跳转至

了解 FIT2CLOUD 飞致云旗下开源产品

国密改造⚓︎

应相关单位要求,本文以沃通证书为例

配置 JumpServer

vi /opt/jumpserver/config/config.txt
...

# 使用国密算法
SECURITY_DATA_CRYPTO_ALGO=gm
./jmsctl.sh restart

配置 Nginx

docker pull wojiushixiaobai/wotrus_nginx:v1.20.2
docker tag wojiushixiaobai/wotrus_nginx:v1.20.2 jumpserver/wotrus_nginx:v1.20.2
docker rmi wojiushixiaobai/wotrus_nginx:v1.20.2
# 解压 ssl 证书
ll /opt/sslkey

总用量 24
-rw-r--r--. 1 root root 6281 12月  2 19:34 test.domain.localhost_bundle.crt
-rw-r--r--. 1 root root 1675 12月  2 19:34 test.domain.localhost_RSA.key
-rw-r--r--. 1 root root 3048 12月  2 19:11 test.domain.localhost_sm2_encrypt_bundle.crt
-rw-r--r--. 1 root root  227 12月  2 19:11 test.domain.localhost_SM2.key
-rw-r--r--. 1 root root 3048 12月  2 19:11 test.domain.localhost_sm2_sign_bundle.crt
# 配置 nginx
vi /opt/default.conf
server {
    listen 80;
    server_name test.domain.localhost;  # 自行修改成你的域名
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name test.domain.localhost;  # 自行修改成你的域名

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECC-SM4-SM3:ECDH:AESGCM:HIGH:MEDIUM:!RC4:!DH:!MD5:!aNULL:!eNULL;  # 算法
    ssl_verify_client off;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;

    # ssl_certificate sslkey/test.domain.localhost_bundle.crt;             # rsa 证书,过渡使用
    # ssl_certificate_key sslkey/test.domain.localhost_RSA.key;

    ssl_certificate sslkey/test.domain.localhost_sm2_sign_bundle.crt;      # 配置国密签名证书/私钥
    ssl_certificate_key sslkey/test.domain.localhost_SM2.key;

    ssl_certificate sslkey/test.domain.localhost_sm2_encrypt_bundle.crt;   # 配置国密加密证书/私钥
    ssl_certificate_key sslkey/test.domain.localhost_SM2.key;

    client_max_body_size 5000m;  # 上传文件大小限制

    location / {
        proxy_pass http://192.168.100.100;  # 后端 jumpserver 访问地址
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Forwarded-For $remote_addr;

        proxy_ignore_client_abort on;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 6000;
    }
}
# 启动容器
docker run --name nginx -d --restart=always \
  -p 80:80 -p 443:443 \
  -v /opt/sslkey:/etc/nginx/sslkey \
  -v /opt/default.conf:/etc/nginx/conf.d/default.conf \
  jumpserver/wotrus_nginx:v1.20.2

Back to top