From 07744402d89cab98603b68f122867a09fd298869 Mon Sep 17 00:00:00 2001
From: Tan Jiang <jiangd@vmware.com>
Date: Fri, 14 Oct 2016 17:13:15 +0800
Subject: [PATCH 1/2] prepare support configuring https

---
 .gitignore                                    |  2 +
 Deploy/harbor.cfg                             |  6 ++
 Deploy/prepare                                | 46 ++++++++++--
 Deploy/templates/nginx/nginx.http.conf        | 75 +++++++++++++++++++
 .../nginx/nginx.https.conf                    | 34 ++++-----
 5 files changed, 140 insertions(+), 23 deletions(-)
 create mode 100644 Deploy/templates/nginx/nginx.http.conf
 rename Deploy/{config => templates}/nginx/nginx.https.conf (67%)

diff --git a/.gitignore b/.gitignore
index 07315ad3f..13f454021 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,8 @@ Deploy/config/ui/env
 Deploy/config/ui/app.conf
 Deploy/config/db/env
 Deploy/config/jobservice/env
+Deploy/config/nginx/nginx.conf
+Deploy/config/nginx/cert/*
 Deploy/ui/harbor_ui
 Deploy/jobservice/harbor_jobservice
 ui/ui
diff --git a/Deploy/harbor.cfg b/Deploy/harbor.cfg
index 0726fbe73..df7c05485 100644
--- a/Deploy/harbor.cfg
+++ b/Deploy/harbor.cfg
@@ -84,4 +84,10 @@ crt_organization = organization
 crt_organizationalunit = organizational unit
 crt_commonname = example.com
 crt_email = example@example.com
+
+
+#The path of cert and key files for nginx, they are applied only the protocol is set to https
+ssl_cert = /path/to/server.crt
+ssl_cert_key = /path/to/server.key
+#############
 #####
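Review bot: The comment above `ssl_cert` does not tell the operator that prepare copies both files into its nginx config directory, which matters for the private key. Something like `#Paths of the certificate and private key for nginx. Used only when ui_url_protocol is https; prepare copies both files into its nginx config directory.` would also fix the wording of "applied only the protocol is set to https". The added `#############` line directly above the existing `#####` looks accidental. The same hunk appears in PATCH 2/2.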
diff --git a/Deploy/prepare b/Deploy/prepare
index 35c4d9f03..ab22bf4a0 100755
--- a/Deploy/prepare
+++ b/Deploy/prepare
@@ -8,6 +8,7 @@ import os
 import sys
 import argparse
 import subprocess
+import shutil
 from io import open
 
 if sys.version_info[:3][0] == 2:
@@ -21,6 +22,19 @@ if sys.version_info[:3][0] == 3:
 def validate(conf): 
     if len(conf.get("configuration", "secret_key")) != 16:
         raise Exception("Error: The length of secret key has to be 16 characters!")
+    protocol = rcp.get("configuration", "ui_url_protocol")
+    if protocol == "https":
+        if not rcp.has_option("configuration", "ssl_cert"):
+            raise Exception("Error: The protocol is https but attribute ssl_cert is not set")
+        cert_path = rcp.get("configuration", "ssl_cert")
+        if not os.path.isfile(cert_path):
+            raise Exception("Error: The path for certificate: %s is invalid" % cert_path)
+        if not rcp.has_option("configuration", "ssl_cert_key"):
+            raise Exception("Error: The protocol is https but attribute ssl_cert_key is not set")
+        cert_key_path = rcp.get("configuration", "ssl_cert_key")
+        if not os.path.isfile(cert_key_path):
+            raise Exception("Error: The path for certificate key: %s is invalid" % cert_key_path)
+
 
 parser = argparse.ArgumentParser()
 parser.add_argument('-conf', dest='cfgfile', default = 'harbor.cfg',type=str,help="the path of Harbor configuration file")
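Review bot: The added https checks read the module-level `rcp` instead of the `conf` parameter that the first line of `validate` uses, so the function only works because `rcp` is assigned before `validate(rcp)` is called. Each `rcp.get(...)` and `rcp.has_option(...)` in the new lines should be `conf.get(...)` and `conf.has_option(...)`. `os.path.isfile` also only shows that the paths exist, not that they are readable, so a permission problem on the key would surface later at `shutil.copy2` rather than here. The same lines are repeated in PATCH 2/2.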
@@ -37,7 +51,8 @@ rcp.readfp(conf)
 validate(rcp)
 
 hostname = rcp.get("configuration", "hostname")
-ui_url = rcp.get("configuration", "ui_url_protocol") + "://" + hostname
+protocol = rcp.get("configuration", "ui_url_protocol")
+ui_url = protocol + "://" + hostname
 email_server = rcp.get("configuration", "email_server")
 email_server_port = rcp.get("configuration", "email_server_port")
 email_username = rcp.get("configuration", "email_username")
@@ -65,6 +80,9 @@ ldap_scope = rcp.get("configuration", "ldap_scope")
 db_password = rcp.get("configuration", "db_password")
 self_registration = rcp.get("configuration", "self_registration")
 use_compressed_js = rcp.get("configuration", "use_compressed_js")
+if protocol == "https":
+    cert_path = rcp.get("configuration", "ssl_cert")
+    cert_key_path = rcp.get("configuration", "ssl_cert_key")
 customize_crt = rcp.get("configuration", "customize_crt")
 crt_country = rcp.get("configuration", "crt_country")
 crt_state = rcp.get("configuration", "crt_state")
@@ -108,15 +126,31 @@ ui_conf = os.path.join(config_dir, "ui", "app.conf")
 registry_conf = os.path.join(config_dir, "registry", "config.yml")
 db_conf_env = os.path.join(config_dir, "db", "env")
 job_conf_env = os.path.join(config_dir, "jobservice", "env")
-
-conf_files = [ ui_conf, ui_conf_env, registry_conf, db_conf_env, job_conf_env ]
+nginx_conf = os.path.join(config_dir, "nginx", "nginx.conf")
+cert_dir = os.path.join(config_dir, "nginx", "cert") 
+conf_files = [ ui_conf, ui_conf_env, registry_conf, db_conf_env, job_conf_env, nginx_conf, cert_dir ]
 def rmdir(cf):
     for f in cf:
-        if os.path.exists(f):
-            print("Clearing the configuration file: %s" % f)
-            os.remove(f)
+        if os.path.isdir(f):
+            rmdir(map(lambda x: os.path.join(f,x), os.listdir(f)))
+        elif os.path.exists(f) and os.path.basename(f) != ".gitignore":
+                print("Clearing the configuration file: %s" % f)
+                os.remove(f)
 rmdir(conf_files)
 
+if protocol == "https":
+    target_cert_path = os.path.join(cert_dir, os.path.basename(cert_path))
+    shutil.copy2(cert_path,target_cert_path)
+    target_cert_key_path = os.path.join(cert_dir, os.path.basename(cert_key_path))
+    shutil.copy2(cert_key_path,target_cert_key_path)
+    render(os.path.join(templates_dir, "nginx", "nginx.https.conf"),
+            nginx_conf,
+            ssl_cert = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_path)),
+            ssl_cert_key = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_key_path)))
+else:
+    render(os.path.join(templates_dir, "nginx", "nginx.http.conf"),
+        nginx_conf)
+
 render(os.path.join(templates_dir, "ui", "env"),
         ui_conf_env,
         hostname=hostname,
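Review bot: `rmdir(conf_files)` now empties `cert_dir` before the copy, so if `ssl_cert` or `ssl_cert_key` already points at a file inside `cert_dir`, that file is deleted after `validate` has passed and `shutil.copy2` then fails, leaving the operator without the key. I would skip the configured source files during cleanup, or copy them aside before clearing. `shutil.copy2` also carries the source mode bits over, so a loosely permissioned key stays that way in the config tree; `os.chmod(target_cert_key_path, 0o600)` after the copy would pin it, assuming the nginx container reads the mount as root. `os.path.isdir` in the new `rmdir` follows symlinks, so adding `and not os.path.islink(f)` to that branch keeps the cleanup inside the config tree. The same hunk is repeated in PATCH 2/2.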
diff --git a/Deploy/templates/nginx/nginx.http.conf b/Deploy/templates/nginx/nginx.http.conf
new file mode 100644
index 000000000..5972af5a7
--- /dev/null
+++ b/Deploy/templates/nginx/nginx.http.conf
@@ -0,0 +1,75 @@
+worker_processes auto;
+
+events {
+  worker_connections 1024;
+  use epoll;
+  multi_accept on;
+}
+
+http {
+  tcp_nodelay on;
+
+  # this is necessary for us to be able to disable request buffering in all cases
+  proxy_http_version 1.1;
+
+
+  upstream registry {
+    server registry:5000;
+  }
+
+  upstream ui {
+    server ui:80;
+  }
+
+
+  server {
+    listen 80;
+
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    location / {
+      proxy_pass http://ui/;
+      proxy_set_header Host $$host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+      
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      proxy_set_header X-Forwarded-Proto $$scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /v1/ {
+      return 404;
+    }
+
+    location /v2/ {
+      proxy_pass http://registry/v2/;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+      
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      proxy_set_header X-Forwarded-Proto $$$$scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+
+    }
+
+    location /service/ {
+      proxy_pass http://ui/service/;
+      proxy_set_header Host $$host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+      
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      proxy_set_header X-Forwarded-Proto $$scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+  }
+}
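Review bot: In the `/v2/` location, `proxy_set_header X-Forwarded-Proto $$$$scheme;` has four dollar signs where the other two locations have `$$scheme`. If render() uses string.Template-style escaping, as the `$ssl_cert` placeholder in the https template suggests, this renders as `$$scheme` rather than the nginx variable and should be `proxy_set_header X-Forwarded-Proto $$scheme;`. The copy of this file in PATCH 2/2 already has the two-dollar form. Separately, `/` and `/service/` forward `Host $$host` while `/v2/` and the https template forward `$$http_host`; `$host` drops the port, so the locations should probably agree, and that applies to the 2/2 copy as well.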
diff --git a/Deploy/config/nginx/nginx.https.conf b/Deploy/templates/nginx/nginx.https.conf
similarity index 67%
rename from Deploy/config/nginx/nginx.https.conf
rename to Deploy/templates/nginx/nginx.https.conf
index 239c44c65..4f527ec87 100644
--- a/Deploy/config/nginx/nginx.https.conf
+++ b/Deploy/templates/nginx/nginx.https.conf
@@ -24,11 +24,11 @@ http {
 
   server {
     listen 443 ssl;
-    server_name harbordomain.com;
+#    server_name harbordomain.com;
 
     # SSL
-    ssl_certificate /etc/nginx/cert/harbordomain.crt;
-    ssl_certificate_key /etc/nginx/cert/harbordomain.key;
+    ssl_certificate $ssl_cert;
+    ssl_certificate_key $ssl_cert_key;
   
     # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
     ssl_protocols TLSv1.1 TLSv1.2;
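Review bot: `ssl_certificate $ssl_cert;` and `ssl_certificate_key $ssl_cert_key;` receive a path built from the basename of whatever the operator configured, and it is substituted unquoted, so a file name containing a space or `;` would produce a broken or differently parsed directive. Quoting the placeholders, as in `ssl_certificate "$ssl_cert";`, is a cheap fix. The commented-out `#    server_name harbordomain.com;` is dead text in a template and could simply be removed. The same hunk is repeated in PATCH 2/2.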
@@ -44,12 +44,12 @@ http {
 
     location / {
       proxy_pass http://ui/;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
       
       # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
-      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Proto $$scheme;
 
       proxy_buffering off;
       proxy_request_buffering off;
@@ -61,12 +61,12 @@ http {
 
     location /v2/ {
       proxy_pass http://registry/v2/;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
       
       # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
-      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Proto $$scheme;
 
       proxy_buffering off;
       proxy_request_buffering off;
@@ -75,12 +75,12 @@ http {
 
     location /service/ {
       proxy_pass http://ui/service/;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
       
       # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
-      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Proto $$scheme;
 
       proxy_buffering off;
       proxy_request_buffering off;
@@ -88,7 +88,7 @@ http {
   }
     server {
       listen 80;
-      server_name harbordomain.com;
-      rewrite ^/(.*) https://$server_name:443/$1 permanent;
+      #server_name harbordomain.com;
+      return 301 https://$$host$$request_uri;
   } 
 }
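Review bot: With `server_name` commented out, `return 301 https://$$host$$request_uri;` builds the redirect target from the request's Host header, and this block will answer for any Host value sent to port 80. Since prepare already reads `hostname` from harbor.cfg, I would render it into the template and redirect to that fixed name, e.g. `return 301 https://$hostname$$request_uri;` with `hostname=hostname` passed to the https `render` call. The `http` block closed at the end of this hunk opens outside it. The same hunk is repeated in PATCH 2/2.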

From 86daa51c1e0d281528ade33849421da57b733717 Mon Sep 17 00:00:00 2001
From: Tan Jiang <jiangd@vmware.com>
Date: Fri, 14 Oct 2016 17:13:15 +0800
Subject: [PATCH 2/2] prepare support configuring https

---
 .gitignore                                    |  2 +
 Deploy/harbor.cfg                             |  6 ++
 Deploy/prepare                                | 46 ++++++++++--
 Deploy/templates/nginx/nginx.http.conf        | 75 +++++++++++++++++++
 .../nginx/nginx.https.conf                    | 34 ++++-----
 5 files changed, 140 insertions(+), 23 deletions(-)
 create mode 100644 Deploy/templates/nginx/nginx.http.conf
 rename Deploy/{config => templates}/nginx/nginx.https.conf (67%)

diff --git a/.gitignore b/.gitignore
index 07315ad3f..13f454021 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,8 @@ Deploy/config/ui/env
 Deploy/config/ui/app.conf
 Deploy/config/db/env
 Deploy/config/jobservice/env
+Deploy/config/nginx/nginx.conf
+Deploy/config/nginx/cert/*
 Deploy/ui/harbor_ui
 Deploy/jobservice/harbor_jobservice
 ui/ui
diff --git a/Deploy/harbor.cfg b/Deploy/harbor.cfg
index f9f1e9552..2bb5b2c50 100644
--- a/Deploy/harbor.cfg
+++ b/Deploy/harbor.cfg
@@ -86,4 +86,10 @@ crt_organization = organization
 crt_organizationalunit = organizational unit
 crt_commonname = example.com
 crt_email = example@example.com
+
+
+#The path of cert and key files for nginx, they are applied only the protocol is set to https
+ssl_cert = /path/to/server.crt
+ssl_cert_key = /path/to/server.key
+#############
 #####
diff --git a/Deploy/prepare b/Deploy/prepare
index 35c4d9f03..ab22bf4a0 100755
--- a/Deploy/prepare
+++ b/Deploy/prepare
@@ -8,6 +8,7 @@ import os
 import sys
 import argparse
 import subprocess
+import shutil
 from io import open
 
 if sys.version_info[:3][0] == 2:
@@ -21,6 +22,19 @@ if sys.version_info[:3][0] == 3:
 def validate(conf): 
     if len(conf.get("configuration", "secret_key")) != 16:
         raise Exception("Error: The length of secret key has to be 16 characters!")
+    protocol = rcp.get("configuration", "ui_url_protocol")
+    if protocol == "https":
+        if not rcp.has_option("configuration", "ssl_cert"):
+            raise Exception("Error: The protocol is https but attribute ssl_cert is not set")
+        cert_path = rcp.get("configuration", "ssl_cert")
+        if not os.path.isfile(cert_path):
+            raise Exception("Error: The path for certificate: %s is invalid" % cert_path)
+        if not rcp.has_option("configuration", "ssl_cert_key"):
+            raise Exception("Error: The protocol is https but attribute ssl_cert_key is not set")
+        cert_key_path = rcp.get("configuration", "ssl_cert_key")
+        if not os.path.isfile(cert_key_path):
+            raise Exception("Error: The path for certificate key: %s is invalid" % cert_key_path)
+
 
 parser = argparse.ArgumentParser()
 parser.add_argument('-conf', dest='cfgfile', default = 'harbor.cfg',type=str,help="the path of Harbor configuration file")
@@ -37,7 +51,8 @@ rcp.readfp(conf)
 validate(rcp)
 
 hostname = rcp.get("configuration", "hostname")
-ui_url = rcp.get("configuration", "ui_url_protocol") + "://" + hostname
+protocol = rcp.get("configuration", "ui_url_protocol")
+ui_url = protocol + "://" + hostname
 email_server = rcp.get("configuration", "email_server")
 email_server_port = rcp.get("configuration", "email_server_port")
 email_username = rcp.get("configuration", "email_username")
@@ -65,6 +80,9 @@ ldap_scope = rcp.get("configuration", "ldap_scope")
 db_password = rcp.get("configuration", "db_password")
 self_registration = rcp.get("configuration", "self_registration")
 use_compressed_js = rcp.get("configuration", "use_compressed_js")
+if protocol == "https":
+    cert_path = rcp.get("configuration", "ssl_cert")
+    cert_key_path = rcp.get("configuration", "ssl_cert_key")
 customize_crt = rcp.get("configuration", "customize_crt")
 crt_country = rcp.get("configuration", "crt_country")
 crt_state = rcp.get("configuration", "crt_state")
@@ -108,15 +126,31 @@ ui_conf = os.path.join(config_dir, "ui", "app.conf")
 registry_conf = os.path.join(config_dir, "registry", "config.yml")
 db_conf_env = os.path.join(config_dir, "db", "env")
 job_conf_env = os.path.join(config_dir, "jobservice", "env")
-
-conf_files = [ ui_conf, ui_conf_env, registry_conf, db_conf_env, job_conf_env ]
+nginx_conf = os.path.join(config_dir, "nginx", "nginx.conf")
+cert_dir = os.path.join(config_dir, "nginx", "cert") 
+conf_files = [ ui_conf, ui_conf_env, registry_conf, db_conf_env, job_conf_env, nginx_conf, cert_dir ]
 def rmdir(cf):
     for f in cf:
-        if os.path.exists(f):
-            print("Clearing the configuration file: %s" % f)
-            os.remove(f)
+        if os.path.isdir(f):
+            rmdir(map(lambda x: os.path.join(f,x), os.listdir(f)))
+        elif os.path.exists(f) and os.path.basename(f) != ".gitignore":
+                print("Clearing the configuration file: %s" % f)
+                os.remove(f)
 rmdir(conf_files)
 
+if protocol == "https":
+    target_cert_path = os.path.join(cert_dir, os.path.basename(cert_path))
+    shutil.copy2(cert_path,target_cert_path)
+    target_cert_key_path = os.path.join(cert_dir, os.path.basename(cert_key_path))
+    shutil.copy2(cert_key_path,target_cert_key_path)
+    render(os.path.join(templates_dir, "nginx", "nginx.https.conf"),
+            nginx_conf,
+            ssl_cert = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_path)),
+            ssl_cert_key = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_key_path)))
+else:
+    render(os.path.join(templates_dir, "nginx", "nginx.http.conf"),
+        nginx_conf)
+
 render(os.path.join(templates_dir, "ui", "env"),
         ui_conf_env,
         hostname=hostname,
diff --git a/Deploy/templates/nginx/nginx.http.conf b/Deploy/templates/nginx/nginx.http.conf
new file mode 100644
index 000000000..4eec656c3
--- /dev/null
+++ b/Deploy/templates/nginx/nginx.http.conf
@@ -0,0 +1,75 @@
+worker_processes auto;
+
+events {
+  worker_connections 1024;
+  use epoll;
+  multi_accept on;
+}
+
+http {
+  tcp_nodelay on;
+
+  # this is necessary for us to be able to disable request buffering in all cases
+  proxy_http_version 1.1;
+
+
+  upstream registry {
+    server registry:5000;
+  }
+
+  upstream ui {
+    server ui:80;
+  }
+
+
+  server {
+    listen 80;
+
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    location / {
+      proxy_pass http://ui/;
+      proxy_set_header Host $$host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+      
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      proxy_set_header X-Forwarded-Proto $$scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+
+    location /v1/ {
+      return 404;
+    }
+
+    location /v2/ {
+      proxy_pass http://registry/v2/;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+      
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      proxy_set_header X-Forwarded-Proto $$scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+
+    }
+
+    location /service/ {
+      proxy_pass http://ui/service/;
+      proxy_set_header Host $$host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+      
+      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
+      proxy_set_header X-Forwarded-Proto $$scheme;
+      
+      proxy_buffering off;
+      proxy_request_buffering off;
+    }
+  }
+}
diff --git a/Deploy/config/nginx/nginx.https.conf b/Deploy/templates/nginx/nginx.https.conf
similarity index 67%
rename from Deploy/config/nginx/nginx.https.conf
rename to Deploy/templates/nginx/nginx.https.conf
index 239c44c65..4f527ec87 100644
--- a/Deploy/config/nginx/nginx.https.conf
+++ b/Deploy/templates/nginx/nginx.https.conf
@@ -24,11 +24,11 @@ http {
 
   server {
     listen 443 ssl;
-    server_name harbordomain.com;
+#    server_name harbordomain.com;
 
     # SSL
-    ssl_certificate /etc/nginx/cert/harbordomain.crt;
-    ssl_certificate_key /etc/nginx/cert/harbordomain.key;
+    ssl_certificate $ssl_cert;
+    ssl_certificate_key $ssl_cert_key;
   
     # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
     ssl_protocols TLSv1.1 TLSv1.2;
@@ -44,12 +44,12 @@ http {
 
     location / {
       proxy_pass http://ui/;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
       
       # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
-      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Proto $$scheme;
 
       proxy_buffering off;
       proxy_request_buffering off;
@@ -61,12 +61,12 @@ http {
 
     location /v2/ {
       proxy_pass http://registry/v2/;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
       
       # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
-      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Proto $$scheme;
 
       proxy_buffering off;
       proxy_request_buffering off;
@@ -75,12 +75,12 @@ http {
 
     location /service/ {
       proxy_pass http://ui/service/;
-      proxy_set_header Host $http_host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $$http_host;
+      proxy_set_header X-Real-IP $$remote_addr;
+      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
       
       # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
-      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Proto $$scheme;
 
       proxy_buffering off;
       proxy_request_buffering off;
@@ -88,7 +88,7 @@ http {
   }
     server {
       listen 80;
-      server_name harbordomain.com;
-      rewrite ^/(.*) https://$server_name:443/$1 permanent;
+      #server_name harbordomain.com;
+      return 301 https://$$host$$request_uri;
   } 
 }