Move strong_ssl_ciphers to top level in harbor.yaml (#19914)
fixes #19912 Signed-off-by: stonezdj <stonezdj@gmail.com>
This commit is contained in:
parent
c5790ced14
commit
2b6608fb52
@ -16,6 +16,8 @@ https:
|
|||||||
# The path of cert and key files for nginx
|
# The path of cert and key files for nginx
|
||||||
certificate: /your/certificate/path
|
certificate: /your/certificate/path
|
||||||
private_key: /your/private/key/path
|
private_key: /your/private/key/path
|
||||||
|
# enable strong ssl ciphers (default: false)
|
||||||
|
# strong_ssl_ciphers: false
|
||||||
|
|
||||||
# # Harbor will set ipv4 enabled only by defualt if this block is not configured
|
# # Harbor will set ipv4 enabled only by defualt if this block is not configured
|
||||||
# # Otherwise, please uncomment this block to configure your own ip_family stacks
|
# # Otherwise, please uncomment this block to configure your own ip_family stacks
|
||||||
@ -33,8 +35,7 @@ https:
|
|||||||
# enabled: true
|
# enabled: true
|
||||||
# # put your cert and key files on dir
|
# # put your cert and key files on dir
|
||||||
# dir: /etc/harbor/tls/internal
|
# dir: /etc/harbor/tls/internal
|
||||||
# # enable strong ssl ciphers (default: false)
|
|
||||||
# strong_ssl_ciphers: false
|
|
||||||
|
|
||||||
# Uncomment external_url if you want to enable external proxy
|
# Uncomment external_url if you want to enable external proxy
|
||||||
# And when it enabled the hostname will no longer used
|
# And when it enabled the hostname will no longer used
|
||||||
|
@ -23,6 +23,12 @@ https:
|
|||||||
# The path of cert and key files for nginx
|
# The path of cert and key files for nginx
|
||||||
certificate: {{ https.certificate }}
|
certificate: {{ https.certificate }}
|
||||||
private_key: {{ https.private_key }}
|
private_key: {{ https.private_key }}
|
||||||
|
# enable strong ssl ciphers (default: false)
|
||||||
|
{% if strong_ssl_ciphers is defined %}
|
||||||
|
strong_ssl_ciphers: {{ strong_ssl_ciphers | lower }}
|
||||||
|
{% else %}
|
||||||
|
strong_ssl_ciphers: false
|
||||||
|
{% endif %}
|
||||||
{% else %}
|
{% else %}
|
||||||
# https related config
|
# https related config
|
||||||
# https:
|
# https:
|
||||||
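Review bot: The `{% if strong_ssl_ciphers is defined %}` guard does not exclude `None`, yet the migration's read_conf (hunk at `@ -27,6 +27,12 @@ def read_conf`) unconditionally sets `d['strong_ssl_ciphers']` to the `or` of two `.get()` calls, which is `None` when neither section had the key. If the template is rendered with that dict's keys as variables, the value counts as defined, `{{ None | lower }}` renders the string `none`, and the migrated file carries `strong_ssl_ciphers: none` — a non-empty YAML string that the later `https_config.get('strong_ssl_ciphers') or ...` lookup treats as truthy, switching the cipher list the operator never enabled. Guard on the value rather than on definedness, `{% if strong_ssl_ciphers is defined and strong_ssl_ciphers is not none %}`, or normalise in read_conf with `d['strong_ssl_ciphers'] = bool(https_config.get('strong_ssl_ciphers') or internal_tls.get('strong_ssl_ciphers'))`. The conditional block enclosing these lines starts outside the hunk.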
@ -31,6 +37,8 @@ https:
|
|||||||
# # The path of cert and key files for nginx
|
# # The path of cert and key files for nginx
|
||||||
# certificate: /your/certificate/path
|
# certificate: /your/certificate/path
|
||||||
# private_key: /your/private/key/path
|
# private_key: /your/private/key/path
|
||||||
|
# enable strong ssl ciphers (default: false)
|
||||||
|
# strong_ssl_ciphers: false
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if internal_tls is defined %}
|
{% if internal_tls is defined %}
|
||||||
@ -38,13 +46,9 @@ https:
|
|||||||
internal_tls:
|
internal_tls:
|
||||||
# set enabled to true means internal tls is enabled
|
# set enabled to true means internal tls is enabled
|
||||||
enabled: {{ internal_tls.enabled | lower }}
|
enabled: {{ internal_tls.enabled | lower }}
|
||||||
|
{% if internal_tls.dir is defined %}
|
||||||
# put your cert and key files on dir
|
# put your cert and key files on dir
|
||||||
dir: {{ internal_tls.dir }}
|
dir: {{ internal_tls.dir }}
|
||||||
# enable strong ssl ciphers (default: false)
|
|
||||||
{% if internal_tls.strong_ssl_ciphers is defined %}
|
|
||||||
strong_ssl_ciphers: {{ internal_tls.strong_ssl_ciphers | lower }}
|
|
||||||
{% else %}
|
|
||||||
strong_ssl_ciphers: false
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% else %}
|
{% else %}
|
||||||
# internal_tls:
|
# internal_tls:
|
||||||
@ -52,8 +56,6 @@ internal_tls:
|
|||||||
# enabled: true
|
# enabled: true
|
||||||
# # put your cert and key files on dir
|
# # put your cert and key files on dir
|
||||||
# dir: /etc/harbor/tls/internal
|
# dir: /etc/harbor/tls/internal
|
||||||
# # enable strong ssl ciphers (default: false)
|
|
||||||
# strong_ssl_ciphers: false
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# Uncomment external_url if you want to enable external proxy
|
# Uncomment external_url if you want to enable external proxy
|
||||||
|
@ -64,7 +64,7 @@ http {
|
|||||||
|
|
||||||
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
{% if internal_tls.strong_ssl_ciphers %}
|
{% if strong_ssl_ciphers %}
|
||||||
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
|
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
|
||||||
{% else %}
|
{% else %}
|
||||||
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
||||||
|
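Review bot: `{% if strong_ssl_ciphers %}` now reads a top-level template variable instead of `internal_tls.strong_ssl_ciphers`, so a render call that does not pass the new keyword falls through to the legacy `ssl_ciphers` list without any error under Jinja's default `Undefined`; the hunk at `@ -28,7 +28,7 @@ http {` has the same shape. The commit updates render_nginx_template and prepare_portal, but any other caller or template rendered from the same config that is not visible here would need the keyword too, and this fail-open default is easy to miss in review. Unless the renderer already uses `StrictUndefined`, a comment at the condition would help the next maintainer: `{# strong_ssl_ciphers must be passed by every caller; an undefined value silently selects the legacy cipher list #}`.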
@ -28,7 +28,7 @@ http {
|
|||||||
ssl_certificate_key /etc/harbor/tls/portal.key;
|
ssl_certificate_key /etc/harbor/tls/portal.key;
|
||||||
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
{% if internal_tls.strong_ssl_ciphers %}
|
{% if strong_ssl_ciphers %}
|
||||||
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
|
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
|
||||||
{% else %}
|
{% else %}
|
||||||
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
||||||
|
@ -299,6 +299,14 @@ def parse_yaml_config(config_file_path, with_trivy):
|
|||||||
external_database=config_dict['external_database'])
|
external_database=config_dict['external_database'])
|
||||||
else:
|
else:
|
||||||
config_dict['internal_tls'] = InternalTLS()
|
config_dict['internal_tls'] = InternalTLS()
|
||||||
|
# the configure item apply to internal and external tls communication
|
||||||
|
# for compatibility, user could configure the strong_ssl_ciphers either in https section or under internal_tls section,
|
||||||
|
# but it is more reasonable to configure it in https_config
|
||||||
|
if https_config:
|
||||||
|
config_dict['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers') or internal_tls_config.get('strong_ssl_ciphers')
|
||||||
|
else:
|
||||||
|
config_dict['strong_ssl_ciphers'] = False
|
||||||
|
|
||||||
|
|
||||||
# ip_family config
|
# ip_family config
|
||||||
config_dict['ip_family'] = configs.get('ip_family') or {'ipv4': {'enabled': True}, 'ipv6': {'enabled': False}}
|
config_dict['ip_family'] = configs.get('ip_family') or {'ipv4': {'enabled': True}, 'ipv6': {'enabled': False}}
|
||||||
|
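Review bot: The new `else:` branch forces `config_dict['strong_ssl_ciphers'] = False` whenever the `https` section is absent, so a deployment that enabled `internal_tls` with `strong_ssl_ciphers: true` while serving only plain HTTP externally loses the setting and its internal listeners fall back to the weaker default cipher list, contradicting the comment just above that either location is accepted. The migration template hunk at `@ -23,6 +23,12 @@ https:` appears to have the same gap, since it only emits the key inside the https block. Reading both sources regardless of https, and normalising the result to a bool so the template variable is never `None`, closes it: `https_config = https_config or {}` followed by `config_dict['strong_ssl_ciphers'] = bool(https_config.get('strong_ssl_ciphers') or internal_tls_config.get('strong_ssl_ciphers'))`. This assumes `internal_tls_config` is already bound to a dict earlier in parse_yaml_config, whose body starts and ends outside the hunk.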
@ -27,6 +27,12 @@ def read_conf(path):
|
|||||||
with open(path) as f:
|
with open(path) as f:
|
||||||
try:
|
try:
|
||||||
d = yaml.safe_load(f)
|
d = yaml.safe_load(f)
|
||||||
|
# the strong_ssl_ciphers configure item apply to internal and external tls communication
|
||||||
|
# for compatibility, user could configure the strong_ssl_ciphers either in https section or under internal_tls section,
|
||||||
|
# but it will move to https section after migration
|
||||||
|
https_config = d.get("https") or {}
|
||||||
|
internal_tls = d.get('internal_tls') or {}
|
||||||
|
d['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers') or internal_tls.get('strong_ssl_ciphers')
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
click.echo("parse config file err, make sure your harbor config version is above 1.8.0", e)
|
click.echo("parse config file err, make sure your harbor config version is above 1.8.0", e)
|
||||||
exit(-1)
|
exit(-1)
|
||||||
|
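Review bot: The three added statements sit inside the `try:` that previously wrapped only `yaml.safe_load`, so an `AttributeError` from `d.get` (an empty file makes `d` `None`) or from a scalar `https:` value is now reported as "make sure your harbor config version is above 1.8.0" and exits, which misdirects the operator away from the real problem. Keep the try body to the parse and move the derivation into an `else:` clause after the `except`, with `https_config = d.get("https") or {}`, `internal_tls = d.get('internal_tls') or {}` and the assignment, or check `d` explicitly before using it. read_conf continues beyond the hunk.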
@ -64,6 +64,7 @@ def render_nginx_template(config_dict):
|
|||||||
ssl_cert_key=SSL_CERT_KEY_PATH,
|
ssl_cert_key=SSL_CERT_KEY_PATH,
|
||||||
internal_tls=config_dict['internal_tls'],
|
internal_tls=config_dict['internal_tls'],
|
||||||
metric=config_dict['metric'],
|
metric=config_dict['metric'],
|
||||||
|
strong_ssl_ciphers=config_dict['strong_ssl_ciphers'],
|
||||||
ip_family=config_dict['ip_family'])
|
ip_family=config_dict['ip_family'])
|
||||||
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
|
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
|
||||||
|
|
||||||
|
@ -16,4 +16,6 @@ def prepare_portal(config_dict):
|
|||||||
internal_tls=config_dict['internal_tls'],
|
internal_tls=config_dict['internal_tls'],
|
||||||
ip_family=config_dict['ip_family'],
|
ip_family=config_dict['ip_family'],
|
||||||
uid=DEFAULT_UID,
|
uid=DEFAULT_UID,
|
||||||
gid=DEFAULT_GID)
|
gid=DEFAULT_GID,
|
||||||
|
strong_ssl_ciphers=config_dict['strong_ssl_ciphers']
|
||||||
|
)
|
||||||
|