harbor https改造
背景
由于业务需求,需要将本地harbor仓库暴露到互联网供其他地区的harbor仓库做同步,所以必须将harbor改造为https,使得数据传输加密。
方法
- 直接在harbor本身上改造,更改harbor.yml文件,将协议改成https等,证书可自签,可通过购买信任证书
- 在harbor前面部署nginx,在nginx层面加密,然后代理到后端http harbor
步骤
本次采用第二种方式,部署nginx代理harbor
-
harbor本身无需改动,仍然为http,harbor.yml配置如下
harbor配置# Configuration file of Harbor# The IP address or hostname to access admin UI and registry service.# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.hostname: 172.22.85.56# http related confighttp:# port for http, default is 80. If https enabled, this port will redirect to https portport: 80# https related config# https:# # https port for harbor, default is 443# port: 443# # The path of cert and key files for nginx# certificate: /your/certificate/path# private_key: /your/private/key/path# Uncomment external_url if you want to enable external proxy# And when it enabled the hostname will no longer used# external_url: https://reg.mydomain.com:8433# The initial password of Harbor admin# It only works in first time to install harbor# Remember Change the admin password from UI after launching Harbor.harbor_admin_password: Harbor@xfyl.com# Harbor DB configurationdatabase:# The password for the root user of Harbor DB. Change this before any production use.password: root123# The default data volumedata_volume:/var/lib/docker/harbor/data# Harbor Storage settings by default is using /data dir on local filesystem# Uncomment storage_service setting If you want to using external storage# storage_service:# # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore# # of registry's and chart repository's containers. This is usually needed when the user hosts a internal storage with self signed certificate.# ca_bundle:# # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss# # for more info about this configuration please refer https://docs.docker.com/registry/configuration/# filesystem:# maxthreads: 100# # set disable to true when you want to disable registry redirect# redirect:# disabled: false# Clair configurationclair:# The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.updaters_interval: 12# Config http proxy for Clair, e.g. http://my.proxy.com:3128# Clair doesn't need to connect to harbor internal components via http proxy.http_proxy:https_proxy:no_proxy: 127.0.0.1,localhost,core,registryjobservice:# Maximum number of job workers in job servicemax_job_workers: 10chart:# Change the value of absolute_url to enabled can enable absolute url in chartabsolute_url: disabled# Log configurationslog:# options are debug, info, warning, error, fatallevel: info# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.rotate_count: 50# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G# are all valid.rotate_size: 200M# The directory on your host that store loglocation:/var/log/harbor#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!_version: 1.8.0# Uncomment external_database if using external database.# external_database:# harbor:# host: harbor_db_host# port: harbor_db_port# db_name: harbor_db_name# username: harbor_db_username# password: harbor_db_password# ssl_mode: disable# clair:# host: clair_db_host# port: clair_db_port# db_name: clair_db_name# username: clair_db_username# password: clair_db_password# ssl_mode: disable# notary_signer:# host: notary_signer_db_host# port: notary_signer_db_port# db_name: notary_signer_db_name# username: notary_signer_db_username# password: notary_signer_db_password# ssl_mode: disable# notary_server:# host: notary_server_db_host# port: notary_server_db_port# db_name: notary_server_db_name# username: notary_server_db_username# password: notary_server_db_password# ssl_mode: disable# Uncomment external_redis if using external Redis server# external_redis:# host: redis# port: 6379# password:# # db_index 0 is for core, it's unchangeable# registry_db_index: 1# jobservice_db_index: 2# chartmuseum_db_index: 3# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.# uaa:# ca_file: /path/to/ca
- 这块配置(common/config/registry/config.yml)需要改动,改为公网的域名,不然docker login 会报错unauthenticate,因为无法获取内部ip的token,
registry配置
auth: token: issuer: harbor-token-issuer realm: https://hub.iflyhealth.com:8098/service/token rootcertbundle: /etc/registry/root.crt service: harbor-registry |
- 部署nginx,在nginx上配置ssl证书,一定要将红框内注释,不然docker push 会报错:blob upload unkown
nginx配置
server { listen 8098; server_name hub.iflyhealth.com; ssl on; ssl_certificate /root/cert/iflyhealth.crt; ssl_certificate_key /root/cert/iflyhealth.key; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!ADH:!EXPORT56:!RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; gzip on; gzip_static on; gzip_vary on; charset utf-8; #client_max_body_size 5m; location / { proxy_pass http://harbor; #proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme;} location /v2/ { proxy_pass http://harbor/v2/; #proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } |
