feat: expose ssl_protocols from nginx configuration in harbor.yml #20637
Thank you for contributing to Harbor!
Comprehensive Summary of your change
This PR adds `ssl_protocols` as a new configuration option to `harbor.yml`. This allows users to customize the nginx protocols - by default both TLSv1.2 and TLSv1.3 will be allowed, but one can restrict this to TLSv1.3 only.

There is no need to update the `ssl_ciphers` based on the configured `ssl_protocols` because nginx automatically disables unsupported ciphers. I tested the following combinations in a local nginx instance:

- neither `ssl_protocols` nor `strong_ssl_ciphers` configured - both protocols and all ciphers will be accepted
- `ssl_protocols` unset, `strong_ssl_ciphers` enabled - both protocols will be accepted, with a restricted list of ciphers
- `ssl_protocols` set to TLSv1.3, `strong_ssl_ciphers` disabled - only TLSv1.3 connections will be accepted
- `ssl_protocols` set to TLSv1.3, `strong_ssl_ciphers` enabled - only TLSv1.3 connections will be accepted

Issue being fixed
Fixes #20627
Please indicate you've done the following:
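
Separately from the PR description above, an added example (not part of the pull request or of Harbor's code): a small audit that reads a rendered nginx configuration and reports any active `ssl_protocols` directive that enables a protocol outside an allowed set. The sample configuration is constructed, the function names are hypothetical, and the default allowed set is an assumption that mirrors the TLSv1.2 and TLSv1.3 default the description states.

```python
import re

# Protocol tokens accepted by nginx's ssl_protocols directive.
KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# \b keeps proxy_ssl_protocols and similar directives from matching.
DIRECTIVE = re.compile(r"\bssl_protocols\s+([^;]+);")

# Constructed sample: one commented-out directive, two server blocks.
SAMPLE = """\
http {
  # ssl_protocols TLSv1 TLSv1.1;
  server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
  }
  server {
    listen 9443 ssl;
    ssl_protocols TLSv1.1 TLSv1.3;
  }
}
"""

def strip_comments(conf):
    """Drop '#' comments so commented-out directives are not counted."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def find_ssl_protocols(conf):
    """Return [(line_number, {protocols})] for each active directive."""
    clean = strip_comments(conf)
    found = []
    for m in DIRECTIVE.finditer(clean):
        line_no = clean.count("\n", 0, m.start()) + 1
        found.append((line_no, set(m.group(1).split())))
    return found

def audit(conf, allowed=frozenset({"TLSv1.2", "TLSv1.3"})):
    """List findings; an empty list means every directive stays in `allowed`."""
    directives = find_ssl_protocols(conf)
    if not directives:
        return ["no ssl_protocols directive: nginx built-in default applies"]
    findings = []
    for line_no, protos in directives:
        for p in sorted(protos - KNOWN):
            findings.append(f"line {line_no}: unknown protocol token {p!r}")
        for p in sorted((protos & KNOWN) - allowed):
            findings.append(f"line {line_no}: {p} enabled but not allowed")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "ok")
```

Passing `allowed={"TLSv1.3"}` checks the TLSv1.3-only setup from the tested combinations.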