add a 4443 ssl server to nginx config

docs/use_notary.md

@@ -10,14 +10,13 @@ It can be done via setting envrironment variables:
 
 ```
 export DOCKER_CONTENT_TRUST=1
-export DOCKER_CONTENT_TRUST_SERVER=https://192.168.0.5/notary
+export DOCKER_CONTENT_TRUST_SERVER=https://192.168.0.5:4443/
 ```
 
 ### Set alias for notary (optional)
 Because by default the local directory for storing meta files for notary client is different from docker client.  If you want to use notary client to manipulate the keys/meta files generated by Docker Content Trust, please set the alias to reduce the effort:
 
 ```
-alias notary="notary -s https//192.168.0.5 -d ~/.docker/trust --tlscacert  /
-etc/docker/certs.d/192.168.0.5/ca.crt"
+alias notary="notary -s https//192.168.0.5:4443 -d ~/.docker/trust --tlscacert  /etc/docker/certs.d/192.168.0.5/ca.crt"
 
 ```

make/common/templates/nginx/nginx.https.conf

@@ -20,7 +20,8 @@ http {
   upstream ui {
     server ui:80;
   }
-
+  
+  include /etc/nginx/conf.d/*.server.conf;
 
   server {
     listen 443 ssl;
@@ -42,8 +43,6 @@ http {
     # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
     chunked_transfer_encoding on;
 
-    include /etc/nginx/conf.d/*.location.conf;
-
     location / {
       proxy_pass http://ui/;
       proxy_set_header Host $$http_host;

make/common/templates/nginx/notary.location.conf

@@ -1,12 +0,0 @@
-location /notary/v2/ {
-  proxy_pass http://notary-server/v2/;
-  proxy_set_header Host $http_host;
-  proxy_set_header X-Real-IP $remote_addr;
-  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-  # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
-  proxy_set_header X-Forwarded-Proto $scheme;
-
-  proxy_buffering off;
-  proxy_request_buffering off;
-}

make/common/templates/nginx/notary.server.conf

@@ -0,0 +1,33 @@
+  server {
+    listen 4443 ssl;
+
+    # ssl
+    ssl_certificate /etc/nginx/cert/server.crt;
+    ssl_certificate_key /etc/nginx/cert/server.key;
+  
+    # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html
+    ssl_protocols tlsv1.1 tlsv1.2;
+    ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:ssl:10m;
+  
+    # disable any limits to avoid http 413 for large image uploads
+    client_max_body_size 0;
+  
+    # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
+    chunked_transfer_encoding on;
+
+    location /v2/ {
+      proxy_pass http://notary-server/v2/;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      proxy_set_header X-Forwarded-Proto $scheme;
+
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+  }
+

make/prepare

@@ -350,7 +350,7 @@ if args.notary_mode:
 
     print("Copying nginx configuration file for notary")
     shutil.copy2(os.path.join(templates_dir, "nginx", "notary.upstream.conf"), nginx_conf_d)
-    shutil.copy2(os.path.join(templates_dir, "nginx", "notary.location.conf"), nginx_conf_d)
+    shutil.copy2(os.path.join(templates_dir, "nginx", "notary.server.conf"), nginx_conf_d)
 
     default_alias = ''.join(random.choice(string.ascii_letters) for i in range(8))
     render(os.path.join(notary_temp_dir, "signer_env"), os.path.join(notary_config_dir, "signer_env"), alias = default_alias)

tests/notarytest.sh

@@ -4,7 +4,7 @@ set -e
 
 TIMEOUT=10
 while [ $TIMEOUT -gt 0 ]; do
-    STATUS=$(curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1/notary/v2/ -kv)
+    STATUS=$(curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:4443/v2/ -kv)
     if [ $STATUS -eq 401 ]; then
 		echo "Notary is running success."
 		break
@@ -16,4 +16,4 @@ done
 if [ $TIMEOUT -eq 0 ]; then
     echo "Notary is running fail."
     exit 1
-fi
+fi