本文 首发于 Anyeの小站,转载请取得作者同意。
前言
国密算法是国家商用密码算法的简称。自2012年以来,国家密码管理局以《中华人民共和国密码行业标准》的方式,陆续公布了SM2/SM3/SM4等密码算法标准及其应用规范。其中“SM”代表“商密”,即用于商用的、不涉及国家秘密的密码技术。其中SM2为基于椭圆曲线密码的公钥密码算法标准,包含数字签名、密钥交换和公钥加密,用于替换RSA/Diffie-Hellman/ECDSA/ECDH等国际算法;SM3为密码哈希算法,用于替代MD5/SHA-1/SHA-256等国际算法;SM4为分组密码,用于替代DES/AES等国际算法;SM9为基于身份的密码算法,可以替代基于数字证书的PKI/CA体系。通过部署国密算法,可以降低由弱密码和错误实现带来的安全风险和部署PKI/CA带来的开销。
——The GmSSL Project
本着学习的态度,本文将尝试为 1Panel 所使用的 Web 平台:OpenResty 来适配 GMSSL。
Demo
Anye导航站
该站点已部署国密证书,实现国密/RSA单向自适应,国密证书于2024-5-15日到期,仅供参考。
准备工作
- 安装好 1Panel 的服务器一台
- 优良的网络环境
- 相关基础知识
误区说明
https://www.gmssl.cn/ 与 http://gmssl.org/ 并非同一项目,本文中所使用的为前者。
警告!!!
本教程中所使用的 openssl国密版 来自 GMSSL - 国密SSL实验室 ,免费版本每年年底失效,程序会自动退出,需更新库,重新链接。请勿用于正式/生产环境,后果自负。
正片开始
Docker 兼容
为了使自编译的 OpenResty 能够与 1Panel 的相关组件完美配合,首先得找到 1Panel所使用的 OpenResty Dockerfile,可以找到:https://github.com/openresty/docker-openresty ,找到当前版本:1.21.4.3-0-focal
# Dockerfile - Ubuntu Focal
# https://github.com/openresty/docker-openrestyARG RESTY_IMAGE_BASE="ubuntu"
ARG RESTY_IMAGE_TAG="focal"FROM ${RESTY_IMAGE_BASE}:${RESTY_IMAGE_TAG}LABEL maintainer="Evan Wies <evan@neomantra.net>"# Docker Build Arguments
ARG RESTY_IMAGE_BASE="ubuntu"
ARG RESTY_IMAGE_TAG="focal"
ARG RESTY_VERSION="1.21.4.3"
ARG RESTY_LUAROCKS_VERSION="3.9.2"
ARG RESTY_OPENSSL_VERSION="1.1.1w"
ARG RESTY_OPENSSL_PATCH_VERSION="1.1.1f"
ARG RESTY_OPENSSL_URL_BASE="https://www.openssl.org/source"
ARG RESTY_PCRE_VERSION="8.45"
ARG RESTY_PCRE_BUILD_OPTIONS="--enable-jit"
ARG RESTY_PCRE_SHA256="4e6ce03e0336e8b4a3d6c2b70b1c5e18590a5673a98186da90d4f33c23defc09"
ARG RESTY_J="1"
ARG RESTY_CONFIG_OPTIONS="\--with-compat \--with-file-aio \--with-http_addition_module \--with-http_auth_request_module \--with-http_dav_module \--with-http_flv_module \--with-http_geoip_module=dynamic \--with-http_gunzip_module \--with-http_gzip_static_module \--with-http_image_filter_module=dynamic \--with-http_mp4_module \--with-http_random_index_module \--with-http_realip_module \--with-http_secure_link_module \--with-http_slice_module \--with-http_ssl_module \--with-http_stub_status_module \--with-http_sub_module \--with-http_v2_module \--with-http_xslt_module=dynamic \--with-ipv6 \--with-mail \--with-mail_ssl_module \--with-md5-asm \--with-sha1-asm \--with-stream \--with-stream_ssl_module \--with-threads \"
ARG RESTY_CONFIG_OPTIONS_MORE=""
ARG RESTY_LUAJIT_OPTIONS="--with-luajit-xcflags='-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT'"
ARG RESTY_PCRE_OPTIONS="--with-pcre-jit"ARG RESTY_ADD_PACKAGE_BUILDDEPS=""
ARG RESTY_ADD_PACKAGE_RUNDEPS=""
ARG RESTY_EVAL_PRE_CONFIGURE=""
ARG RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE=""
ARG RESTY_EVAL_POST_MAKE=""# These are not intended to be user-specified
