Skip to content

Use Guomi Gateway to proxy DCE 5.0

Follow the steps below to configure the National Secret Gateway for DCE 5.0.

Software Introduction

Tengine: Tengine is a web server project initiated by taobao.com. Based on Nginx, it adds many advanced features and features for the needs of high-traffic websites.

Tongsuo: Formerly known as BabaSSL, Tongsuo is an open-source cryptographic library that offers a range of modern cryptographic algorithms and secure communication protocols. It is designed to support a variety of use cases, including storage, network security, key management, and privacy computing. By providing foundational cryptographic capabilities, Tongsuo ensures the privacy, integrity, and authenticity of data during transmission, storage, and usage. It also enhances security throughout the data lifecycle, offering robust privacy protection and security features.

Preparation

A Linux host with Docker installed and internet access.

Compile and install Tengine & Tongsuo

Note

This configuration is for reference only.

FROM docker.m.daocloud.io/debian:11.3

# Version
ENV TENGINE_VERSION="2.3.4" \
     TONGSUO_VERSION="8.3.2"

# Install required system packages and dependencies
RUN apt update && \
     apt -y install \
     wget \
     gcc \
     make \
     libpcre3 \
     libpcre3-dev \
     zlib1g-dev \
     perl \
     && apt clean

#Build tengine
RUN mkdir -p /tmp/pkg/cache/ && cd /tmp/pkg/cache/ \
     && wget https://github.com/alibaba/tengine/archive/refs/tags/${TENGINE_VERSION}.tar.gz -O tengine-${TENGINE_VERSION}.tar.gz \
     && tar zxvf tengine-${TENGINE_VERSION}.tar.gz\
     && wget https://github.com/Tongsuo-Project/Tongsuo/archive/refs/tags/${TONGSUO_VERSION}.tar.gz -O Tongsuo-${TONGSUO_VERSION}.tar.gz \
     && tar zxvf Tongsuo-${TONGSUO_VERSION}.tar.gz \
     && cd tengine-${TENGINE_VERSION} \
     && ./configure \
         --add-module=modules/ngx_openssl_ntls \
         --with-openssl=/tmp/pkg/cache/Tongsuo-${TONGSUO_VERSION} \
         --with-openssl-opt="--strict-warnings enable-ntls" \
         --with-http_ssl_module --with-stream \
         --with-stream_ssl_module --with-stream_sni \
     && make \
     && make install \
     && ln -s /usr/local/nginx/sbin/nginx /usr/sbin/ \
     && rm -rf /tmp/pkg/cache

EXPOSE 80 443
STOP SIGNAL SIGTERM
CMD ["nginx", "-g", "daemon off;"]

docker build -t tengine:0.0.1 .

Generate SSL certificates

Generate SM2 and RSA certificates for SSL.

Note

This certificate is only applicable to the test environment.

You can refer to the official documentation of Yuque to use Tongsuo to generate SSL certificates, or visit the GM SSL Lab to apply for SM2 certificates.

SM2 Credentials

-rw-r--r-- 1 root root 749 Dec 8 02:59 sm2.*.io.enc.crt.pem
-rw-r--r-- 1 root root 258 Dec 8 02:59 sm2.*.io.enc.key.pem
-rw-r--r-- 1 root root 749 Dec 8 02:59 sm2.*.io.sig.crt.pem
-rw-r--r-- 1 root root 258 Dec 8 02:59 sm2.*.io.sig.key.pem

RSA certificate (optional)

-rw-r--r-- 1 root root 216 Dec 8 03:21 rsa.*.io
-rw-r--r-- 1 root root 4096 Dec 8 02:59 sm2.*.io

Configure SSL certificate for nginx

Both SM2 and RSA certificates are supported. The advantage of dual certificates is: when the browser does not support the national secret certificate, it will automatically switch to the RSA certificate.

For more detailed configuration, refer to Yuque Official Documentation.

# Enter the nginx configuration file storage directory
cd /usr/local/nginx/conf

# Create a cert folder for storing SSL certificates
mkdir cert

# Copy the SM2 and RSA (optional) certificates to `/usr/local/nginx/conf/cert` directory
cp sm2.*.enc.crt.pem sm2.*.io.enc.key.pem sm2.*.sig.crt.pem sm2.*.sig.key.pem /usr/local/nginx/conf/cert
cp rsa.*.crt.pem rsa.*.key.pem /usr/local/nginx/conf/cert

# Edit nginx.conf configuration
vim nginx.conf
...
server {
   listen 443 ssl;
   proxy_http_version 1.1;
   # Enable the national secret function
   enable_ntls on;

   # International RSA certificate (optional)
   ssl_certificate /usr/local/nginx/conf/cert/rsa.demo-dev.daocloud.io.crt.pem;
   ssl_certificate_key /usr/local/nginx/conf/cert/rsa.demo-dev.daocloud.io.key.pem;

   # National secret signature certificate
   ssl_sign_certificate /usr/local/nginx/conf/cert/sm2.demo-dev.daocloud.io.sig.crt.pem;
   ssl_sign_certificate_key /usr/local/nginx/conf/cert/sm2.demo-dev.daocloud.io.sig.key.pem;
   # National encryption certificate
   ssl_enc_certificate /usr/local/nginx/conf/cert/sm2.demo-dev.daocloud.io.enc.crt.pem;
   ssl_enc_certificate_key /usr/local/nginx/conf/cert/sm2.demo-dev.daocloud.io.enc.key.pem;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

   location / {
     proxy_set_header Host $http_host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header REMOTE-HOST $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass https://istio-ingressgateway.istio-system.svc.cluster.local;
   }
}

Reload nginx to make the configuration take effect

nginx -s reload

Next step

After the successful deployment of the National Secret Gateway, custom DCE 5.0 reverse proxy server address.

Comments