upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor synced 2025-04-06 20:24:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

add a 4443 ssl server to nginx config

Browse Source
This commit is contained in:
Tan Jiang 2017-03-24 13:16:48 +08:00
parent 6b55bf488a
commit 90bc280ea1
6 changed files with 40 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/use_notary.md
View File

@ -10,14 +10,13 @@ It can be done via setting envrironment variables:
``` ```
export DOCKER_CONTENT_TRUST=1 export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://192.168.0.5/notary export DOCKER_CONTENT_TRUST_SERVER=https://192.168.0.5:4443/
``` ```
### Set alias for notary (optional) ### Set alias for notary (optional)
Because by default the local directory for storing meta files for notary client is different from docker client. If you want to use notary client to manipulate the keys/meta files generated by Docker Content Trust, please set the alias to reduce the effort: Because by default the local directory for storing meta files for notary client is different from docker client. If you want to use notary client to manipulate the keys/meta files generated by Docker Content Trust, please set the alias to reduce the effort:
``` ```
alias notary="notary -s https//192.168.0.5 -d ~/.docker/trust --tlscacert / alias notary="notary -s https//192.168.0.5:4443 -d ~/.docker/trust --tlscacert /etc/docker/certs.d/192.168.0.5/ca.crt"
etc/docker/certs.d/192.168.0.5/ca.crt"
``` ```

5
make/common/templates/nginx/nginx.https.conf
View File

@ -20,7 +20,8 @@ http {
upstream ui { upstream ui {
server ui:80; server ui:80;
} }
include /etc/nginx/conf.d/*.server.conf;
server { server {
listen 443 ssl; listen 443 ssl;
@ -42,8 +43,6 @@ http {
# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on; chunked_transfer_encoding on;
include /etc/nginx/conf.d/*.location.conf;
location / { location / {
proxy_pass http://ui/; proxy_pass http://ui/;
proxy_set_header Host $$http_host; proxy_set_header Host $$http_host;

12
make/common/templates/nginx/notary.location.conf
View File

@ -1,12 +0,0 @@
location /notary/v2/ {
proxy_pass http://notary-server/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}

33
make/common/templates/nginx/notary.server.conf Normal file
View File

@ -0,0 +1,33 @@
server {
listen 4443 ssl;
# ssl
ssl_certificate /etc/nginx/cert/server.crt;
ssl_certificate_key /etc/nginx/cert/server.key;
# recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html
ssl_protocols tlsv1.1 tlsv1.2;
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:ssl:10m;
# disable any limits to avoid http 413 for large image uploads
client_max_body_size 0;
# required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
location /v2/ {
proxy_pass http://notary-server/v2/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
}
}

2
make/prepare
View File

@ -350,7 +350,7 @@ if args.notary_mode:
print("Copying nginx configuration file for notary") print("Copying nginx configuration file for notary")
shutil.copy2(os.path.join(templates_dir, "nginx", "notary.upstream.conf"), nginx_conf_d) shutil.copy2(os.path.join(templates_dir, "nginx", "notary.upstream.conf"), nginx_conf_d)
shutil.copy2(os.path.join(templates_dir, "nginx", "notary.location.conf"), nginx_conf_d) shutil.copy2(os.path.join(templates_dir, "nginx", "notary.server.conf"), nginx_conf_d)
default_alias = ''.join(random.choice(string.ascii_letters) for i in range(8)) default_alias = ''.join(random.choice(string.ascii_letters) for i in range(8))
render(os.path.join(notary_temp_dir, "signer_env"), os.path.join(notary_config_dir, "signer_env"), alias = default_alias) render(os.path.join(notary_temp_dir, "signer_env"), os.path.join(notary_config_dir, "signer_env"), alias = default_alias)

4
tests/notarytest.sh
View File

@ -4,7 +4,7 @@ set -e
TIMEOUT=10 TIMEOUT=10
while [ $TIMEOUT -gt 0 ]; do while [ $TIMEOUT -gt 0 ]; do
STATUS=$(curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1/notary/v2/ -kv) STATUS=$(curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:4443/v2/ -kv)
if [ $STATUS -eq 401 ]; then if [ $STATUS -eq 401 ]; then
echo "Notary is running success." echo "Notary is running success."
break break
@ -16,4 +16,4 @@ done
if [ $TIMEOUT -eq 0 ]; then if [ $TIMEOUT -eq 0 ]; then
echo "Notary is running fail." echo "Notary is running fail."
exit 1 exit 1
fi fi