Expose ssl_protocols from nginx configuration in harbor.yml

Signed-off-by: malmor <62105800+malmor@users.noreply.github.com>
malmor 2024-06-20 08:50:09 +02:00
parent 02b3561fff
commit 2ee5dc62f9
6 changed files with 19 additions and 2 deletions


@ -16,6 +16,8 @@ https:
# The path of cert and key files for nginx # The path of cert and key files for nginx
certificate: /your/certificate/path certificate: /your/certificate/path
private_key: /your/private/key/path private_key: /your/private/key/path
# configure ssl protocols (default: TLSv1.2 TLSv1.3)
# ssl_protocols: TLSv1.2 TLSv1.3
# enable strong ssl ciphers (default: false) # enable strong ssl ciphers (default: false)
# strong_ssl_ciphers: false # strong_ssl_ciphers: false
@ -206,7 +208,7 @@ _version: 2.11.0
# # host for redis+sentinel: # # host for redis+sentinel:
# # <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3> # # <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
# host: redis:6379 # host: redis:6379
# password: # password:
# # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH <username> <password> form. # # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH <username> <password> form.
# # there's a known issue when using external redis username ref:https://github.com/goharbor/harbor/issues/18892 # # there's a known issue when using external redis username ref:https://github.com/goharbor/harbor/issues/18892
# # if you care about the image pull/push performance, please refer to this https://github.com/goharbor/harbor/wiki/Harbor-FAQs#external-redis-username-password-usage # # if you care about the image pull/push performance, please refer to this https://github.com/goharbor/harbor/wiki/Harbor-FAQs#external-redis-username-password-usage
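Review bot: The new comment `# configure ssl protocols (default: TLSv1.2 TLSv1.3)` does not say what form the value takes or how it is consumed; from the parser hunk in this commit it appears to be forwarded to nginx without validation, so a typo only surfaces when nginx refuses to start. I would extend it to `# configure ssl protocols: space-separated list passed verbatim to nginx's ssl_protocols directive (default: TLSv1.2 TLSv1.3); enabling versions older than TLSv1.2 weakens transport security`. The second hunk of this file shows no visible change and is not reviewed here.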


@ -63,7 +63,11 @@ http {
ssl_certificate_key {{ssl_cert_key}}; ssl_certificate_key {{ssl_cert_key}};
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
{% if ssl_protocols is defined %}
ssl_protocols {{ssl_protocols}};
{% else %}
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
{% endif %}
{% if strong_ssl_ciphers %} {% if strong_ssl_ciphers %}
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
{% else %} {% else %}
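Review bot: `{% if ssl_protocols is defined %}` does not fall back to the default when the option is left commented out in harbor.yml: the parser stores `https_config.get('ssl_protocols')`, which is None when the key is absent, render_nginx_template passes that value through as a keyword argument unconditionally, and Jinja's `defined` test is true for a name bound to None. The template would then emit `ssl_protocols None;`, which nginx rejects at startup. Use a truthiness test instead, `{% if ssl_protocols %}`, so both None and an empty value take the `TLSv1.2 TLSv1.3` branch; the portal template in this commit uses the same construct and needs the same change. The enclosing server block starts and ends outside the hunk.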


@ -27,7 +27,11 @@ http {
ssl_certificate /etc/harbor/tls/portal.crt; ssl_certificate /etc/harbor/tls/portal.crt;
ssl_certificate_key /etc/harbor/tls/portal.key; ssl_certificate_key /etc/harbor/tls/portal.key;
{% if ssl_protocols is defined %}
ssl_protocols {{ssl_protocols}};
{% else %}
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
{% endif %}
{% if strong_ssl_ciphers %} {% if strong_ssl_ciphers %}
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
{% else %} {% else %}


@ -299,11 +299,16 @@ def parse_yaml_config(config_file_path, with_trivy):
external_database=config_dict['external_database']) external_database=config_dict['external_database'])
else: else:
config_dict['internal_tls'] = InternalTLS() config_dict['internal_tls'] = InternalTLS()
# ssl_protocols config
if https_config:
config_dict['ssl_protocols'] = https_config.get('ssl_protocols')
# the configure item apply to internal and external tls communication # the configure item apply to internal and external tls communication
# for compatibility, user could configure the strong_ssl_ciphers either in https section or under internal_tls section, # for compatibility, user could configure the strong_ssl_ciphers either in https section or under internal_tls section,
# but it is more reasonable to configure it in https_config # but it is more reasonable to configure it in https_config
if https_config: if https_config:
config_dict['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers') config_dict['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers')
else: else:
config_dict['strong_ssl_ciphers'] = False config_dict['strong_ssl_ciphers'] = False
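Review bot: `config_dict['ssl_protocols']` is only assigned inside `if https_config:`, yet prepare_portal reads `config_dict['ssl_protocols']` with no visible guard in its hunk, so an HTTP-only harbor.yml would, as far as these hunks show, raise KeyError during portal preparation. The neighbouring strong_ssl_ciphers block shows the intended shape: add `else:` / `config_dict['ssl_protocols'] = None` after the new assignment so the key always exists. A short comment on the assignment, e.g. `# forwarded verbatim to the nginx ssl_protocols directive; not validated here`, would also make the trust boundary explicit for the next reader. parse_yaml_config continues outside the hunk.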


@ -64,6 +64,7 @@ def render_nginx_template(config_dict):
ssl_cert_key=SSL_CERT_KEY_PATH, ssl_cert_key=SSL_CERT_KEY_PATH,
internal_tls=config_dict['internal_tls'], internal_tls=config_dict['internal_tls'],
metric=config_dict['metric'], metric=config_dict['metric'],
ssl_protocols=config_dict['ssl_protocols'],
strong_ssl_ciphers=config_dict['strong_ssl_ciphers'], strong_ssl_ciphers=config_dict['strong_ssl_ciphers'],
ip_family=config_dict['ip_family']) ip_family=config_dict['ip_family'])
location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS


@ -17,5 +17,6 @@ def prepare_portal(config_dict):
ip_family=config_dict['ip_family'], ip_family=config_dict['ip_family'],
uid=DEFAULT_UID, uid=DEFAULT_UID,
gid=DEFAULT_GID, gid=DEFAULT_GID,
ssl_protocols=config_dict['ssl_protocols'],
strong_ssl_ciphers=config_dict['strong_ssl_ciphers'] strong_ssl_ciphers=config_dict['strong_ssl_ciphers']
) )