国密http3代理

1. 功能描述

NJet 现已支持 HTTP2 和 HTTP3 代理功能；使用 HTTP3 代理时，还支持使用国密双证书。

原有的国密 server 以及 proxy 配置请参考「国密支持」文档。

2. 指令说明

2.1 proxy_http_version

Syntax: proxy_http_version 2 | 3
Default:
Context: http,server,location

例如：proxy_http_version 2; 表示代理到后端 server 时使用 HTTP2 协议；

proxy_http_version 3; 表示代理到后端 server 时使用 HTTP3 协议。

2.2 proxy_ssl_conf_command

Syntax: proxy_ssl_conf_command name value（用于配置指定的密码套件）
Default:
Context: http,server,location

例如:proxy_ssl_conf_command Ciphersuites TLS_SM2ECDH_SM4_GCM_SM3;

当后端 server 使用国密双证书时，需配置该指令以指定国密算法套件。

3. 配置样例

njet.conf

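# Sample njet.conf for the HTTP2 / HTTP3 / NTLS proxy examples in this page.
# Front-end on port 5454 (plain HTTP) proxies to three TLS back-ends:
#   /proxy_http2 -> backend2 (5432, HTTP2 over TLS)
#   /proxy_http3 -> backend1 (5431, HTTP3 over QUIC)
#   /proxy_ntls  -> backend3 (5433, HTTP3 over QUIC, GM/NTLS dual certificates)
helper broker /etc/njet/modules/njt_helper_broker_module.so conf/mqtt.conf;
helper ctrl /etc/njet/modules/njt_helper_ctrl_module.so conf/ctrl.conf;

load_module /etc/njet/modules/njt_http_location_module.so;
load_module /etc/njet/modules/njt_http_dyn_server_module.so;

# NOTE(review): worker processes run as root in this sample. For anything
# beyond a local demo, run workers under an unprivileged account.
user  root root;
worker_processes  2;

cluster_name helper;
node_name node1;

error_log  logs/error.log info;
pid        logs/njet.pid;


events {
    worker_connections  1024;
}


http {

    dyn_kv_conf conf/iot-work.conf;
    include       mime.types;
    default_type  application/octet-stream;

    access_log  logs/access.log;

    sendfile        on;

    keepalive_timeout  65;

    # One upstream per back-end server defined further down.
    upstream backend1 {
        zone backend1 128k;
        server 127.0.0.1:5431;
    }

    upstream backend2 {
        zone backend2 128k;
        server 127.0.0.1:5432;
    }

    upstream backend3 {
        zone backend3 128k;
        server 127.0.0.1:5433;
    }

    # Front-end: plain HTTP in, TLS-protected HTTP2/HTTP3 out.
    # NOTE(review): none of the proxy locations set proxy_ssl_verify /
    # proxy_ssl_trusted_certificate, so the proxy presumably does not verify
    # the back-end server certificate; enable both for a real deployment.
    server {

        listen 5454;
        server_name localhost;

        # NOTE(review): backend1 requires a client certificate
        # (ssl_verify_client on) but this location sends none, so requests
        # to / are expected to fail the TLS handshake; the call examples
        # only use the three named locations below.
        location / {
            proxy_http_version 3;
            proxy_pass https://backend1;
        }

        # HTTP3 (QUIC) to backend1, presenting the RSA client certificate
        # that backend1's ssl_verify_client requires.
        location /proxy_http3 {
            proxy_ssl_certificate     certs/ca/RSA/rsa.client.cer.pem;
            proxy_ssl_certificate_key certs/ca/RSA/rsa.client.key.pem;
            proxy_http_version 3;
            proxy_pass https://backend1;
        }

        # HTTP2 over TLS to backend2, same RSA client certificate.
        location /proxy_http2 {
            proxy_ssl_certificate     certs/ca/RSA/rsa.client.cer.pem;
            proxy_ssl_certificate_key certs/ca/RSA/rsa.client.key.pem;
            proxy_http_version 2;
            proxy_pass https://backend2;
        }

        # HTTP3 to backend3 using the GM/NTLS dual certificate (sign + enc)
        # and the SM2/SM4/SM3 cipher suite the back-end expects.
        location /proxy_ntls {
            proxy_ssl_ntls on;
            proxy_ssl_conf_command Ciphersuites TLS_SM2ECDH_SM4_GCM_SM3;
            proxy_http_version 3;
            proxy_pass https://backend3;
            proxy_ssl_certificate certs/ca/NTLS/client_sign.crt certs/ca/NTLS/client_enc.crt;
            proxy_ssl_certificate_key certs/ca/NTLS/client_sign.key certs/ca/NTLS/client_enc.key;
        }

    }

    # backend1: HTTP3 over QUIC (UDP) plus a TLS listener on the same port.
    server {

        listen 5431 quic reuseport sndbuf=65535 rcvbuf=65535;
        listen 5431 ssl;

        server_name test.server.com;

        ssl_certificate      certs/ca/RSA/rsa.server.cer.pem;
        ssl_certificate_key    certs/ca/RSA/rsa.server.key.pem;

        # Mutual TLS: clients must present a certificate chaining to rootca.cer.
        ssl_verify_client   on;
        ssl_verify_depth    10;
        ssl_client_certificate certs/ca/RSA/rootca.cer;

        # TLSv1 / TLSv1.1 dropped: they are deprecated, the other back-ends in
        # this sample already allow only TLSv1.2+/TLSv1.3, and the QUIC
        # listener negotiates TLS 1.3 regardless.
        ssl_protocols TLSv1.2 TLSv1.3;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_prefer_server_ciphers  on;

        # Only this back-end sets charset/default_type, which is why the
        # /proxy_http3 example responds with text/html; charset=utf-8 while
        # the other two respond with application/octet-stream.
        location / {
            charset utf-8;
            default_type text/html;
            return 200 "5431 test http3 ok";
        }

    }

    # backend2: HTTP2 over TLS, mutual TLS against the RSA root CA.
    server {

        listen 5432 ssl;

        ssl_verify_client   on;
        ssl_verify_depth    10;
        ssl_client_certificate certs/ca/RSA/rootca.cer;

        http2 on;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_certificate     certs/ca/RSA/rsa.server.cer.pem;
        ssl_certificate_key certs/ca/RSA/rsa.server.key.pem;

        location / {
            return 200 "5432 test http2 ok";
        }

    }

    # backend3: HTTP3 over QUIC with GM/NTLS dual server certificates;
    # client certificates are checked against the NTLS CA.
    server {

        listen 5433 quic reuseport sndbuf=65535 rcvbuf=65535;
        listen 5433 ssl;

        ssl_verify_client   on;
        ssl_verify_depth    10;
        ssl_client_certificate certs/ca/NTLS/ca.crt;
        ssl_ntls on;
        http3 on;
        keepalive_requests 20000;
        keepalive_time     120;
        http3_max_concurrent_streams 1024;
        http3_stream_buffer_size 1024k;
        quic_gso on;
        ssl_protocols TLSv1.3;
        ssl_certificate certs/ca/NTLS/server_sign.crt certs/ca/NTLS/server_enc.crt;
        ssl_certificate_key certs/ca/NTLS/server_sign.key certs/ca/NTLS/server_enc.key;

        location / {
            return 200 "5433 test ntls http3 ok";
        }
    }

}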

4. 调用样例

4.1 代理使用HTTP2协议,后端开启HTTP2协议

发送

curl -v http://127.0.0.1:5454/proxy_http2

返回

*   Trying 127.0.0.1:5454...
* Connected to 127.0.0.1 (127.0.0.1) port 5454 (#0)
> GET /proxy_http2 HTTP/1.1
> Host: 127.0.0.1:5454
> User-Agent: curl/8.1.0-DEV
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: njet/3.0.1
< Date: Wed, 21 Aug 2024 09:57:12 GMT
< Content-Type: application/octet-stream
< Content-Length: 18
< Connection: keep-alive
< 
* Connection #0 to host 127.0.0.1 left intact
5432 test http2 ok

4.2 代理使用HTTP3协议,后端开启HTTP3协议

发送

curl -v http://127.0.0.1:5454/proxy_http3

返回

*   Trying 127.0.0.1:5454...
* Connected to 127.0.0.1 (127.0.0.1) port 5454 (#0)
> GET /proxy_http3 HTTP/1.1
> Host: 127.0.0.1:5454
> User-Agent: curl/8.1.0-DEV
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: njet/3.0.1
< Date: Wed, 21 Aug 2024 10:00:44 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 18
< Connection: keep-alive
< 
* Connection #0 to host 127.0.0.1 left intact
5431 test http3 ok

4.3 代理使用HTTP3协议,后端使用国密双证书

发送

curl -v http://127.0.0.1:5454/proxy_ntls

返回

curl -v http://127.0.0.1:5454/proxy_ntls
*   Trying 127.0.0.1:5454...
* Connected to 127.0.0.1 (127.0.0.1) port 5454 (#0)
> GET /proxy_ntls HTTP/1.1
> Host: 127.0.0.1:5454
> User-Agent: curl/8.1.0-DEV
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: njet/3.0.1
< Date: Wed, 21 Aug 2024 10:01:44 GMT
< Content-Type: application/octet-stream
< Content-Length: 23
< Connection: keep-alive
< 
* Connection #0 to host 127.0.0.1 left intact
5433 test ntls http3 ok