ARG _RESTY_CONFIG_DEPS="--with-pcre \--with-cc-opt='-DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \--with-ld-opt='-L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' \"LABEL resty_image_base="${RESTY_IMAGE_BASE}"
LABEL resty_image_tag="${RESTY_IMAGE_TAG}"
LABEL resty_version="${RESTY_VERSION}"
LABEL resty_luarocks_version="${RESTY_LUAROCKS_VERSION}"
LABEL resty_openssl_version="${RESTY_OPENSSL_VERSION}"
LABEL resty_openssl_patch_version="${RESTY_OPENSSL_PATCH_VERSION}"
LABEL resty_openssl_url_base="${RESTY_OPENSSL_URL_BASE}"
LABEL resty_pcre_version="${RESTY_PCRE_VERSION}"
LABEL resty_pcre_build_options="${RESTY_PCRE_BUILD_OPTIONS}"
LABEL resty_pcre_sha256="${RESTY_PCRE_SHA256}"
LABEL resty_config_options="${RESTY_CONFIG_OPTIONS}"
LABEL resty_config_options_more="${RESTY_CONFIG_OPTIONS_MORE}"
LABEL resty_config_deps="${_RESTY_CONFIG_DEPS}"
LABEL resty_add_package_builddeps="${RESTY_ADD_PACKAGE_BUILDDEPS}"
LABEL resty_add_package_rundeps="${RESTY_ADD_PACKAGE_RUNDEPS}"
LABEL resty_eval_pre_configure="${RESTY_EVAL_PRE_CONFIGURE}"
LABEL resty_eval_post_download_pre_configure="${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}"
LABEL resty_eval_post_make="${RESTY_EVAL_POST_MAKE}"
LABEL resty_luajit_options="${RESTY_LUAJIT_OPTIONS}"
LABEL resty_pcre_options="${RESTY_PCRE_OPTIONS}"RUN DEBIAN_FRONTEND=noninteractive apt-get update \&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \build-essential \ca-certificates \curl \gettext-base \libgd-dev \libgeoip-dev \libncurses5-dev \libperl-dev \libreadline-dev \libxslt1-dev \make \perl \unzip \wget \zlib1g-dev \${RESTY_ADD_PACKAGE_BUILDDEPS} \${RESTY_ADD_PACKAGE_RUNDEPS} \&& cd /tmp \&& if [ -n "${RESTY_EVAL_PRE_CONFIGURE}" ]; then eval $(echo ${RESTY_EVAL_PRE_CONFIGURE}); fi \&& curl -fSL "${RESTY_OPENSSL_URL_BASE}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" -o openssl-${RESTY_OPENSSL_VERSION}.tar.gz \&& tar xzf openssl-${RESTY_OPENSSL_VERSION}.tar.gz \&& cd openssl-${RESTY_OPENSSL_VERSION} \&& if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.1" ] ; then \echo 'patching OpenSSL 1.1.1 for OpenResty' \&& curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \fi \&& if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.0" ] ; then \echo 'patching OpenSSL 1.1.0 for OpenResty' \&& curl -s https://raw.githubusercontent.com/openresty/openresty/ed328977028c3ec3033bc25873ee360056e247cd/patches/openssl-1.1.0j-parallel_build_fix.patch | patch -p1 \&& curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \fi \&& ./config \no-threads shared zlib -g \enable-ssl3 enable-ssl3-method \--prefix=/usr/local/openresty/openssl \--libdir=lib \-Wl,-rpath,/usr/local/openresty/openssl/lib \&& make -j${RESTY_J} \&& make -j${RESTY_J} install_sw \&& cd /tmp \&& curl -fSL https://downloads.sourceforge.net/project/pcre/pcre/${RESTY_PCRE_VERSION}/pcre-${RESTY_PCRE_VERSION}.tar.gz -o pcre-${RESTY_PCRE_VERSION}.tar.gz \&& echo "${RESTY_PCRE_SHA256} pcre-${RESTY_PCRE_VERSION}.tar.gz" | shasum -a 256 --check \&& tar xzf pcre-${RESTY_PCRE_VERSION}.tar.gz \&& cd /tmp/pcre-${RESTY_PCRE_VERSION} \&& ./configure \--prefix=/usr/local/openresty/pcre \--disable-cpp \--enable-utf \--enable-unicode-properties \${RESTY_PCRE_BUILD_OPTIONS} \&& make -j${RESTY_J} \&& make -j${RESTY_J} install \&& cd /tmp \&& curl -fSL https://openresty.org/download/openresty-${RESTY_VERSION}.tar.gz -o openresty-${RESTY_VERSION}.tar.gz \&& tar xzf openresty-${RESTY_VERSION}.tar.gz \&& cd /tmp/openresty-${RESTY_VERSION} \&& if [ -n "${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}" ]; then eval $(echo ${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}); fi \&& eval ./configure -j${RESTY_J} ${_RESTY_CONFIG_DEPS} ${RESTY_CONFIG_OPTIONS} ${RESTY_CONFIG_OPTIONS_MORE} ${RESTY_LUAJIT_OPTIONS} ${RESTY_PCRE_OPTIONS} \&& make -j${RESTY_J} \&& make -j${RESTY_J} install \&& cd /tmp \&& rm -rf \openssl-${RESTY_OPENSSL_VERSION}.tar.gz openssl-${RESTY_OPENSSL_VERSION} \pcre-${RESTY_PCRE_VERSION}.tar.gz pcre-${RESTY_PCRE_VERSION} \openresty-${RESTY_VERSION}.tar.gz openresty-${RESTY_VERSION} \&& curl -fSL https://luarocks.github.io/luarocks/releases/luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz -o luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz \&& tar xzf luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz \&& cd luarocks-${RESTY_LUAROCKS_VERSION} \&& ./configure \--prefix=/usr/local/openresty/luajit \--with-lua=/usr/local/openresty/luajit \--lua-suffix=jit-2.1.0-beta3 \--with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1 \&& make build \&& make install \&& cd /tmp \&& if [ -n "${RESTY_EVAL_POST_MAKE}" ]; then eval $(echo ${RESTY_EVAL_POST_MAKE}); fi \&& rm -rf luarocks-${RESTY_LUAROCKS_VERSION} luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz \&& if [ -n "${RESTY_ADD_PACKAGE_BUILDDEPS}" ]; then DEBIAN_FRONTEND=noninteractive apt-get remove -y --purge ${RESTY_ADD_PACKAGE_BUILDDEPS} ; fi \&& DEBIAN_FRONTEND=noninteractive apt-get autoremove -y \&& mkdir -p /var/run/openresty \&& ln -sf /dev/stdout /usr/local/openresty/nginx/logs/access.log \&& ln -sf /dev/stderr /usr/local/openresty/nginx/logs/error.log# Add additional binaries into PATH for convenience
ENV PATH=$PATH:/usr/local/openresty/luajit/bin:/usr/local/openresty/nginx/sbin:/usr/local/openresty/bin# Add LuaRocks paths
