty/luajit/bin:/usr/local/openresty/nginx/sbin:/usr/local/openresty/bin
EXPOSE 80 443
CMD ["/usr/bin/openresty", "-g", "daemon off;"]
# Use SIGQUIT instead of default SIGTERM to cleanly drain requests
# See https://github.com/openresty/docker-openresty/blob/master/README.md#tips--pitfalls
STOPSIGNAL SIGQUIT
- 构建镜像
docker build -t openresty-gm:v1 .
- 启动
docker run -it -p 80:80 -p 443:443 -v /root/openresty/cert:/usr/local/cert -v /root/openresty/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf openresty-gm:v1 bash
nginx.conf内容
worker_processes 2;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server
{
listen 0.0.0.0:80;
listen 0.0.0.0:443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
ssl_verify_client off;
ssl_certificate /usr/local/cert/test.cn_RSA.crt;
ssl_certificate_key /usr/local/cert/test.cn_RSA.key;
ssl_certificate /usr/local/cert/test.cn_sm2_sign.crt;
ssl_certificate_key /usr/local/cert/test.cn_SM2.key;
ssl_certificate /usr/local/cert/test.cn_sm2_encrypt.crt;
ssl_certificate_key /usr/local/cert/test.gov.cn_SM2.key;
location /
{
root html;
index index.html index.htm;
}
}
}
- 客户端使用360安全浏览器访问
参考文章