From 4f3393e615c44cb64336c94963897a78b3080a3d Mon Sep 17 00:00:00 2001
From: Stephan Hohn
Date: Mon, 29 May 2023 04:37:57 +0200
Subject: [PATCH] =?UTF-8?q?http2=20enabled=20and=20ciphers=20changed=20to?=
 =?UTF-8?q?=20get=20an=20A+=20rating=20instead=20of=20B=20fr=E2=80=A6=20(#?=
 =?UTF-8?q?16990)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Make strong cipher cfg optional

Signed-off-by: Stephan Hohn

---------

Signed-off-by: Stephan Hohn
Signed-off-by: MinerYang
Co-authored-by: Stephan Hohn
Co-authored-by: Wang Yan
Co-authored-by: MinerYang
---
 make/harbor.yml.tmpl | 2 ++
 make/photon/prepare/templates/portal/nginx.conf.jinja | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/make/harbor.yml.tmpl b/make/harbor.yml.tmpl
index 6ddc1f73d..4ed087eb1 100644
--- a/make/harbor.yml.tmpl
+++ b/make/harbor.yml.tmpl
@@ -23,6 +23,8 @@ https:
 # enabled: true
 # # put your cert and key files on dir
 # dir: /etc/harbor/tls/internal
+# # enable strong ssl ciphers (default: false)
+# strong_ssl_ciphers: false
 # Uncomment external_url if you want to enable external proxy
 # And when it enabled the hostname will no longer used
diff --git a/make/photon/prepare/templates/portal/nginx.conf.jinja b/make/photon/prepare/templates/portal/nginx.conf.jinja
index 7f250a315..89dc14bc8 100644
--- a/make/photon/prepare/templates/portal/nginx.conf.jinja
+++ b/make/photon/prepare/templates/portal/nginx.conf.jinja
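Review bot: The added comment `# # enable strong ssl ciphers (default: false)` does not tell the operator what "strong" excludes or what it costs, which is exactly what they need to decide whether to turn it on. Judging from the portal template in this same patch, enabling it restricts the listener to ECDHE/DHE AES-256 suites and drops every AES-128 and static-RSA suite, so clients that only offer those will fail the handshake. I would expand it to `#   # enable strong ssl ciphers: only ECDHE/DHE AES-256 suites are offered, which older clients may not support (default: false)`. The diffstat shows only the portal nginx template consuming this key; if other internal-TLS listeners keep their own `ssl_ciphers`, the comment should also say the option is limited to the portal.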
@@ -21,9 +21,12 @@ http {
 ssl_certificate /etc/harbor/tls/portal.crt;
 ssl_certificate_key /etc/harbor/tls/portal.key;
- # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 ssl_protocols TLSv1.2 TLSv1.3;
+ {% if internal_tls.strong_ssl_ciphers %}
+ ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
+ {% else %}
 ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
+ {% endif %}
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 {% else %}
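Review bot: The "strong" list on the new `ssl_ciphers` line still admits non-AEAD suites: in OpenSSL cipher-string syntax `ECDHE+RSA+SHA256` and `DHE+RSA+SHA256` select the CBC/HMAC-SHA256 suites (e.g. ECDHE-RSA-AES256-SHA256), which scanners commonly flag as weak, so the list is not the GCM-only set its name suggests. Dropping those two selectors, `ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:!AES128;`, keeps the rating goal while offering only AEAD suites over TLS 1.2. The `DHE+` entries only take effect if `ssl_dhparam` is set somewhere in this file, which the hunk does not show; if it is not, nginx silently never offers them and forward secrecy rests on ECDHE alone, which is acceptable but deserves a comment rather than an entry that looks active. `ssl_ciphers` also does not govern TLS 1.3 suites (OpenSSL negotiates those from its own Ciphersuites list), so a comment above the `{% if %}` such as `# applies to TLS 1.2 only; TLS 1.3 suites are fixed by OpenSSL` would prevent a false assumption. The enclosing `server` block and the outer Jinja `{% if %}` start and end outside the hunk.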