# If OpenResty changes, these may need updating:
# /usr/local/openresty/bin/resty -e 'print(package.path)'
# /usr/local/openresty/bin/resty -e 'print(package.cpath)'
ENV LUA_PATH="/usr/local/openresty/site/lualib/?.ljbc;/usr/local/openresty/site/lualib/?/init.ljbc;/usr/local/openresty/lualib/?.ljbc;/usr/local/openresty/lualib/?/init.ljbc;/usr/local/openresty/site/lualib/?.lua;/usr/local/openresty/site/lualib/?/init.lua;/usr/local/openresty/lualib/?.lua;/usr/local/openresty/lualib/?/init.lua;./?.lua;/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/openresty/luajit/share/lua/5.1/?.lua;/usr/local/openresty/luajit/share/lua/5.1/?/init.lua"ENV LUA_CPATH="/usr/local/openresty/site/lualib/?.so;/usr/local/openresty/lualib/?.so;./?.so;/usr/local/lib/lua/5.1/?.so;/usr/local/openresty/luajit/lib/lua/5.1/?.so;/usr/local/lib/lua/5.1/loadall.so;/usr/local/openresty/luajit/lib/lua/5.1/?.so"# Copy nginx configuration files
COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
COPY nginx.vh.default.conf /etc/nginx/conf.d/default.confCMD ["/usr/local/openresty/bin/openresty", "-g", "daemon off;"]# Use SIGQUIT instead of default SIGTERM to cleanly drain requests
# See https://github.com/openresty/docker-openresty/blob/master/README.md#tips--pitfalls
STOPSIGNAL SIGQUIT
分析后可知,我们只需替换其中的 Openssl 模块即可。
GMSSL 简述
GMSSL - 国密SSL实验室 官网为 Nginx 作出了国密支持,OpenResty 作为 Nginx 的衍生项目,理论上同样支持使用 GMSSL 提供的 openssl 国密版。所以采用同样的方式进行替换。
cd /tmp \&& curl -fSL "${RESTY_OPENSSL_URL_BASE}/gmssl_openssl_${RESTY_OPENSSL_VERSION}.tar.gz" -o gmssl_openssl_${RESTY_OPENSSL_VERSION}.tar.gz \&& tar xzfm gmssl_openssl_${RESTY_OPENSSL_VERSION}.tar.gz -C /usr/local \&& ln -s /usr/local/gmssl /usr/local/openssl \
在编译配置中添加:
ARG RESTY_CONFIG_OPTIONS="\--with-openssl=/usr/local/gmssl \
将 Nginx 目录中的 auto/lib/openssl/conf,全部 $OPENSSL/.openssl/ 修改为 $OPENSSL/ 并保存。
sed -i 's/\$OPENSSL\/\.openssl\//\$OPENSSL\//g' ./bundle/nginx-1.21.4/auto/lib/openssl/conf \
修改后的完整 Dockerfile 如下
# Dockerfile - Ubuntu Focal
# https://github.com/openresty/docker-openrestyARG RESTY_IMAGE_BASE="ubuntu"
ARG RESTY_IMAGE_TAG="focal"FROM ${RESTY_IMAGE_BASE}:${RESTY_IMAGE_TAG}LABEL maintainer="Anyexyz <anyexyz@foxmail.com>"# 构建参数
ARG RESTY_IMAGE_BASE="ubuntu"
ARG RESTY_IMAGE_TAG="focal"
ARG RESTY_VERSION="1.21.4.3"
ARG RESTY_LUAROCKS_VERSION="3.9.2"
ARG RESTY_OPENSSL_VERSION="1.1_b2024_x64_1"
ARG RESTY_OPENSSL_URL_BASE="https://www.gmssl.cn/gmssl/down/"
ARG RESTY_PCRE_VERSION="8.45"
ARG RESTY_PCRE_BUILD_OPTIONS="--enable-jit"
ARG RESTY_PCRE_SHA256="4e6ce03e0336e8b4a3d6c2b70b1c5e18590a5673a98186da90d4f33c23defc09"
ARG RESTY_J="2"
