From 07744402d89cab98603b68f122867a09fd298869 Mon Sep 17 00:00:00 2001 From: Tan Jiang Date: Fri, 14 Oct 2016 17:13:15 +0800 Subject: [PATCH] prepare support configuring https --- .gitignore | 2 + Deploy/harbor.cfg | 6 ++ Deploy/prepare | 46 ++++++++++-- Deploy/templates/nginx/nginx.http.conf | 75 +++++++++++++++++++ .../nginx/nginx.https.conf | 34 ++++----- 5 files changed, 140 insertions(+), 23 deletions(-) create mode 100644 Deploy/templates/nginx/nginx.http.conf rename Deploy/{config => templates}/nginx/nginx.https.conf (67%) diff --git a/.gitignore b/.gitignore index 07315ad3f..13f454021 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,8 @@ Deploy/config/ui/env Deploy/config/ui/app.conf Deploy/config/db/env Deploy/config/jobservice/env +Deploy/config/nginx/nginx.conf +Deploy/config/nginx/cert/* Deploy/ui/harbor_ui Deploy/jobservice/harbor_jobservice ui/ui diff --git a/Deploy/harbor.cfg b/Deploy/harbor.cfg index 0726fbe73..df7c05485 100644 --- a/Deploy/harbor.cfg +++ b/Deploy/harbor.cfg @@ -84,4 +84,10 @@ crt_organization = organization crt_organizationalunit = organizational unit crt_commonname = example.com crt_email = example@example.com + + +#The path of cert and key files for nginx, they are applied only the protocol is set to https +ssl_cert = /path/to/server.crt +ssl_cert_key = /path/to/server.key +############# ##### diff --git a/Deploy/prepare b/Deploy/prepare index 35c4d9f03..ab22bf4a0 100755 --- a/Deploy/prepare +++ b/Deploy/prepare @@ -8,6 +8,7 @@ import os import sys import argparse import subprocess +import shutil from io import open if sys.version_info[:3][0] == 2: 
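Review bot: The new comment in `Deploy/harbor.cfg` reads `#The path of cert and key files for nginx, they are applied only the protocol is set to https` and is missing a word; it should name the option that gates it, e.g. `# Paths of the certificate and private key used by nginx; only read when ui_url_protocol is set to https`. The two new keys are also the only place an operator learns that the key file is copied into the deploy tree by `prepare`, so a second line such as `# The key is copied under Deploy/config/nginx/cert, keep that directory private` would document the side effect that the new `.gitignore` entries exist for.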
@@ -21,6 +22,19 @@ if sys.version_info[:3][0] == 3: def validate(conf): if len(conf.get("configuration", "secret_key")) != 16: raise Exception("Error: The length of secret key has to be 16 characters!") + protocol = rcp.get("configuration", "ui_url_protocol") + if protocol == "https": + if not rcp.has_option("configuration", "ssl_cert"): + raise Exception("Error: The protocol is https but attribute ssl_cert is not set") + cert_path = rcp.get("configuration", "ssl_cert") + if not os.path.isfile(cert_path): + raise Exception("Error: The path for certificate: %s is invalid" % cert_path) + if not rcp.has_option("configuration", "ssl_cert_key"): + raise Exception("Error: The protocol is https but attribute ssl_cert_key is not set") + cert_key_path = rcp.get("configuration", "ssl_cert_key") + if not os.path.isfile(cert_key_path): + raise Exception("Error: The path for certificate key: %s is invalid" % cert_key_path) + parser = argparse.ArgumentParser() parser.add_argument('-conf', dest='cfgfile', default = 'harbor.cfg',type=str,help="the path of Harbor configuration file") @@ -37,7 +51,8 @@ rcp.readfp(conf) validate(rcp) hostname = rcp.get("configuration", "hostname") -ui_url = rcp.get("configuration", "ui_url_protocol") + "://" + hostname +protocol = rcp.get("configuration", "ui_url_protocol") +ui_url = protocol + "://" + hostname email_server = rcp.get("configuration", "email_server") email_server_port = rcp.get("configuration", "email_server_port") email_username = rcp.get("configuration", "email_username") 
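Review bot: The new lines in validate() read every option from the module-level `rcp` while the existing first check reads from the `conf` parameter, so the function only works because it happens to be called as `validate(rcp)` after `rcp` is built and would break if called earlier or with a different parser; replace `rcp` with `conf` on the six new lines, starting with `protocol = conf.get("configuration", "ui_url_protocol")`. The `has_option` guard before each `get` is a good addition, but `os.path.isfile` says nothing about readability, so an unreadable key file is only reported later when `shutil.copy2` raises; an explicit `os.access(cert_key_path, os.R_OK)` check here gives the operator the same clear message as the other failures. The second hunk's module-level `protocol` variable is fine as written.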
@@ -65,6 +80,9 @@ ldap_scope = rcp.get("configuration", "ldap_scope")
 db_password = rcp.get("configuration", "db_password")
 self_registration = rcp.get("configuration", "self_registration")
 use_compressed_js = rcp.get("configuration", "use_compressed_js")
+if protocol == "https":
+ cert_path = rcp.get("configuration", "ssl_cert")
+ cert_key_path = rcp.get("configuration", "ssl_cert_key")
 customize_crt = rcp.get("configuration", "customize_crt")
 crt_country = rcp.get("configuration", "crt_country")
 crt_state = rcp.get("configuration", "crt_state")
@@ -108,15 +126,31 @@ ui_conf = os.path.join(config_dir, "ui", "app.conf") registry_conf = os.path.join(config_dir, "registry", "config.yml") db_conf_env = os.path.join(config_dir, "db", "env") job_conf_env = os.path.join(config_dir, "jobservice", "env") - -conf_files = [ ui_conf, ui_conf_env, registry_conf, db_conf_env, job_conf_env ] +nginx_conf = os.path.join(config_dir, "nginx", "nginx.conf") +cert_dir = os.path.join(config_dir, "nginx", "cert") +conf_files = [ ui_conf, ui_conf_env, registry_conf, db_conf_env, job_conf_env, nginx_conf, cert_dir ] def rmdir(cf): for f in cf: - if os.path.exists(f): - print("Clearing the configuration file: %s" % f) - os.remove(f) + if os.path.isdir(f): + rmdir(map(lambda x: os.path.join(f,x), os.listdir(f))) + elif os.path.exists(f) and os.path.basename(f) != ".gitignore": + print("Clearing the configuration file: %s" % f) + os.remove(f) rmdir(conf_files) +if protocol == "https": + target_cert_path = os.path.join(cert_dir, os.path.basename(cert_path)) + shutil.copy2(cert_path,target_cert_path) + target_cert_key_path = os.path.join(cert_dir, os.path.basename(cert_key_path)) + shutil.copy2(cert_key_path,target_cert_key_path) + render(os.path.join(templates_dir, "nginx", "nginx.https.conf"), + nginx_conf, + ssl_cert = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_path)), + ssl_cert_key = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_key_path))) +else: + render(os.path.join(templates_dir, "nginx", "nginx.http.conf"), + nginx_conf) + render(os.path.join(templates_dir, "ui", "env"), ui_conf_env, hostname=hostname, diff --git a/Deploy/templates/nginx/nginx.http.conf b/Deploy/templates/nginx/nginx.http.conf new file mode 100644 index 000000000..5972af5a7 --- /dev/null +++ b/Deploy/templates/nginx/nginx.http.conf 
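Review bot: `shutil.copy2` preserves the source file's mode, so the private key written to `target_cert_key_path` keeps whatever permissions the operator's original had and now lives inside the checkout where anyone with read access to the deploy tree can open it; tighten it immediately after the copy with `os.chmod(target_cert_key_path, 0o600)`. Nothing creates `cert_dir` before the copy: the `.gitignore` special case in `rmdir` suggests the directory is kept in the repository with a placeholder file, but an `os.makedirs(cert_dir)` guard when it is missing would make `prepare` independent of that. Passing `cert_dir` through `rmdir` so that stale copies of an earlier certificate are removed is the right behaviour when an operator rotates certificates, but the function name no longer describes what it does; a one-line comment such as `# cf may contain files and directories; directories are emptied, not removed` would help the next reader.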
@@ -0,0 +1,75 @@
+worker_processes auto;
+
+events {
+ worker_connections 1024;
+ use epoll;
+ multi_accept on;
+}
+
+http {
+ tcp_nodelay on;
+
+ # this is necessary for us to be able to disable request buffering in all cases
+ proxy_http_version 1.1;
+
+
+ upstream registry {
+ server registry:5000;
+ }
+
+ upstream ui {
+ server ui:80;
+ }
+
+
+ server {
+ listen 80;
+
+ # disable any limits to avoid HTTP 413 for large image uploads
+ client_max_body_size 0;
+
+ location / {
+ proxy_pass http://ui/;
+ proxy_set_header Host $$host;
+ proxy_set_header X-Real-IP $$remote_addr;
+ proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+
+ # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+ proxy_set_header X-Forwarded-Proto $$scheme;
+
+ proxy_buffering off;
+ proxy_request_buffering off;
+ }
+
+ location /v1/ {
+ return 404;
+ }
+
+ location /v2/ {
+ proxy_pass http://registry/v2/;
+ proxy_set_header Host $$http_host;
+ proxy_set_header X-Real-IP $$remote_addr;
+ proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+
+ # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+ proxy_set_header X-Forwarded-Proto $$$$scheme;
+
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ }
+
+ location /service/ {
+ proxy_pass http://ui/service/;
+ proxy_set_header Host $$host;
+ proxy_set_header X-Real-IP $$remote_addr;
+ proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+
+ # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+ proxy_set_header X-Forwarded-Proto $$scheme;
+
+ proxy_buffering off;
+ proxy_request_buffering off;
+ }
+ }
+}
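Review bot: `proxy_set_header X-Forwarded-Proto $$$$scheme;` in the `/v2/` location has a doubled escape; if `render()` substitutes with `string.Template`, as the `$$` escapes everywhere else in this file imply, the generated nginx.conf contains `$$scheme`, which nginx will most likely reject as an invalid variable name at startup and which would in any case not carry the request scheme to the registry. It should match the other two locations: `proxy_set_header X-Forwarded-Proto $$scheme;`. The `Host` header differs between locations (`$$host` for the ui, `$$http_host` for the registry); if that is deliberate, a one-line comment saying why the registry needs the port would save the next reader from "fixing" it.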
diff --git a/Deploy/config/nginx/nginx.https.conf b/Deploy/templates/nginx/nginx.https.conf similarity index 67% rename from Deploy/config/nginx/nginx.https.conf rename to Deploy/templates/nginx/nginx.https.conf index 239c44c65..4f527ec87 100644 --- a/Deploy/config/nginx/nginx.https.conf +++ b/Deploy/templates/nginx/nginx.https.conf @@ -24,11 +24,11 @@ http { server { listen 443 ssl; - server_name harbordomain.com; +# server_name harbordomain.com; # SSL - ssl_certificate /etc/nginx/cert/harbordomain.crt; - ssl_certificate_key /etc/nginx/cert/harbordomain.key; + ssl_certificate $ssl_cert; + ssl_certificate_key $ssl_cert_key; # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1.1 TLSv1.2; @@ -44,12 +44,12 @@ http { location / { proxy_pass http://ui/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $$http_host; + proxy_set_header X-Real-IP $$remote_addr; + proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for; # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto $$scheme; proxy_buffering off; proxy_request_buffering off; 
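Review bot: Because the file is now rendered as a template, every nginx `$variable` in it has to be written `$$`, but the hunks only convert the lines they touch; any `$` in the parts of the file outside these hunks (the ssl settings between the first and second hunk are not shown) would make the substitution fail or corrupt the generated config, so the whole file should be checked once rather than hunk by hunk. The untouched context line `ssl_protocols TLSv1.1 TLSv1.2;` predates this change, but since the file is being turned into a template under `Deploy/templates` anyway, narrowing it to `ssl_protocols TLSv1.2;` is cheap to do in the same move. The commented-out `server_name` is written at column 0 here (`+# server_name harbordomain.com;`) and indented as `+ #server_name harbordomain.com;` in the last hunk of this file; pick one form.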
@@ -61,12 +61,12 @@ http { location /v2/ { proxy_pass http://registry/v2/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $$http_host; + proxy_set_header X-Real-IP $$remote_addr; + proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for; # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto $$scheme; proxy_buffering off; proxy_request_buffering off; @@ -75,12 +75,12 @@ http { location /service/ { proxy_pass http://ui/service/; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $$http_host; + proxy_set_header X-Real-IP $$remote_addr; + proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for; # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings. - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto $$scheme; proxy_buffering off; proxy_request_buffering off; @@ -88,7 +88,7 @@ http { } server { listen 80; - server_name harbordomain.com; - rewrite ^/(.*) https://$server_name:443/$1 permanent; + #server_name harbordomain.com; + return 301 https://$$host$$request_uri; } }
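Review bot: With `server_name` commented out, the new redirect `return 301 https://$$host$$request_uri;` in the last hunk builds its target from the client-supplied Host header, so any Host value a client sends is echoed back in the Location header. `prepare` already knows the configured `hostname` and passes it to other templates, so rendering `server_name $hostname;` in both server blocks (with `hostname=hostname` added to the nginx render call) and redirecting with `return 301 https://$$server_name$$request_uri;` keeps the redirect anchored to the name the operator configured. Replacing the old `rewrite` with its `$1` capture by `$$request_uri` is an improvement, since it preserves the query string.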