From 2b6608fb52cf7b44f48ef792078635bce46256e8 Mon Sep 17 00:00:00 2001 From: "stonezdj(Daojun Zhang)" Date: Mon, 26 Feb 2024 13:08:35 +0800 Subject: [PATCH] Move strong_ssl_ciphers to top level in harbor.yaml (#19914) fixes #19912 Signed-off-by: stonezdj --- make/harbor.yml.tmpl | 5 +++-- .../migrations/version_2_10_0/harbor.yml.jinja | 16 +++++++++------- .../templates/nginx/nginx.https.conf.jinja | 2 +- .../prepare/templates/portal/nginx.conf.jinja | 2 +- make/photon/prepare/utils/configs.py | 10 +++++++++- make/photon/prepare/utils/migration.py | 6 ++++++ make/photon/prepare/utils/nginx.py | 1 + make/photon/prepare/utils/portal.py | 4 +++- 8 files changed, 33 insertions(+), 13 deletions(-) diff --git a/make/harbor.yml.tmpl b/make/harbor.yml.tmpl index d60c1fadd..8c5abe071 100644 --- a/make/harbor.yml.tmpl +++ b/make/harbor.yml.tmpl @@ -16,6 +16,8 @@ https: # The path of cert and key files for nginx certificate: /your/certificate/path private_key: /your/private/key/path + # enable strong ssl ciphers (default: false) + # strong_ssl_ciphers: false # # Harbor will set ipv4 enabled only by defualt if this block is not configured # # Otherwise, please uncomment this block to configure your own ip_family stacks @@ -33,8 +35,7 @@ https: # enabled: true # # put your cert and key files on dir # dir: /etc/harbor/tls/internal -# # enable strong ssl ciphers (default: false) -# strong_ssl_ciphers: false + # Uncomment external_url if you want to enable external proxy # And when it enabled the hostname will no longer used diff --git a/make/photon/prepare/migrations/version_2_10_0/harbor.yml.jinja b/make/photon/prepare/migrations/version_2_10_0/harbor.yml.jinja index 44a46968f..a6e07e915 100644 --- a/make/photon/prepare/migrations/version_2_10_0/harbor.yml.jinja +++ b/make/photon/prepare/migrations/version_2_10_0/harbor.yml.jinja 
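Review bot: The new comment `# enable strong ssl ciphers (default: false)` under `https:` does not tell the operator that this one switch now also governs the internal TLS endpoints; the second hunk drops the option from `internal_tls`, and the configs.py change in this commit reads a single value for both, so someone hardening only the public listener will not expect the portal and internal nginx configs to change as well. Suggest `# enable strong ssl ciphers for the external and internal TLS endpoints (default: false)` and a one-line pointer in the `internal_tls` block, `# strong_ssl_ciphers is configured in the https section above`, so users of older files know where the setting went.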
@@ -23,6 +23,12 @@ https: # The path of cert and key files for nginx certificate: {{ https.certificate }} private_key: {{ https.private_key }} + # enable strong ssl ciphers (default: false) + {% if strong_ssl_ciphers is defined %} + strong_ssl_ciphers: {{ strong_ssl_ciphers | lower }} + {% else %} + strong_ssl_ciphers: false + {% endif %} {% else %} # https related config # https: @@ -31,6 +37,8 @@ https: # # The path of cert and key files for nginx # certificate: /your/certificate/path # private_key: /your/private/key/path +# enable strong ssl ciphers (default: false) +# strong_ssl_ciphers: false {% endif %} {% if internal_tls is defined %} @@ -38,13 +46,9 @@ https: internal_tls: # set enabled to true means internal tls is enabled enabled: {{ internal_tls.enabled | lower }} + {% if internal_tls.dir is defined %} # put your cert and key files on dir dir: {{ internal_tls.dir }} - # enable strong ssl ciphers (default: false) - {% if internal_tls.strong_ssl_ciphers is defined %} - strong_ssl_ciphers: {{ internal_tls.strong_ssl_ciphers | lower }} - {% else %} - strong_ssl_ciphers: false {% endif %} {% else %} # internal_tls: @@ -52,8 +56,6 @@ internal_tls: # enabled: true # # put your cert and key files on dir # dir: /etc/harbor/tls/internal -# # enable strong ssl ciphers (default: false) -# strong_ssl_ciphers: false {% endif %} # Uncomment external_url if you want to enable external proxy diff --git a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja index a5d0d8037..6fa2bae78 100644 --- a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja +++ b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja 
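Review bot: `{% if strong_ssl_ciphers is defined %}` is true even when neither section set the option, because the migration.py hunk in this commit always assigns `d['strong_ssl_ciphers']`, leaving it `None` in that case; `{{ None | lower }}` renders the literal `none`, which PyYAML reads back as the string "none", and a non-empty string is truthy in the `{% if strong_ssl_ciphers %}` test the nginx and portal templates now use, so a migrated file that never mentioned the option would silently switch to the strong cipher list (assuming the template is rendered with the keys of `d` as variables, which is outside this hunk). Either coerce at the source in migration.py, `d['strong_ssl_ciphers'] = bool(https_config.get('strong_ssl_ciphers') or internal_tls.get('strong_ssl_ciphers'))`, or test the value here, `{% if strong_ssl_ciphers is defined and strong_ssl_ciphers is not none %}`. The same `or` chain lets an explicit `strong_ssl_ciphers: false` under `https` be overridden by `true` under `internal_tls`, the opposite of the precedence the comments describe.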
@@ -64,7 +64,7 @@ http { # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1.2 TLSv1.3; -{% if internal_tls.strong_ssl_ciphers %} +{% if strong_ssl_ciphers %} ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; {% else %} ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; diff --git a/make/photon/prepare/templates/portal/nginx.conf.jinja b/make/photon/prepare/templates/portal/nginx.conf.jinja index 3f17e7176..85a68a094 100644 --- a/make/photon/prepare/templates/portal/nginx.conf.jinja +++ b/make/photon/prepare/templates/portal/nginx.conf.jinja @@ -28,7 +28,7 @@ http { ssl_certificate_key /etc/harbor/tls/portal.key; ssl_protocols TLSv1.2 TLSv1.3; - {% if internal_tls.strong_ssl_ciphers %} + {% if strong_ssl_ciphers %} ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; {% else %} ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; diff --git a/make/photon/prepare/utils/configs.py b/make/photon/prepare/utils/configs.py index a2ecc31af..3a1266215 100644 --- a/make/photon/prepare/utils/configs.py +++ b/make/photon/prepare/utils/configs.py @@ -299,7 +299,15 @@ def parse_yaml_config(config_file_path, with_trivy): external_database=config_dict['external_database']) else: config_dict['internal_tls'] = InternalTLS() - + # the configure item apply to internal and external tls communication + # for compatibility, user could configure the strong_ssl_ciphers either in https section or under internal_tls section, + # but it is more reasonable to configure it in https_config + if https_config: + config_dict['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers') or internal_tls_config.get('strong_ssl_ciphers') + else: + config_dict['strong_ssl_ciphers'] = False + + # ip_family config config_dict['ip_family'] = configs.get('ip_family') or {'ipv4': {'enabled': True}, 'ipv6': {'enabled': False}} 
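Review bot: The `else` branch sets `config_dict['strong_ssl_ciphers'] = False` whenever the `https` section is absent, which discards an existing `internal_tls.strong_ssl_ciphers: true`; before this commit the nginx and portal templates read `internal_tls.strong_ssl_ciphers` directly, so an internal-TLS-only deployment that had hardened its ciphers is silently downgraded to the default list after upgrading. A single assignment such as `config_dict['strong_ssl_ciphers'] = bool((https_config or {}).get('strong_ssl_ciphers') or internal_tls_config.get('strong_ssl_ciphers'))` covers both cases and normalises the value to a bool, so a stray string value cannot be truthy by accident (this assumes `internal_tls_config` is a dict in the no-internal-tls case too; it is defined outside the hunk). The `or` also lets `internal_tls` override an explicit `false` under `https`, although the new comment says `https` is the preferred place; if `https` should win, check `'strong_ssl_ciphers' in https_config` first. parse_yaml_config continues past the end of this hunk.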
diff --git a/make/photon/prepare/utils/migration.py b/make/photon/prepare/utils/migration.py index 1389bae45..a29b1b9df 100644 --- a/make/photon/prepare/utils/migration.py +++ b/make/photon/prepare/utils/migration.py @@ -27,6 +27,12 @@ def read_conf(path): with open(path) as f: try: d = yaml.safe_load(f) + # the strong_ssl_ciphers configure item apply to internal and external tls communication + # for compatibility, user could configure the strong_ssl_ciphers either in https section or under internal_tls section, + # but it will move to https section after migration + https_config = d.get("https") or {} + internal_tls = d.get('internal_tls') or {} + d['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers') or internal_tls.get('strong_ssl_ciphers') except Exception as e: click.echo("parse config file err, make sure your harbor config version is above 1.8.0", e) exit(-1) diff --git a/make/photon/prepare/utils/nginx.py b/make/photon/prepare/utils/nginx.py index 0b1ffb8a4..2872bafbe 100644 --- a/make/photon/prepare/utils/nginx.py +++ b/make/photon/prepare/utils/nginx.py @@ -64,6 +64,7 @@ def render_nginx_template(config_dict): ssl_cert_key=SSL_CERT_KEY_PATH, internal_tls=config_dict['internal_tls'], metric=config_dict['metric'], + strong_ssl_ciphers=config_dict['strong_ssl_ciphers'], ip_family=config_dict['ip_family']) location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS diff --git a/make/photon/prepare/utils/portal.py b/make/photon/prepare/utils/portal.py index d41de1264..9211a5df7 100644 --- a/make/photon/prepare/utils/portal.py +++ b/make/photon/prepare/utils/portal.py @@ -16,4 +16,6 @@ def prepare_portal(config_dict): internal_tls=config_dict['internal_tls'], ip_family=config_dict['ip_family'], uid=DEFAULT_UID, - gid=DEFAULT_GID) + gid=DEFAULT_GID, + strong_ssl_ciphers=config_dict['strong_ssl_ciphers'] + )
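Review bot: The new `https_config`/`internal_tls` derivation in read_conf runs inside the `try` whose `except Exception` prints "parse config file err, make sure your harbor config version is above 1.8.0" and exits, so a file that parses fine but has a non-mapping value for `https:` or `internal_tls:` (for example a scalar left over from an edit) would fail on `.get` and be misreported as a version or parse problem. Moving the three lines after the `except` block, once `d` is known to be a valid mapping, keeps the error message truthful; read_conf continues beyond this hunk. The comment `# the strong_ssl_ciphers configure item apply to internal and external tls communication` reads better as `# strong_ssl_ciphers applies to both external and internal TLS; accept it from either section and move it to https`.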