国密改造

“应相关单位要求,本文以沃通证书为例”

1 操作过程

1.1 配置 JumpServer

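  # Enable the GM (SM-series) algorithm in JumpServer.
  # NOTE(review): SECURITY_DATA_CRYPTO_ALGO presumably selects how JumpServer
  # encrypts the data it stores; on a deployment that already holds encrypted
  # secrets, back up first and confirm in the release notes how existing data
  # is handled before switching the algorithm.
  vi /opt/jumpserver/config/config.txt
  # In config.txt add (or change) this line:
  #   SECURITY_DATA_CRYPTO_ALGO=gm
  #
  # Restart only when the setting is really present, so a typo is caught
  # before the service is bounced.
  grep -n '^SECURITY_DATA_CRYPTO_ALGO=gm$' /opt/jumpserver/config/config.txt \
    && ./jmsctl.sh restart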

1.2 配置 Nginx

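  # Pull the GM-capable nginx image.
  # NOTE(review): this is a personal Docker Hub repository, and the retag below
  # makes it look like an official jumpserver/ image. Record the digest that was
  # actually pulled (docker image inspect --format '{{index .RepoDigests 0}}' ...)
  # and pin it as image@sha256:... on every other host, so the same bits deploy.
  docker pull wojiushixiaobai/wotrus_nginx:v1.20.2
  docker tag wojiushixiaobai/wotrus_nginx:v1.20.2 jumpserver/wotrus_nginx:v1.20.2
  docker rmi wojiushixiaobai/wotrus_nginx:v1.20.2   # drops the old tag only, not the image

  # Unpack the certificates into /opt/sslkey. Expected contents:
  #   test.domain.localhost_bundle.crt              RSA chain (transitional use)
  #   test.domain.localhost_RSA.key                 RSA private key
  #   test.domain.localhost_sm2_sign_bundle.crt     SM2 signing certificate chain
  #   test.domain.localhost_sm2_encrypt_bundle.crt  SM2 encryption certificate chain
  #   test.domain.localhost_SM2.key                 SM2 private key
  ls -l /opt/sslkey
  # The keys unpack as 0644, i.e. world-readable. Private keys must be readable
  # by root only; nginx's master process reads them at startup (it runs as root
  # in stock images — if this image runs nginx unprivileged, chown to that user).
  chown root:root /opt/sslkey/*.key
  chmod 600 /opt/sslkey/*.key

  # Edit the nginx site config (contents below).
  vi /opt/default.conf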

Nginx

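  server {
      listen 80;
      server_name test.domain.localhost;           # change to your domain
      return 301 https://$server_name$request_uri; # force HTTPS
  }

  server {
      listen 443 ssl;
      server_name test.domain.localhost;           # change to your domain

      # TLS 1.0/1.1 are deprecated (RFC 8996) and only served legacy clients;
      # do not re-enable them. If this build negotiates the GM (GM/T 0024)
      # handshake under its own protocol keyword, add that keyword here rather
      # than TLSv1/TLSv1.1 — confirm against the image's documentation.
      ssl_protocols TLSv1.2;

      # GM suite first, then ECDH/AES-GCM/HIGH. MEDIUM is dropped and 3DES is
      # excluded explicitly, because older OpenSSL-style builds still class
      # 3DES as HIGH.
      ssl_ciphers ECC-SM4-SM3:ECDH:AESGCM:HIGH:!RC4:!3DES:!DH:!MD5:!aNULL:!eNULL;
      ssl_prefer_server_ciphers on;

      ssl_verify_client off;                       # no client (mTLS) certificates
      ssl_session_cache shared:SSL:10m;            # resumption cache shared across workers
      ssl_session_timeout 5m;
      ssl_session_tickets off;                     # a long-lived ticket key would undermine forward secrecy

      # Transitional RSA certificate (for clients without GM support):
      # ssl_certificate     sslkey/test.domain.localhost_bundle.crt;
      # ssl_certificate_key sslkey/test.domain.localhost_RSA.key;

      # GM "double certificate": signing cert/key, then encryption cert/key.
      # NOTE(review): both certificates are bound to the same SM2 key file here.
      # GM/T 0024 envisions a separate key for the encryption certificate; if
      # the CA delivered one, reference it on the second ssl_certificate_key.
      ssl_certificate     sslkey/test.domain.localhost_sm2_sign_bundle.crt;
      ssl_certificate_key sslkey/test.domain.localhost_SM2.key;
      ssl_certificate     sslkey/test.domain.localhost_sm2_encrypt_bundle.crt;
      ssl_certificate_key sslkey/test.domain.localhost_SM2.key;

      client_max_body_size 5000m;                  # upload limit; deliberately large, so authentication is the only bound on abuse

      location / {
          proxy_pass http://192.168.100.100;       # backend JumpServer; this hop is plain HTTP, keep it on a trusted network
          proxy_buffering off;
          proxy_request_buffering off;
          proxy_http_version 1.1;
          proxy_set_header Host $host;
          proxy_set_header Upgrade $http_upgrade;           # WebSocket passthrough
          proxy_set_header Connection $http_connection;
          proxy_set_header X-Forwarded-For $remote_addr;    # $remote_addr, not the client-supplied header, so it cannot be spoofed
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-Proto $scheme;       # tell the backend the client connection was HTTPS
          proxy_ignore_client_abort on;
          proxy_connect_timeout 600;
          proxy_send_timeout 600;
          proxy_read_timeout 600;
          send_timeout 6000;
      }
  }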

1.3 启动容器

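  # Start the GM-enabled nginx in front of JumpServer.
  # Both bind mounts are read-only: nginx only needs to read the certificates,
  # keys and config, so a compromised container cannot tamper with them.
  # -p binds on all host interfaces; use -p ADDR:443:443 if the host also has
  # a management interface that should not expose the bastion.
  docker run --name nginx -d --restart=always \
    -p 80:80 -p 443:443 \
    -v /opt/sslkey:/etc/nginx/sslkey:ro \
    -v /opt/default.conf:/etc/nginx/conf.d/default.conf:ro \
    jumpserver/wotrus_nginx:v1.20.2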