Nginx-gost
Instructions for configuring nginx to serve pages over TLS with GOST-2012 cryptography.
1. Installing nginx:
# apt-get install nginx
2. Configuring OpenSSL
- Covered in detail in the article GOST in OpenSSL.
3. Creating the keys
- Create a private key with a GOST algorithm:
$ openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out gost.example.com.key
- Create a certificate signing request:
$ openssl req -new -md_gost12_256 -key gost.example.com.key -out gost.example.com.csr -subj "/C=RU/L=Moscow/O=My site with GOST/CN=gost.example.com"
- Have the request signed by a CA, or sign the certificate request yourself with your own "self-signed" CA certificate ca.cer and key ca.key (see GOST in OpenSSL):
$ openssl x509 -req -in gost.example.com.csr -CA ca.cer -CAkey ca.key -CAcreateserial -out gost.example.com.cer -days 5000
4. Create the directory /etc/nginx/ssl and copy the files gost.example.com.cer and gost.example.com.key into it:
# mkdir /etc/nginx/ssl
# cp /home/user/gost.example.com.cer /etc/nginx/ssl/
# cp /home/user/gost.example.com.key /etc/nginx/ssl/
5. Create the configuration file /etc/nginx/sites-available.d/gost.conf:
server {
    server_name gost.example.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/gost.example.com.cer;
    ssl_certificate_key /etc/nginx/ssl/gost.example.com.key;
    ssl_ciphers GOST2012-GOST8912-GOST8912:HIGH:MEDIUM;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://gost.example.com;
    }
}
Note: the example uses the server name gost.example.com. Substitute the name of your own server.
6. Enable the configuration:
# ln -s ../sites-available.d/default.conf /etc/nginx/sites-enabled.d/default.conf
# ln -s ../sites-available.d/gost.conf /etc/nginx/sites-enabled.d/gost.conf
7. Start nginx:
# systemctl start nginx
8. Check the connection:
$ openssl s_client -connect gost.example.com:443
CONNECTED(00000003)
depth=0 C = RU, L = Moscow, O = My site with GOST, CN = gost.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = RU, L = Moscow, O = My site with GOST, CN = gost.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:C = RU, L = Moscow, O = My site with GOST, CN = gost.example.com
i:emailAddress = support@cryptopro.ru, C = RU, L = Moscow, O = CRYPTO-PRO LLC, CN = CRYPTO-PRO Test Center 2
---
Server certificate
subject=C = RU, L = Moscow, O = My site with GOST, CN = gost.example.com
issuer=emailAddress = support@cryptopro.ru, C = RU, L = Moscow, O = CRYPTO-PRO LLC, CN = CRYPTO-PRO Test Center 2
---
No client certificate CA names sent
---
SSL handshake has read 1160 bytes and written 543 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : GOST2012-GOST8912-GOST8912
...
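As an added check for step 8 (example code, not part of the original instructions): a POSIX shell script that reads an openssl s_client transcript and confirms that a GOST-2012 suite was negotiated over TLS 1.2 or newer and that the certificate chain actually verified, which the run above did not because the CA was not supplied. The embedded transcript is constructed from the page's own output; the -CAfile ca.cer invocation and the "Verify return code" / "Verification: OK" lines are assumed to be standard OpenSSL 1.1 s_client output.

```sh
#!/bin/sh
# Added example, not from the original page: sanity-check an `openssl s_client`
# transcript of the GOST server configured above. Real use (assumed invocation):
#   openssl s_client -connect gost.example.com:443 -CAfile ca.cer </dev/null >out.txt
#   check_gost_handshake out.txt

negotiated_cipher()   { sed -n 's/^ *Cipher *: *//p'   "$1" | head -n 1; }
negotiated_protocol() { sed -n 's/^ *Protocol *: *//p' "$1" | head -n 1; }

# Chain validation succeeded only if s_client reports verify return code 0.
chain_verified() { grep -q '^ *Verify return code: 0 (ok)' "$1"; }

check_gost_handshake() {
  rc=0
  case "$(negotiated_cipher "$1")" in
    GOST2012-*) ;;                      # a GOST R 34.10-2012 suite was negotiated
    *) echo "FAIL: non-GOST-2012 cipher: $(negotiated_cipher "$1")"; rc=1 ;;
  esac
  case "$(negotiated_protocol "$1")" in
    TLSv1.2|TLSv1.3) ;;                 # TLS 1.0/1.1 are deprecated (RFC 8996)
    *) echo "FAIL: protocol below TLS 1.2 negotiated"; rc=1 ;;
  esac
  chain_verified "$1" || { echo "FAIL: chain not verified (pass the CA with -CAfile)"; rc=1; }
  return $rc
}

# Constructed transcript: the page's run, in which no CA was supplied.
PAGE_RUN=$(mktemp)
cat >"$PAGE_RUN" <<'EOF'
CONNECTED(00000003)
depth=0 C = RU, L = Moscow, O = My site with GOST, CN = gost.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
SSL handshake has read 1160 bytes and written 543 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : GOST2012-GOST8912-GOST8912
    Verify return code: 21 (unable to verify the first certificate)
EOF

# Constructed transcript of the same server re-checked with -CAfile ca.cer.
CA_RUN=$(mktemp)
sed -e 's/^Verification error: .*/Verification: OK/' \
    -e 's/^\( *Verify return code:\).*/\1 0 (ok)/' \
    -e '/^verify error/d' "$PAGE_RUN" >"$CA_RUN"

check_gost_handshake "$PAGE_RUN" || echo "page run: chain not trusted, as in the output above"
check_gost_handshake "$CA_RUN" && echo "CA run: GOST-2012 over TLS 1.2 with a verified chain"
```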
Tip: to work with such a server you can use elinks or chromium-gost: