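Building an OpenResty Image with GM (Chinese National Cryptography) SSL Support
阿新 • Published: 2021-07-02
The build was performed in the following environment:
CentOS Linux release 7.9.2009 (Core)
The build was run from the directory /root/openresty
- Build GmSSL
GmSSL download URL: https://github.com/guanzhi/GmSSL/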
./config
make
make install
- Build and install OpenResty
OpenResty download URL: https://openresty.org/download/openresty-1.19.3.1.tar.gz
yum -y install pcre-devel
yum install -y zlib-devel
./configure
make -j4
make install
After the build, the package is located in /usr/local/openresty. Move it into the openresty directory next to the Dockerfile so that COPY can pick it up.
Dockerfile
FROM centos:7

# nginx depends on pcre, so install it
RUN yum install -y net-tools pcre pcre-devel

# libpcre.so.3 may not be found at run time; a symlink fixes that
RUN ln -s /usr/lib64/libpcre.so.1 /usr/lib64/libpcre.so.3

# Copy the freshly built openresty and gmssl into the container
COPY ./openresty /usr/local/openresty

# Copy in libcrypto.so, libcrypto.so.1.1, libssl.so and libssl.so.1.1
# (I had already placed these files under /usr/local/openresty/nginx/sbin,
# so I copy them directly here); their original path is under /usr/local/GmSSL-master/
COPY ./GmSSL-master/ /usr/lib64/

# Copy gmssl
COPY ./GmSSL-master/ /usr/local/GmSSL-master/

# Add additional binaries into PATH for convenience
ENV PATH=$PATH:/usr/local/openresty/luajit/bin:/usr/local/openresty/nginx/sbin:/usr/local/openresty/bin

# Run nginx in the foreground so the container keeps running
CMD ["openresty", "-g", "daemon off;"]

# Use SIGQUIT instead of default SIGTERM to cleanly drain requests
# See https://github.com/openresty/docker-openresty/blob/master/README.md#tips--pitfalls
STOPSIGNAL SIGQUIT
- Build the image
docker build -t openresty-gm:v1 .
- Start the container
docker run -it -p 80:80 -p 443:443 -v /root/openresty/cert:/usr/local/cert -v /root/openresty/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf openresty-gm:v1 bash
Contents of nginx.conf
worker_processes 2;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 0.0.0.0:80;
        listen 0.0.0.0:443 ssl;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
        ssl_verify_client off;

        ssl_certificate /usr/local/cert/test.cn_RSA.crt;
        ssl_certificate_key /usr/local/cert/test.cn_RSA.key;

        ssl_certificate /usr/local/cert/test.cn_sm2_sign.crt;
        ssl_certificate_key /usr/local/cert/test.cn_SM2.key;

        ssl_certificate /usr/local/cert/test.cn_sm2_encrypt.crt;
        ssl_certificate_key /usr/local/cert/test.gov.cn_SM2.key;

        location / {
            root html;
            index index.html index.htm;
        }
    }
}
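As an added example (not part of the original post), this Python audit reads the TLS directives of the nginx.conf above, flags deprecated protocol versions and weak non-SM cipher suites, and checks that each ssl_certificate is followed by a plausibly matching ssl_certificate_key. The function names and the filename-prefix heuristic are assumptions made for this example; the sample input is constructed from the directives shown on this page.

```python
import os
import re
# Constructed sample: the TLS directives of the nginx.conf shown on this page.
SAMPLE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
ssl_certificate /usr/local/cert/test.cn_RSA.crt;
ssl_certificate_key /usr/local/cert/test.cn_RSA.key;
ssl_certificate /usr/local/cert/test.cn_sm2_sign.crt;
ssl_certificate_key /usr/local/cert/test.cn_SM2.key;
ssl_certificate /usr/local/cert/test.cn_sm2_encrypt.crt;
ssl_certificate_key /usr/local/cert/test.gov.cn_SM2.key;
"""
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996

def directives(conf, name):
    """Arguments of every `name ...;` directive, with # comments removed."""
    conf = re.sub(r"#[^\n]*", "", conf)
    pattern = r"\b%s\s+([^;]+);" % re.escape(name)
    return [m.group(1).split() for m in re.finditer(pattern, conf)]

def cipher_issue(suite):
    """Reason an explicitly named suite is weak, or None if no rule applies."""
    if "SM4" in suite or "SM3" in suite:
        return None  # SM suite: not judged here, only usable with the GmSSL build
    if "DES" in suite or "RC4" in suite:
        return "legacy cipher (3DES/RC4)"
    if not suite.startswith(("ECDHE-", "DHE-")):
        return "static RSA key exchange, no forward secrecy"
    return None if "GCM" in suite or "CHACHA20" in suite else "CBC-mode suite"

def audit(conf):
    """Return a list of findings for the TLS directives in an nginx config."""
    findings = []
    for args in directives(conf, "ssl_protocols"):
        findings += ["protocol %s is deprecated" % p for p in args if p in LEGACY_PROTOCOLS]
    for args in directives(conf, "ssl_ciphers"):
        for suite in args[0].split(":"):
            if (issue := cipher_issue(suite)):
                findings.append("cipher %s: %s" % (suite, issue))
    certs = [a[0] for a in directives(conf, "ssl_certificate")]
    keys = [a[0] for a in directives(conf, "ssl_certificate_key")]
    if len(certs) != len(keys):
        findings.append("%d certificates but %d keys" % (len(certs), len(keys)))
    for cert, key in zip(certs, keys):  # matched by position; prefix check is a heuristic
        # Assumption: paired files share the name part before the first "_".
        if os.path.basename(cert).split("_")[0] != os.path.basename(key).split("_")[0]:
            findings.append("check that key %s belongs to %s" % (key, cert))
    return findings
```

Calling `audit(SAMPLE_CONF)` returns five findings for the configuration above; the rules only understand explicitly named suites, not OpenSSL keywords such as `HIGH` or `!aNULL`.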
- Client access
References