ARG RESTY_CONFIG_OPTIONS="\--with-openssl=/usr/local/gmssl \--with-compat \--with-file-aio \--with-http_addition_module \--with-http_auth_request_module \--with-http_dav_module \--with-http_flv_module \--with-http_geoip_module=dynamic \--with-http_gunzip_module \--with-http_gzip_static_module \--with-http_image_filter_module=dynamic \--with-http_mp4_module \--with-http_random_index_module \--with-http_realip_module \--with-http_secure_link_module \--with-http_slice_module \--with-http_ssl_module \--with-http_stub_status_module \--with-http_sub_module \--with-http_v2_module \--with-http_xslt_module=dynamic \--with-ipv6 \--with-mail \--with-mail_ssl_module \--with-md5-asm \--with-sha1-asm \--with-stream \--with-stream_ssl_module \--with-threads \"
ARG RESTY_CONFIG_OPTIONS_MORE=""
ARG RESTY_LUAJIT_OPTIONS="--with-luajit-xcflags='-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT'"
ARG RESTY_PCRE_OPTIONS="--with-pcre-jit"ARG RESTY_ADD_PACKAGE_BUILDDEPS=""
ARG RESTY_ADD_PACKAGE_RUNDEPS=""
ARG RESTY_EVAL_PRE_CONFIGURE=""
ARG RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE=""
ARG RESTY_EVAL_POST_MAKE=""# 以下不需要修改
ARG _RESTY_CONFIG_DEPS="--with-pcre \--with-cc-opt='-DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \--with-ld-opt='-L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' \"LABEL resty_image_base="${RESTY_IMAGE_BASE}"
LABEL resty_image_tag="${RESTY_IMAGE_TAG}"
LABEL resty_version="${RESTY_VERSION}"
LABEL resty_luarocks_version="${RESTY_LUAROCKS_VERSION}"
LABEL resty_openssl_version="${RESTY_OPENSSL_VERSION}"
LABEL resty_openssl_patch_version="${RESTY_OPENSSL_PATCH_VERSION}"
LABEL resty_openssl_url_base="${RESTY_OPENSSL_URL_BASE}"
LABEL resty_pcre_version="${RESTY_PCRE_VERSION}"
LABEL resty_pcre_build_options="${RESTY_PCRE_BUILD_OPTIONS}"
LABEL resty_pcre_sha256="${RESTY_PCRE_SHA256}"
LABEL resty_config_options="${RESTY_CONFIG_OPTIONS}"
LABEL resty_config_options_more="${RESTY_CONFIG_OPTIONS_MORE}"
LABEL resty_config_deps="${_RESTY_CONFIG_DEPS}"
LABEL resty_add_package_builddeps="${RESTY_ADD_PACKAGE_BUILDDEPS}"
LABEL resty_add_package_rundeps="${RESTY_ADD_PACKAGE_RUNDEPS}"
LABEL resty_eval_pre_configure="${RESTY_EVAL_PRE_CONFIGURE}"
LABEL resty_eval_post_download_pre_configure="${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}"
LABEL resty_eval_post_make="${RESTY_EVAL_POST_MAKE}"
LABEL resty_luajit_options="${RESTY_LUAJIT_OPTIONS}"
LABEL resty_pcre_options="${RESTY_PCRE_OPTIONS}"RUN DEBIAN_FRONTEND=noninteractive apt-get update \&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \build-essential \ca-certificates \curl \gettext-base \libgd-dev \libgeoip-dev \libncurses5-dev \libperl-dev \libreadline-dev \libxslt1-dev \make \perl \unzip \wget \zlib1g-dev \${RESTY_ADD_PACKAGE_BUILDDEPS} \${RESTY_ADD_PACKAGE_RUNDEPS} \&& cd /tmp \&& curl -fSL "${RESTY_OPENSSL_URL_BASE}/gmssl_openssl_${RESTY_OPENSSL_VERSION}.tar.gz" -o gmssl_openssl_${RESTY_OPENSSL_VERSION}.tar.gz \&& tar xzfm gmssl_openssl_${RESTY_OPENSSL_VERSION}.tar.gz -C /usr/local \&& ln -s /usr/local/gmssl /usr/local/openssl \&& cd /tmp \&& curl -fSL https://downloads.sourceforge.net/project/pcre/pcre/${RESTY_PCRE_VERSION}/pcre-${RESTY_PCRE_VERSION}.tar.gz -o pcre-${RESTY_PCRE_VERSION}.tar.gz \&& echo "${RESTY_PCRE_SHA256} pcre-${RESTY_PCRE_VERSION}.tar.gz" | shasum -a 256 --check \&& tar xzf pcre-${RESTY_PCRE_VERSION}.tar.gz \&& cd /tmp/pcre-${RESTY_PCRE_VERSION} \&& ./configure \--prefix=/usr/local/openresty/pcre \--disable-cpp \--enable-utf \--enable-unicode-properties \${RESTY_PCRE_BUILD_OPTIONS} \&& make -j${RESTY_J} \&& make -j${RESTY_J} install \&& cd /tmp \&& curl -fSL https://openresty.org/download/openresty-${RESTY_VERSION}.tar.gz -o openresty-${RESTY_VERSION}.tar.gz \&& tar xzf openresty-${RESTY_VERSION}.tar.gz \&& cd /tmp/openresty-${RESTY_VERSION} \&& sed -i 's/\$OPENSSL\/\.openssl\//\$OPENSSL\//g' ./bundle/nginx-1.21.4/auto/lib/openssl/conf \&& if [ -n "${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}" ]; then eval $(echo ${RESTY_EVAL_POST_DOWNLOAD_PRE_CONFIGURE}); fi \&& eval ./configure -j${RESTY_J} ${_RESTY_CONFIG_DEPS} ${RESTY_CONFIG_OPTIONS} ${RESTY_CONFIG_OPTIONS_MORE} ${RESTY_LUAJIT_OPTIONS} ${RESTY_PCRE_OPTIONS} \&& make -j${RESTY_J} \&& make -j${RESTY_J} install \&& cd /tmp \&& rm -rf \openssl-${RESTY_OPENSSL_VERSION}.tar.gz openssl-${RESTY_OPENSSL_VERSION} \pcre-${RESTY_PCRE_VERSION}.tar.gz pcre-${RESTY_PCRE_VERSION} \openresty-${RESTY_VERSION}.tar.gz openresty-${RESTY_VERSION} \&& curl -fSL https://luarocks.github.io/luarocks/releases/luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz -o luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz \&& tar xzf luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz \&& cd luarocks-${RESTY_LUAROCKS_VERSION} \&& ./configure \--prefix=/usr/local/openresty/luajit \--with-lua=/usr/local/openresty/luajit \--lua-suffix=jit-2.1.0-beta3 \--with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1 \&& make build \&& make install \&& cd /tmp \&& if [ -n "${RESTY_EVAL_POST_MAKE}" ]; then eval $(echo ${RESTY_EVAL_POST_MAKE}); fi \&& rm -rf luarocks-${RESTY_LUAROCKS_VERSION} luarocks-${RESTY_LUAROCKS_VERSION}.tar.gz \&& if [ -n "${RESTY_ADD_PACKAGE_BUILDDEPS}" ]; then DEBIAN_FRONTEND=noninteractive apt-get remove -y --purge ${RESTY_ADD_PACKAGE_BUILDDEPS} ; fi \&& DEBIAN_FRONTEND=noninteractive apt-get autoremove -y \&& mkdir -p /var/run/openresty \&& ln -sf /dev/stdout /usr/local/openresty/nginx/logs/access.log \&& ln -sf /dev/stderr /usr/local/openresty/nginx/logs/error.log# Add additional binaries into PATH for convenience
