JumpServer国密支持配置

1. 环境说明

HTTPS 国密证书配置在JumpServer前端的Nginx服务器，用户通过本地的国密支持的浏览器访问到Nginx服务器，此链路为国密HTTPS加密链路，Nginx服务器进行HTTPS解密，并将访问请求转发到后端的JumpServer服务器。

GMSSL提供一个国密版OpenSSL，支持Nginx，支持单向/双向认证，支持标准SSL/国密SSL自适应。
国密OpenSSL库基于OpenSSL实现，OpenSSL的许可协议是Apache License V2.0。

2.下载组件

Nginx： Nginx官网下载稳定版 https://nginx.org/download/nginx-1.20.2.tar.gz

Open SSL： GMSSL国密实验室 https://www.gmssl.cn/gmssl/Tool_Down?File=gmssl_openssl_1.1_b4.tar.gz

加密证书： 访问GMSSL - 国密SSL实验室申请，填写相关信息后，点击“提交”，便自动下载所有证书。

3.Nginx编译安装

1. 下载gmssl_openssl_1.1_b4.tar.gz到/root/下
2. 解压 tar -zxvf gmssl_openssl_1.1_b4.tar.gz -C /usr/local
3. 下载nginx-1.20.2.tar.gz到/root/下
4. 解压tar -zxvf nginx-1.20.2.tar.gz
5. 进入目录 cd /root/nginx-1.20.0
6. 编辑auto/lib/openssl/conf，将全部$OPENSSL/.openssl/修改为$OPENSSL/并保存
7. 编译配置

./configure \
--without-http_gzip_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_v2_module \
--with-file-aio \
--with-openssl="/usr/local/gmssl" \
--with-cc-opt="-I/usr/local/gmssl/include" \
--with-ld-opt="-lm"

8. 编译安装
   make && make install
9. /usr/local/nginx即为生成的nginx目录
   注：可能需要使用yum install pcre-devel gcc-c++ gcc需要安装pcre-devel、gcc

4.配置示例

国密单向

server
{
  listen 0.0.0.0:443 ssl;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
  ssl_verify_client off;

  ssl_certificate /usr/local/nginx/conf/demo1.sm2.sig.crt.pem;
  ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.sig.key.pem;

  ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.enc.key.pem;
  ssl_certificate /usr/local/nginx/conf/demo1.sm2.enc.crt.pem;

  location /
  {
      proxy_pass http://192.168.186.130; #192.168.186.130为jumpserver地址
      proxy_http_version 1.1;
      proxy_buffering off;
      proxy_request_buffering off;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $remote_addr;
  }
}

国密双向

server
{
  listen 0.0.0.0:443 ssl;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
  ssl_client_certificate /usr/local/nginx/conf/demo1.sm2.trust;
  ssl_verify_client on;

  ssl_certificate /usr/local/nginx/conf/demo1.sm2.sig.crt.pem;
  ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.sig.key.pem;

  ssl_certificate /usr/local/nginx/conf/demo1.sm2.enc.crt.pem;
  ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.enc.key.pem;

  location /
  {
      proxy_pass http://192.168.186.130;  #192.168.186.130为jumpserver地址
      proxy_http_version 1.1;
      proxy_buffering off;
      proxy_request_buffering off;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $remote_addr;
  }
}

国密/RSA单向自适应

server
{
  listen 0.0.0.0:443 ssl;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECC-SM4-CBC-SM3:ECDHE-SM4-GCM-SM3;
  ssl_verify_client off;

  ssl_certificate /usr/local/nginx/conf/demo1.rsa.crt.pem;
  ssl_certificate_key /usr/local/nginx/conf/demo1.rsa.key.pem;

  ssl_certificate /usr/local/nginx/conf/demo1.sm2.sig.crt.pem;
  ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.sig.key.pem;

  ssl_certificate /usr/local/nginx/conf/demo1.sm2.enc.crt.pem;
  ssl_certificate_key /usr/local/nginx/conf/demo1.sm2.enc.key.pem;

  location /
  {
      proxy_pass http://192.168.186.130;  #192.168.186.130为jumpserver地址
      proxy_http_version 1.1;
      proxy_buffering off;
      proxy_request_buffering off;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $remote_addr;
  }
}

5.访问验证

使用浏览器访问Nginx服务的URL —https://192.168.186.147

浏览器需支持国密SSL协议，如360安全浏览器、奇安信可信浏览器、密信浏览器；

以360安全浏览器为例，需在设置中打开“启用国密SSL协议支持”

点击证书显示：您与192.168.186.147之间连接采用国密加密套件进行了加密。则配置成功。

---

Jumpserver官方也更新了国密改造的方法：
参阅 https://docs.jumpserver.org/zh/master/admin-guide/gmssl/#_1