Upstream
/
harbor
mirror of https://github.com/goharbor/harbor.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

http2 enabled and ciphers changed to get an A+ rating instead of B fr… (#16990) 

* Make strong cipher cfg optional
Signed-off-by: Stephan Hohn <stephan.hohn@tech11.com>

---------

Signed-off-by: Stephan Hohn <stephan.hohn@tech11.com>
Signed-off-by: MinerYang <yminer@vmware.com>
Co-authored-by: Stephan Hohn <stephan.hohn@tech11.com>
Co-authored-by: Wang Yan <wangyan@vmware.com>
Co-authored-by: MinerYang <yminer@vmware.com>
This commit is contained in:
Stephan Hohn 2023-05-29 04:37:57 +02:00 committed by GitHub
parent 11d6bb4437
commit 4f3393e615
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
make/harbor.yml.tmpl
View File

@ -23,6 +23,8 @@ https:
# enabled: true
# # put your cert and key files on dir
# dir: /etc/harbor/tls/internal
# # enable strong ssl ciphers (default: false)
# strong_ssl_ciphers: false
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used

5
make/photon/prepare/templates/portal/nginx.conf.jinja
View File

@ -21,9 +21,12 @@ http {
ssl_certificate /etc/harbor/tls/portal.crt;
ssl_certificate_key /etc/harbor/tls/portal.key;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.2 TLSv1.3;
{% if internal_tls.strong_ssl_ciphers %}
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
{% else %}
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
{% endif %}
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
{% else %}