ENV PATH=$PATH:/usr/local/openresty/luajit/bin:/usr/local/openresty/nginx/sbin:/usr/local/openresty/bin# Add LuaRocks paths
# If OpenResty changes, these may need updating:
# /usr/local/openresty/bin/resty -e 'print(package.path)'
# /usr/local/openresty/bin/resty -e 'print(package.cpath)'
ENV LUA_PATH="/usr/local/openresty/site/lualib/?.ljbc;/usr/local/openresty/site/lualib/?/init.ljbc;/usr/local/openresty/lualib/?.ljbc;/usr/local/openresty/lualib/?/init.ljbc;/usr/local/openresty/site/lualib/?.lua;/usr/local/openresty/site/lualib/?/init.lua;/usr/local/openresty/lualib/?.lua;/usr/local/openresty/lualib/?/init.lua;./?.lua;/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua;/usr/local/openresty/luajit/share/lua/5.1/?.lua;/usr/local/openresty/luajit/share/lua/5.1/?/init.lua"ENV LUA_CPATH="/usr/local/openresty/site/lualib/?.so;/usr/local/openresty/lualib/?.so;./?.so;/usr/local/lib/lua/5.1/?.so;/usr/local/openresty/luajit/lib/lua/5.1/?.so;/usr/local/lib/lua/5.1/loadall.so;/usr/local/openresty/luajit/lib/lua/5.1/?.so"# Copy nginx configuration files
COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
COPY nginx.vh.default.conf /etc/nginx/conf.d/default.confCMD ["/usr/local/openresty/bin/openresty", "-g", "daemon off;"]# Use SIGQUIT instead of default SIGTERM to cleanly drain requests
# See https://github.com/openresty/docker-openresty/blob/master/README.md#tips--pitfalls
STOPSIGNAL SIGQUIT
修改源码:https://github.com/Anyexyz/gm-docker-openresty
编译成品:https://hub.docker.com/r/anyexyz/gm-docker-openrest
1Panel 应用重建
在 1Panel 中,打开 应用商店 ,找到已安装的 OpenResty,点击 参数 ,编辑 ,高级设置 ,将 image 更改为自己构建/拉取的镜像,例:
image: anyexyz/gm-docker-openresty:1.21.4.3-0-focal
确认,重建应用。
申请证书
我这里选用的 CerSign 证签 的免费 SSL 证书,点击在其官网申请90天证书:
https://www.cersign.com/free-ssl-certificate.html
根据提示进行操作,我们会得到一个证书压缩包和自己生成的密钥,保存备用。
部署证书
- 在 1Panel 网站中找到需要部署国密证书的网站,将证书和密钥上传到
网站目录中,点击配置-HTTPS,这里的 证书配置 只能选择非国密证书,在下方的SSL 协议设置中把TLS 1.3、1.2、1.2;SSL V3、V2打勾,将加密算法后面添加
:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECC-SM4-GCM-SM3:ECC-SM4-GCM-SM2
点击保存。
- 在
配置文件中,找到ssl_certificate、ssl_certificate_key所在的位置,复制后面原有的路径,这个是在 1Panel 中配置的非国密证书的路径,类别添加国密证书配置:
ssl_certificate /www/sites/<网站域名>/ssl/sm2_encrypt.crt;
ssl_certificate_key /www/sites/<网站域名>/ssl/sm2_encrypt.key;ssl_certificate /www/sites/<网站域名>/ssl/sm2_sign.crt;
ssl_certificate_key /www/sites/<网站域名>/ssl/sm2_sign.key;ssl_certificate /www/sites/<网站域名>/ssl/fullchain.pem;
ssl_certificate_key /www/sites/<网站域名>/ssl/privkey.pem;
保存并重载。
测试
使用 零信国密浏览器 访问:
如图,即为激活国密。
再次提醒
本教程中所使用的 openssl国密版 来自 GMSSL - 国密SSL实验室 ,免费版本每年年底失效,程序会自动退出,需更新库,重新链接。
请勿用于正式/生产环境!!!
请勿用于正式/生产环境!!!
请勿用于正式/生产环境!!!
如需用于生产用途,请从正常渠道购买国密证书并寻求相关单位的帮助。
![[AIGC] 利用 chatgpt 深入理解 Java 虚拟机(JVM)](https://img-blog.csdnimg.cn/direct/f65bcce204f74a059d2506c6f765429f.png)
