mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-11 19:37:18 +01:00
da359f609f
add mtls related code in core Signed-off-by: DQ <dengq@vmware.com>
227 lines
7.1 KiB
Django/Jinja
227 lines
7.1 KiB
Django/Jinja
worker_processes auto;
|
|
pid /tmp/nginx.pid;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
use epoll;
|
|
multi_accept on;
|
|
}
|
|
|
|
http {
|
|
client_body_temp_path /tmp/client_body_temp;
|
|
proxy_temp_path /tmp/proxy_temp;
|
|
fastcgi_temp_path /tmp/fastcgi_temp;
|
|
uwsgi_temp_path /tmp/uwsgi_temp;
|
|
scgi_temp_path /tmp/scgi_temp;
|
|
tcp_nodelay on;
|
|
include /etc/nginx/conf.d/*.upstream.conf;
|
|
|
|
# this is necessary for us to be able to disable request buffering in all cases
|
|
proxy_http_version 1.1;
|
|
|
|
upstream core {
|
|
{% if internal_tls.enabled %}
|
|
server core:8443;
|
|
{% else %}
|
|
server core:8080;
|
|
{% endif %}
|
|
}
|
|
|
|
upstream portal {
|
|
server portal:8080;
|
|
}
|
|
|
|
log_format timed_combined '$remote_addr - '
|
|
'"$request" $status $body_bytes_sent '
|
|
'"$http_referer" "$http_user_agent" '
|
|
'$request_time $upstream_response_time $pipe';
|
|
|
|
access_log /dev/stdout timed_combined;
|
|
|
|
include /etc/nginx/conf.d/*.server.conf;
|
|
|
|
server {
|
|
listen 8443 ssl;
|
|
# server_name harbordomain.com;
|
|
server_tokens off;
|
|
# SSL
|
|
ssl_certificate {{ssl_cert}};
|
|
ssl_certificate_key {{ssl_cert_key}};
|
|
|
|
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
ssl_protocols TLSv1.2;
|
|
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
|
|
# disable any limits to avoid HTTP 413 for large image uploads
|
|
client_max_body_size 0;
|
|
|
|
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
|
|
chunked_transfer_encoding on;
|
|
|
|
# Add extra headers
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
|
add_header X-Frame-Options DENY;
|
|
add_header Content-Security-Policy "frame-ancestors 'none'";
|
|
|
|
# costumized location config file can place to /etc/nginx dir with prefix harbor.https. and suffix .conf
|
|
include /etc/nginx/conf.d/harbor.https.*.conf;
|
|
|
|
location / {
|
|
proxy_pass http://portal/;
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
proxy_cookie_path / "/; HttpOnly; Secure";
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /c/ {
|
|
{% if internal_tls.enabled %}
|
|
proxy_pass https://core/c/;
|
|
|
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
|
proxy_ssl_trusted_certificate /etc/harbor/tls/harbor_internal_ca.crt;
|
|
proxy_ssl_verify_depth 2;
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_session_reuse on;
|
|
{% else %}
|
|
proxy_pass http://core/c/;
|
|
{% endif %}
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
proxy_cookie_path / "/; Secure";
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /api/ {
|
|
{% if internal_tls.enabled %}
|
|
proxy_pass https://core/api/;
|
|
|
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
|
proxy_ssl_trusted_certificate /etc/harbor/tls/harbor_internal_ca.crt;
|
|
proxy_ssl_verify_depth 2;
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_session_reuse on;
|
|
{% else %}
|
|
proxy_pass http://core/api/;
|
|
{% endif %}
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
proxy_cookie_path / "/; Secure";
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /chartrepo/ {
|
|
{% if internal_tls.enabled %}
|
|
proxy_pass https://core/chartrepo/;
|
|
|
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
|
proxy_ssl_trusted_certificate /etc/harbor/tls/harbor_internal_ca.crt;
|
|
proxy_ssl_verify_depth 2;
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_session_reuse on;
|
|
{% else %}
|
|
proxy_pass http://core/chartrepo/;
|
|
{% endif %}
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
proxy_cookie_path / "/; Secure";
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /v1/ {
|
|
return 404;
|
|
}
|
|
|
|
location /v2/ {
|
|
{% if internal_tls.enabled %}
|
|
proxy_pass https://core/v2/;
|
|
|
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
|
proxy_ssl_trusted_certificate /etc/harbor/tls/harbor_internal_ca.crt;
|
|
proxy_ssl_verify_depth 2;
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_session_reuse on;
|
|
{% else %}
|
|
proxy_pass http://core/v2/;
|
|
{% endif %}
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /service/ {
|
|
{% if internal_tls.enabled %}
|
|
proxy_pass https://core/service/;
|
|
|
|
proxy_ssl_certificate /etc/harbor/tls/proxy.crt;
|
|
proxy_ssl_certificate_key /etc/harbor/tls/proxy.key;
|
|
proxy_ssl_trusted_certificate /etc/harbor/tls/harbor_internal_ca.crt;
|
|
proxy_ssl_verify_depth 2;
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_session_reuse on;
|
|
{% else %}
|
|
proxy_pass http://core/service/;
|
|
{% endif %}
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
proxy_cookie_path / "/; Secure";
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location /service/notifications {
|
|
return 404;
|
|
}
|
|
}
|
|
server {
|
|
listen 8080;
|
|
#server_name harbordomain.com;
|
|
return 308 https://{{https_redirect}}$request_uri;
|
|
}
|
|
}
|