Reinforcing instruction to use HTTPS over HTTP

Stuart Clements 2019-10-21 14:33:06 +02:00
parent d137471906
commit 46d8214bfa
2 changed files with 17 additions and 9 deletions


@ -1,8 +1,10 @@
# Configuring Harbor with HTTPS Access # Configuring Harbor with HTTPS Access
Because Harbor does not ship with any certificates, it uses HTTP by default to serve registry requests. However, it is highly recommended that security be enabled for any production environment. Harbor has an Nginx instance as a reverse proxy for all services, you can use the prepare script to configure Nginx to enable https. Because Harbor does not ship with any certificates, it uses HTTP by default to serve registry requests. However, using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks. In production environments, always use HTTPS. If you enable Content Trust with Notary, you must use HTTPS.
In a test or development environment, you may choose to use a self-signed certificate instead of the one from a trusted third-party CA. The followings will show you how to create your own CA, and use your CA to sign a server certificate and a client certificate. Harbor uses an `nginx` instance as a reverse proxy for all services. You use the `prepare` script to configure `nginx` to enable HTTPS.
You can use certificates that are signed by a trusted third-party CA, or in you can use self-signed certificates. The following sections describe how to create a CA, and how to use your CA to sign a server certificate and a client certificate.
## Getting Certificate Authority ## Getting Certificate Authority
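Review bot: the new third paragraph of this hunk has a typo, "or in you can use self-signed certificates", which should read "or you can use self-signed certificates"; the same sentence is introduced in the second file of this commit, so fix both. On the substance, the new wording ties the risk of plain HTTP to having "a connection to the external internet", but a man-in-the-middle on the local network does not need internet access, so an air gap reduces exposure without removing the threat; consider saying that HTTP is acceptable only when every client can be trusted to reach the registry over a trusted network segment, for example "Using HTTP exposes registry traffic, including credentials, to anyone positioned on the network path between the client and Harbor." The reference to the `prepare` script is fine as is, but it would help the reader to say where `prepare` reads the certificate and key paths from (the `https` section of `harbor.yml` described in the other file of this commit).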


@ -118,16 +118,22 @@ The parameters are described below - note that at the very least, you will need
- **host**: The URL of the syslog server. - **host**: The URL of the syslog server.
- **port**: The port on which the syslog server listens. - **port**: The port on which the syslog server listens.
- **https**: The protocol used to access the Portal and the token/notification service.
- **port**: port number for HTTPS
- **certificate**: The path to the SSL certificate. This is only applied when the protocol is set to HTTPS.
- **private_key**: The path to the SSL key. This is only applied when the protocol is set to HTTPS.
**IMPORTANT**: Harbor does not ship with any certificates, and uses HTTP by default to serve registry requests. This is acceptable only in air-gapped test or development environments. In production environments, always use HTTPS. If you enable Content Trust with Notary, you must use HTTPS.
You can use certificates that are signed by a trusted third-party CA, or in you can use self-signed certificates. For information about how to create a CA, and how to use a CA to sign a server certificate and a client certificate, see **[Configuring Harbor with HTTPS Access](configure_https.md)**.
##### optional parameters ##### optional parameters
- **http**: - **http**:
- **port** : the port number of you http - **port** : Port number for HTTP
- **https**: The protocol used to access the Portal and the token/notification service. If Notary is enabled, has to set to _https_. **IMPORTANT**: Do not use HTTP in production environments. Using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks.
refer to **[Configuring Harbor with HTTPS Access](configure_https.md)**.
- **port**: port number for https
- **certificate**: The path of SSL certificate, it's applied only when the protocol is set to https.
- **private_key**: The path of SSL key, it's applied only when the protocol is set to https.
- **external_url**: Enable it if use external proxy, and when it enabled the hostname will no longer used - **external_url**: Enable it if use external proxy, and when it enabled the hostname will no longer used
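Review bot: the new `https` block (the lines starting "- **https**: The protocol used to access the Portal...") is inserted directly after the syslog `host` and `port` entries and before the "optional parameters" heading, so it reads as a sub-entry of the log settings rather than as a top-level required parameter; move it so it is clearly at the same level as the other required parameters and indent `port`, `certificate` and `private_key` as children of `https`, as the removed optional-section entry did. The removed text also carried the constraint "If Notary is enabled, has to set to _https_", and the new IMPORTANT note preserves only "If you enable Content Trust with Notary, you must use HTTPS", which is fine, but the `http` entry that remains under optional parameters should then say explicitly that `http` cannot be the only listener when Notary is enabled. Finally, the new IMPORTANT paragraph repeats the typo "or in you can use self-signed certificates" (should be "or you can use self-signed certificates") and is inconsistent in capitalisation between "port number for HTTPS" and the sibling entries; pick one form.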