diff --git a/make/harbor.yml.tmpl b/make/harbor.yml.tmpl
index e81abfc43e7..c5a2e9ffe6d 100644
--- a/make/harbor.yml.tmpl
+++ b/make/harbor.yml.tmpl
@@ -16,6 +16,8 @@ https:
   # The path of cert and key files for nginx
   certificate: /your/certificate/path
   private_key: /your/private/key/path
+  # configure ssl protocols (default: TLSv1.2 TLSv1.3)
+  # ssl_protocols: TLSv1.2 TLSv1.3
   # enable strong ssl ciphers (default: false)
   # strong_ssl_ciphers: false
 
@@ -206,7 +208,7 @@ _version: 2.11.0
 # # host for redis+sentinel:
 # # :,:,:
 # host: redis:6379
-# password: 
+# password:
 # # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH form.
 # # there's a known issue when using external redis username ref:https://github.com/goharbor/harbor/issues/18892
 # # if you care about the image pull/push performance, please refer to this https://github.com/goharbor/harbor/wiki/Harbor-FAQs#external-redis-username-password-usage
diff --git a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
index 6fa2bae788e..b5657627443 100644
--- a/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
+++ b/make/photon/prepare/templates/nginx/nginx.https.conf.jinja
@@ -63,7 +63,11 @@ http {
     ssl_certificate_key {{ssl_cert_key}};
 
     # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+{% if ssl_protocols is defined %}
+    ssl_protocols {{ssl_protocols}};
+{% else %}
     ssl_protocols TLSv1.2 TLSv1.3;
+{% endif %}
 {% if strong_ssl_ciphers %}
     ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
 {% else %}
diff --git a/make/photon/prepare/templates/portal/nginx.conf.jinja b/make/photon/prepare/templates/portal/nginx.conf.jinja
index 85a68a094cc..9af1bb7d413 100644
--- a/make/photon/prepare/templates/portal/nginx.conf.jinja
+++ b/make/photon/prepare/templates/portal/nginx.conf.jinja
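Review bot: The two new comment lines in the `https:` block state the default but not what values are accepted, nor that the string is handed to nginx unchanged, so a reader cannot tell whether `TLSv1 TLSv1.1` would be refused or silently applied. Suggest extending the first line to `# configure ssl protocols; the value is written verbatim into nginx's ssl_protocols directive, use a space-separated subset of TLSv1.2 TLSv1.3 (default: TLSv1.2 TLSv1.3)`. Whether the value is in fact validated anywhere is not visible in this hunk; the comment should match what prepare actually does.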
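Review bot: `{% if ssl_protocols is defined %}` never reaches the `TLSv1.2 TLSv1.3` fallback when the key is left commented out in harbor.yml, which is the shipped default: the configs.py hunk stores `https_config.get('ssl_protocols')`, i.e. None, the nginx.py hunk passes that through unconditionally, and Jinja2's `defined` test is true for None, so the rendered line is presumably `ssl_protocols None;`, which nginx rejects at startup. Test the value rather than its presence: `{% if ssl_protocols %}`. The portal/nginx.conf.jinja hunk has the same construct and needs the same change. This assumes the renderer forwards keyword arguments as shown in nginx.py and does not drop None values.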
@@ -27,7 +27,11 @@ http {
     ssl_certificate /etc/harbor/tls/portal.crt;
     ssl_certificate_key /etc/harbor/tls/portal.key;
 
+    {% if ssl_protocols is defined %}
+    ssl_protocols {{ssl_protocols}};
+    {% else %}
     ssl_protocols TLSv1.2 TLSv1.3;
+    {% endif %}
 {% if strong_ssl_ciphers %}
     ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
 {% else %}
diff --git a/make/photon/prepare/utils/configs.py b/make/photon/prepare/utils/configs.py
index aff7867295f..0843616c6c4 100644
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@@ -299,11 +299,16 @@ def parse_yaml_config(config_file_path, with_trivy):
                                                external_database=config_dict['external_database'])
     else:
         config_dict['internal_tls'] = InternalTLS()
+
+    # ssl_protocols config
+    if https_config:
+        config_dict['ssl_protocols'] = https_config.get('ssl_protocols')
+
 
     # the configure item apply to internal and external tls communication
     # for compatibility, user could configure the strong_ssl_ciphers either in https section or under internal_tls section,
     # but it is more reasonable to configure it in https_config
     if https_config:
-        config_dict['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers')
+        config_dict['strong_ssl_ciphers'] = https_config.get('strong_ssl_ciphers')
     else:
         config_dict['strong_ssl_ciphers'] = False
diff --git a/make/photon/prepare/utils/nginx.py b/make/photon/prepare/utils/nginx.py
index 2872bafbe7c..be8d01b0ccc 100644
--- a/make/photon/prepare/utils/nginx.py
+++ b/make/photon/prepare/utils/nginx.py
@@ -64,6 +64,7 @@ def render_nginx_template(config_dict):
         ssl_cert_key=SSL_CERT_KEY_PATH,
         internal_tls=config_dict['internal_tls'],
         metric=config_dict['metric'],
+        ssl_protocols=config_dict['ssl_protocols'],
         strong_ssl_ciphers=config_dict['strong_ssl_ciphers'],
         ip_family=config_dict['ip_family'])
     location_file_pattern = CUSTOM_NGINX_LOCATION_FILE_PATTERN_HTTPS
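Review bot: `config_dict['ssl_protocols']` is assigned only inside `if https_config:`, while the nginx.py and portal.py hunks read that key unconditionally, so a harbor.yml without an `https` section raises KeyError in prepare_portal (assuming prepare_portal also runs for http-only deployments, which this diff does not show); the `strong_ssl_ciphers` block directly below has the `else` branch this one lacks. When the key is present in config_dict but the option is commented out, `.get()` stores None, which the templates' `is defined` test accepts and renders into the nginx directive. The value is also copied verbatim into nginx's `ssl_protocols` directive with no validation, so a typo is only found when nginx fails to start, and a downgrade to TLSv1/TLSv1.1 is applied silently. Suggest always assigning the key, defaulting to the current `TLSv1.2 TLSv1.3`, and rejecting tokens outside the set the deployment is meant to allow, as below. parse_yaml_config continues outside the hunk.

```python
    # ssl_protocols config: the value is copied verbatim into the nginx
    # ssl_protocols directive, so only known protocol tokens are accepted.
    ssl_protocols = (https_config or {}).get('ssl_protocols') or 'TLSv1.2 TLSv1.3'
    tokens = str(ssl_protocols).split()
    unknown = [t for t in tokens if t not in ('TLSv1.2', 'TLSv1.3')]
    if unknown:
        raise ValueError('unsupported ssl_protocols value(s): {}'.format(' '.join(unknown)))
    config_dict['ssl_protocols'] = ' '.join(tokens)

    # … unchanged: strong_ssl_ciphers handling …
```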
diff --git a/make/photon/prepare/utils/portal.py b/make/photon/prepare/utils/portal.py
index 9211a5df72d..4a1a751c18e 100644
--- a/make/photon/prepare/utils/portal.py
+++ b/make/photon/prepare/utils/portal.py
@@ -17,5 +17,6 @@ def prepare_portal(config_dict):
         ip_family=config_dict['ip_family'],
         uid=DEFAULT_UID,
         gid=DEFAULT_GID,
+        ssl_protocols=config_dict['ssl_protocols'],
         strong_ssl_ciphers=config_dict['strong_ssl_ciphers']
     )