配置harbor支持域名以https方式对外提供服务
配置harbor支持域名以https方式对外提供服务
harbor服务器
外网ip: 1.1.1.2
内网IP: 192.168.254.168
1.修改docker-compose.yml文件
主要是修改 nginx 对外暴露端口为443
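# services.proxy from docker-compose.yml (shown here as a fragment; in the
# real file it sits indented under `services:`). The edit the post makes is
# the published port: nginx terminates TLS on 443.
proxy:
  image: goharbor/nginx-photon:v1.8.1
  container_name: nginx
  restart: always
  cap_drop:
    - ALL
  cap_add:
    - CHOWN
    - SETGID
    - SETUID
    # needed because nginx binds port 443 inside the container
    - NET_BIND_SERVICE
  volumes:
    # ./common/config/nginx/cert on the host becomes /etc/nginx/cert in the container
    - ./common/config/nginx:/etc/nginx:z
  networks:
    - harbor
  dns_search: .
  # Published on all host interfaces; quoted so the host:container pair is
  # always read as a string and never re-typed by the YAML parser.
  ports:
    - "443:443"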
# cat /usr/local/harbor/docker-compose.yml
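# Harbor 1.8.1 docker-compose.yml. Per the post, the only edit relative to the
# installer output is the proxy's published port (443). Port mappings are
# quoted so the "host:container" strings can never be re-typed by YAML.
version: '2.3'
services:
  log:
    image: goharbor/harbor-log:v1.8.1
    container_name: harbor-log
    restart: always
    dns_search: .
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    volumes:
      - /data/harbor/log/:/var/log/docker/:z
      - ./common/config/log/:/etc/logrotate.d/:z
    # syslog collector is bound to loopback only; every other service ships
    # its logs to tcp://127.0.0.1:1514 (see the `logging:` stanzas below)
    ports:
      - "127.0.0.1:1514:10514"
    networks:
      - harbor
  registry:
    image: goharbor/registry-photon:v2.7.1-patch-2819-v1.8.1
    container_name: registry
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/harbor/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
      # token-signing CA used to verify bearer tokens issued by core
      - type: bind
        source: /data/harbor/secret/registry/root.crt
        target: /etc/registry/root.crt
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registry"
  registryctl:
    image: goharbor/harbor-registryctl:v1.8.1
    container_name: registryctl
    env_file:
      - ./common/config/registryctl/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/harbor/registry:/storage:z
      - ./common/config/registry/:/etc/registry/:z
      - type: bind
        source: ./common/config/registryctl/config.yml
        target: /etc/registryctl/config.yml
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "registryctl"
  postgresql:
    image: goharbor/harbor-db:v1.8.1
    container_name: harbor-db
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_OVERRIDE
      - SETGID
      - SETUID
    volumes:
      - /data/harbor/database:/var/lib/postgresql/data:z
    # mapping form of the network list: attach to "harbor" with no per-service options
    networks:
      harbor:
    dns_search: .
    env_file:
      - ./common/config/db/env
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "postgresql"
  core:
    image: goharbor/harbor-core:v1.8.1
    container_name: harbor-core
    env_file:
      - ./common/config/core/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
    volumes:
      - /data/harbor/ca_download/:/etc/core/ca/:z
      - /data/harbor/psc/:/etc/core/token/:z
      - /data/harbor/:/data/:z
      - ./common/config/core/certificates/:/etc/core/certificates/:z
      - type: bind
        source: ./common/config/core/app.conf
        target: /etc/core/app.conf
      # key material for core is bind-mounted from /data/harbor/secret
      - type: bind
        source: /data/harbor/secret/core/private_key.pem
        target: /etc/core/private_key.pem
      - type: bind
        source: /data/harbor/secret/keys/secretkey
        target: /etc/core/key
    networks:
      harbor:
    dns_search: .
    depends_on:
      - log
      - registry
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "core"
  portal:
    image: goharbor/harbor-portal:v1.8.1
    container_name: harbor-portal
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
    networks:
      - harbor
    dns_search: .
    depends_on:
      - log
      - core
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "portal"
  jobservice:
    image: goharbor/harbor-jobservice:v1.8.1
    container_name: harbor-jobservice
    env_file:
      - ./common/config/jobservice/env
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/harbor/job_logs:/var/log/jobs:z
      - type: bind
        source: ./common/config/jobservice/config.yml
        target: /etc/jobservice/config.yml
    networks:
      - harbor
    dns_search: .
    depends_on:
      - redis
      - core
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "jobservice"
  redis:
    image: goharbor/redis-photon:v1.8.1
    container_name: redis
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - /data/harbor/redis:/var/lib/redis
    networks:
      harbor:
    dns_search: .
    depends_on:
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "redis"
  proxy:
    image: goharbor/nginx-photon:v1.8.1
    container_name: nginx
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      # needed because nginx binds port 443 inside the container
      - NET_BIND_SERVICE
    volumes:
      # ./common/config/nginx/cert on the host becomes /etc/nginx/cert in the container
      - ./common/config/nginx:/etc/nginx:z
    networks:
      - harbor
    dns_search: .
    # the only port published on non-loopback host interfaces: TLS on 443
    ports:
      - "443:443"
    depends_on:
      - postgresql
      - registry
      - core
      - portal
      - log
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "proxy"
networks:
  harbor:
    external: false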
2.修改nginx的配置
# 通过 docker inspect nginx,可以看到修改下面文件即可
/usr/local/harbor-v1.8.1/common/config/nginx/nginx.conf
# 主要是修改如下部分,添加server_name 和 ssl的配置
# 证书放在 /usr/local/harbor/common/config/nginx/cert 目录下即可
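# Excerpt of the `server { ... }` block in nginx.conf: the post's edit adds
# server_name and the ssl_* directives. Port 80 stays disabled, so there is
# no plain-HTTP listener at all (and no redirect).
#listen 80;
listen 443 ssl;
server_name harbor.chinasoft.com;
server_tokens off;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# /etc/nginx/cert is ./common/config/nginx/cert on the host (see the proxy volume mount)
ssl_certificate /etc/nginx/cert/chinasoft_com.crt;
ssl_certificate_key /etc/nginx/cert/chinasoft_com.key;
ssl_dhparam /etc/nginx/cert/dh_2048.pem;
ssl_session_timeout 15m;
# TLS 1.1 dropped: it is deprecated (RFC 8996); only TLS 1.2 is offered
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# 3DES suites (DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA) were enabled in the
# shipped list; they are now excluded like the other legacy ciphers
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";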
# nginx的详细配置
# cat /usr/local/harbor/common/config/nginx/nginx.conf
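# Harbor 1.8.1 nginx.conf (./common/config/nginx/nginx.conf, mounted at
# /etc/nginx in the proxy container). nginx is the single TLS entry point;
# everything behind it (portal, core) is reached over plain HTTP on the
# internal "harbor" network.
worker_processes auto;

events {
  worker_connections 1024;
  use epoll;
  multi_accept on;
}

http {
  tcp_nodelay on;

  # this is necessary for us to be able to disable request buffering in all cases
  proxy_http_version 1.1;

  upstream core {
    server core:8080;
  }

  upstream portal {
    server portal:80;
  }

  log_format timed_combined '$remote_addr - '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '$request_time $upstream_response_time $pipe';

  access_log /dev/stdout timed_combined;

  server {
    # port 80 stays disabled: no plain-HTTP listener and no redirect
    #listen 80;
    listen 443 ssl;
    server_name harbor.chinasoft.com;
    server_tokens off;
    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;

    # /etc/nginx/cert is ./common/config/nginx/cert on the host
    ssl_certificate /etc/nginx/cert/chinasoft_com.crt;
    ssl_certificate_key /etc/nginx/cert/chinasoft_com.key;
    ssl_dhparam /etc/nginx/cert/dh_2048.pem;
    ssl_session_timeout 15m;
    # TLS 1.1 dropped: it is deprecated (RFC 8996); only TLS 1.2 is offered
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # 3DES suites (DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA) were enabled in the
    # shipped list; they are now excluded like the other legacy ciphers
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";

    # costumized location config file can place to /etc/nginx/etc with prefix harbor.http. and suffix .conf
    include /etc/nginx/conf.d/harbor.http.*.conf;

    # UI is served by the portal container
    location / {
      proxy_pass http://portal/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    # everything below goes to core (auth, API, chart repo, registry proxy)
    location /c/ {
      proxy_pass http://core/c/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /api/ {
      proxy_pass http://core/api/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /chartrepo/ {
      proxy_pass http://core/chartrepo/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    # legacy registry API is not served
    location /v1/ {
      return 404;
    }

    # Host is $http_host (not $host) here so the port is preserved for the registry
    location /v2/ {
      proxy_pass http://core/v2/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /service/ {
      proxy_pass http://core/service/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    # registry -> core notification hook is internal only; never reachable from outside
    location /service/notifications {
      return 404;
    }
  }
}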
3.还需要修改关于registry的配置,否则会报错
如果只是启用http,就没必要修改该部分配置了
主要是修改这里的配置,默认走http 80端口,需要改成 https
realm: https://harbor.chinasoft.com/service/token
# 如果不修改 registry 配置,报错如下:
# docker login harbor.chinasoft.com Username: admin Password: Error response from daemon: Get https://harbor.chinasoft.com/v2/: Get http://harbor.chinasoft.com/service/token?account=admin&client_id=docker&offline_token=true&service=harbor-registry: dial tcp 1.1.1.2:80: connect: connection refused
# cat /usr/local/harbor-v1.8.1/common/config/registry/config.yml
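# Registry config (./common/config/registry/config.yml). The post's edit is
# auth.token.realm: it must point at the https URL, otherwise `docker login`
# is redirected to http://...:80, which nothing listens on.
# Ambiguous scalars are quoted so they are always read as strings.
version: "0.1"
log:
  level: info
  fields:
    service: registry
storage:
  cache:
    layerinfo: redis
  filesystem:
    rootdirectory: /storage
  maintenance:
    uploadpurging:
      enabled: false
  delete:
    enabled: true
redis:
  addr: redis:6379
  # no password configured; redis is only reachable on the internal compose network
  password: ""
  db: 1
http:
  addr: ":5000"
  # NOTE(review): "placeholder" is the literal written by the installer; the registry
  # uses http.secret to protect upload state, so confirm it is overridden elsewhere
  # (environment) before treating this as final.
  secret: placeholder
  debug:
    # debug endpoint bound to the container's loopback only
    addr: localhost:5001
auth:
  token:
    issuer: harbor-token-issuer
    # must match the scheme clients use to reach nginx (https on 443)
    realm: https://harbor.chinasoft.com/service/token
    rootcertbundle: /etc/registry/root.crt
    service: harbor-registry
validation:
  disabled: true
notifications:
  endpoints:
    - name: harbor
      disabled: false
      # internal hook to core; nginx returns 404 for this path externally
      url: http://core:8080/service/notifications
      timeout: 3000ms
      threshold: 5
      backoff: 1s
compatibility:
  schema1:
    enabled: true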
改完后需要让配置生效:docker-compose -f docker-compose.yml up -d
4.进行docker镜像打包和推送验证
外网绑定hosts:
1.1.1.2 harbor.chinasoft.com
内网绑定hosts:
192.168.254.168 harbor.chinasoft.com
[/data/dockerfile/imooc_marathon]# more app.py
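# _*_ coding:utf-8 _*_
# __author__ == 'jack'
# __date__ == '2021-06-11'
from flask import Flask
import os

app = Flask(__name__)


@app.route('/')
def hello():
    """Return the fixed greeting that identifies this image version."""
    return "hello world ! hello imooc v1.6, harbor"


def _debug_enabled():
    """Return True only when FLASK_DEBUG is set to 1/true/yes.

    The original hard-coded debug=True; combined with host="0.0.0.0" that
    also exposes the Werkzeug interactive debugger on the container port,
    so debug mode is now opt-in for local runs and off in the pushed image.
    """
    value = os.environ.get("FLASK_DEBUG", "").strip().lower()
    return value in ("1", "true", "yes")


if __name__ == "__main__":
    # bind on all interfaces so the container port is reachable from the host
    app.run(host="0.0.0.0", debug=_debug_enabled())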
[/data/dockerfile/imooc_marathon]# more requirements.txt
flask
requests
[/data/dockerfile/imooc_marathon]# more Dockerfile
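# NOTE(review): python:2.7 is an end-of-life base image; kept only because
# app.py still targets Python 2. Move to a supported tag when the app allows.
FROM python:2.7

WORKDIR /code

# Install dependencies before copying the rest of the tree so the pip layer
# is cached until requirements.txt changes.
COPY requirements.txt /code/
RUN pip install --no-cache-dir -r requirements.txt

# COPY instead of ADD: ADD also fetches URLs and unpacks archives, which is
# not wanted for a plain source tree.
COPY . /code

CMD ["python", "app.py"]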
# 打包及推送测试
# Build the test image and push it to the "public" project over HTTPS (443).
image=harbor.chinasoft.com/public/imooc_marathon:v1.8
docker build -t "$image" .
docker push "$image"
同理,如果修改对外的端口为 http 的其他端口,比如 1800,也需要修改 nginx、registry、docker-compose.yml 的配置
registry: realm: http://harbor.chinasoft.com:1800/service/token
nginx: listen 1800;
#listen 443 ssl;
server_name harbor.chinasoft.com;
docker-compose.yml
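# Plain-HTTP variant: host port 1800 maps to the nginx `listen 1800;` listener,
# so traffic on it is not TLS-protected. Docker clients typically have to list
# harbor.chinasoft.com:1800 under insecure-registries to use it.
ports:
  #- 443:443
  - "1800:1800"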
重启 nginx、registry 让配置生效
# Restart the proxy and both registry containers so the edited configs are reloaded.
for container in nginx registry registryctl; do
  docker restart "$container"
done
# Drop the session for the 443 endpoint, then log in to the 1800 endpoint
# (docker stores credentials per host:port, so the port is part of the name).
docker logout harbor.chinasoft.com
docker login harbor.chinasoft.com:1800

# Rebuild and push using the port-qualified registry name.
image=harbor.chinasoft.com:1800/public/imooc_marathon:v1.68
docker build -t "$image" .
docker push "$image"