TLS update min version and cipher suits
Minimum version set to TLS 1.2; cipher suites only use ECDHE and strength above 256. Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
parent
009662a317
commit
b3db293091
@ -60,3 +60,24 @@ func GetInternalTLSConfig() (*tls.Config, error) {
|
||||
Certificates: []tls.Certificate{cert},
|
||||
}, nil
|
||||
}
|
||||
|
||||
// NewServerTLSConfig returns a modern tls config,
|
||||
// refer to https://blog.cloudflare.com/exposing-go-on-the-internet/
|
||||
func NewServerTLSConfig() *tls.Config {
|
||||
return &tls.Config{
|
||||
PreferServerCipherSuites: true,
|
||||
CurvePreferences: []tls.CurveID{
|
||||
tls.CurveP256,
|
||||
tls.X25519,
|
||||
},
|
||||
MinVersion: tls.VersionTLS12,
|
||||
CipherSuites: []uint16{
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
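Review bot: The doc comment on NewServerTLSConfig says only "returns a modern tls config" and leaves the actual policy to the reader, while the commit description claims "strength above 256" even though the two AES-128-GCM suites are kept; the comment should state what the code enforces rather than an adjective, e.g. `// NewServerTLSConfig returns a fresh *tls.Config for Harbor's internal servers: TLS 1.2 minimum,` / `// ECDHE-only AEAD suites (AES-GCM, ChaCha20-Poly1305) and P-256/X25519 curves. Callers may mutate the result.` Note that Go does not apply CipherSuites to TLS 1.3 connections, so the list only governs TLS 1.2 clients, which is worth saying in the comment. PreferServerCipherSuites is deprecated and ignored from Go 1.17 onward, so if this module targets that or newer the field is a no-op that staticcheck will flag; it is harmless on older toolchains.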
@ -24,6 +24,7 @@ import (
|
||||
|
||||
"github.com/astaxie/beego"
|
||||
_ "github.com/astaxie/beego/session/redis"
|
||||
|
||||
"github.com/goharbor/harbor/src/common/dao"
|
||||
common_http "github.com/goharbor/harbor/src/common/http"
|
||||
"github.com/goharbor/harbor/src/common/job"
|
||||
@ -163,10 +164,12 @@ func main() {
|
||||
iTLSCertPath := os.Getenv("INTERNAL_TLS_CERT_PATH")
|
||||
|
||||
log.Infof("load client key: %s client cert: %s", iTLSKeyPath, iTLSCertPath)
|
||||
beego.BConfig.Listen.EnableHTTP = false
|
||||
beego.BConfig.Listen.EnableHTTPS = true
|
||||
beego.BConfig.Listen.HTTPSPort = 8443
|
||||
beego.BConfig.Listen.HTTPSKeyFile = iTLSKeyPath
|
||||
beego.BConfig.Listen.HTTPSCertFile = iTLSCertPath
|
||||
beego.BeeApp.Server.TLSConfig = common_http.NewServerTLSConfig()
|
||||
}
|
||||
|
||||
log.Infof("Version: %s, Git commit: %s", version.ReleaseVersion, version.GitCommit)
|
||||
|
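Review bot: The assignment `beego.BeeApp.Server.TLSConfig = common_http.NewServerTLSConfig()` only hardens the listener if beego keeps that config when it starts HTTPS; I cannot see beego's Run from this hunk, but if its mutual-TLS path builds its own tls.Config (for example to set ClientCAs from a trust file) the minimum version and suite restrictions set here would be silently replaced. Worth confirming against the vendored beego version, ideally with a test that a TLS 1.1 handshake or a non-ECDHE suite is rejected on port 8443, and noting the dependency at the assignment: `// beego must not replace Server.TLSConfig on startup, or the hardening below is lost — verified against beego <version placeholder>`. main() starts and ends outside this hunk.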
@ -70,14 +70,13 @@ func NewServer(ctx context.Context, router Router, cfg ServerConfig) *Server {
|
||||
WriteTimeout: 15 * time.Second,
|
||||
ReadTimeout: 15 * time.Second,
|
||||
IdleTimeout: 60 * time.Second,
|
||||
TLSConfig: commonhttp.NewServerTLSConfig(),
|
||||
}
|
||||
|
||||
// Initialize TLS/SSL config if protocol is https
|
||||
if cfg.Protocol == config.JobServiceProtocolHTTPS && commonhttp.InternalEnableVerifyClientCert() {
|
||||
logger.Infof("mTLS enabled ...")
|
||||
srv.TLSConfig = &tls.Config{
|
||||
ClientAuth: tls.RequireAndVerifyClientCert,
|
||||
}
|
||||
srv.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
||||
}
|
||||
|
||||
apiServer.httpServer = srv
|
||||
|
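Review bot: `srv.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert` (and the identical line in the RegistryCtl.Start hunk below) now keeps the hardened suites, but neither hunk sets ClientCAs; unless it is populated elsewhere, Go verifies client certificates against the host's root store, so a certificate from any publicly trusted CA would satisfy mTLS. Worth confirming where the internal CA pool is attached and recording it next to the assignment, e.g. `// ClientCAs is expected to be loaded by <caller placeholder>; without it the system roots apply — confirm`. The comment `// Initialize TLS/SSL config if protocol is https` no longer matches the code, since the base config is now set unconditionally in the struct literal and this branch only enforces client certificates; `// Require and verify client certificates when mTLS is enabled` describes it. NewServer's body continues outside the hunk.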
@ -34,16 +34,15 @@ type RegistryCtl struct {
|
||||
// Start the registry controller
|
||||
func (s *RegistryCtl) Start() {
|
||||
regCtl := &http.Server{
|
||||
Addr: ":" + s.ServerConf.Port,
|
||||
Handler: s.Handler,
|
||||
Addr: ":" + s.ServerConf.Port,
|
||||
Handler: s.Handler,
|
||||
TLSConfig: common_http.NewServerTLSConfig(),
|
||||
}
|
||||
|
||||
var err error
|
||||
if s.ServerConf.Protocol == "https" {
|
||||
if common_http.InternalEnableVerifyClientCert() {
|
||||
regCtl.TLSConfig = &tls.Config{
|
||||
ClientAuth: tls.RequireAndVerifyClientCert,
|
||||
}
|
||||
regCtl.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
||||
}
|
||||
err = regCtl.ListenAndServeTLS(s.ServerConf.HTTPSConfig.Cert, s.ServerConf.HTTPSConfig.Key)
|
||||
} else {
|
||||
|