Configuring Harbor with HTTPS Access
Because Harbor does not ship with any certificates, it uses HTTP by default to serve registry requests. However, it is highly recommended that security be enabled for any production environment. Harbor has an Nginx instance as a reverse proxy for all services, you can use the prepare script to configure Nginx to enable https.
In a test or development environment, you may choose to use a self-signed certificate instead of the one from a trusted third-party CA. The followings will show you how to create your own CA, and use your CA to sign a server certificate and a client certificate.
Getting Certificate Authority
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=yourdomain.com" \
-key ca.key \
-out ca.crt
Getting Server Certificate
Assuming that your registry's hostname is yourdomain.com, and that its DNS record points to the host where you are running Harbor. In production environment, you first should get a certificate from a CA. In a test or development environment, you can use your own CA. The certificate usually contains a .crt file and a .key file, for example, yourdomain.com.crt and yourdomain.com.key.
1) Create your own Private Key:
openssl genrsa -out yourdomain.com.key 4096
2) Generate a Certificate Signing Request:
If you use FQDN like yourdomain.com to connect your registry host, then you must use yourdomain.com as CN (Common Name).
openssl req -sha512 -new \
-subj "/C=TW/ST=Taipei/L=Taipei/O=example/OU=Personal/CN=yourdomain.com" \
-key yourdomain.com.key \
-out yourdomain.com.csr
3) Generate the certificate of your registry host:
Whether you're using FQDN like yourdomain.com or IP to connect your registry host, run this command to generate the certificate of your registry host which comply with Subject Alternative Name (SAN) and x509 v3 extension requirement:
v3.ext
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in yourdomain.com.csr \
-out yourdomain.com.crt
Configuration and Installation
1) Configure Server Certificate and Key for Harbor
After obtaining the yourdomain.com.crt and yourdomain.com.key files, you can put them into directory such as /root/cert/
:
cp yourdomain.com.crt /data/cert/
cp yourdomain.com.key /data/cert/
2) Configure Server Certificate, Key and CA for Docker
The Docker daemon interprets .crt
files as CA certificates and .cert
files as client certificates.
Convert server yourdomain.com.crt
to yourdomain.com.cert
:
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
Delpoy yourdomain.com.cert
, yourdomain.com.key
, and ca.crt
for Docker:
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/
The following illustrates a configuration with custom certificates:
/etc/docker/certs.d/
└── yourdomain.com:port
├── yourdomain.com.cert <-- Server certificate signed by CA
├── yourdomain.com.key <-- Server key signed by CA
└── ca.crt <-- Certificate authority that signed the registry certificate
Notice that you may need to trust the certificate at OS level. Please refer to the Troubleshooting section below.
3) Configure Harbor
Edit the file harbor.cfg
, update the hostname and the protocol, and update the attributes ssl_cert
and ssl_cert_key
:
#set hostname
hostname = yourdomain.com:port
#set ui_url_protocol
ui_url_protocol = https
......
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/yourdomain.com.crt
ssl_cert_key = /data/cert/yourdomain.com.key
Generate configuration files for Harbor:
./prepare
If Harbor is already running, stop and remove the existing instance. Your image data remain in the file system
docker-compose down -v
Finally, restart Harbor:
docker-compose up -d
After setting up HTTPS for Harbor, you can verify it by the following steps:
-
Open a browser and enter the address: https://yourdomain.com. It should display the user interface of Harbor.
-
Notice that some browser may still shows the warning regarding Certificate Authority (CA) unknown for security reason even though we signed certificates by self-signed CA and deploy the CA to the place mentioned above. It is because self-signed CA essentially is not a trusted third-party CA. You can import the CA to the browser on your own to solve the warning.
-
On a machine with Docker daemon, make sure the option "-insecure-registry" for https://yourdomain.com does not present.
-
If you mapped nginx port 443 to another port, then you should instead create the directory
/etc/docker/certs.d/yourdomain.com:port
(or your registry host IP:port). Then run any docker command to verify the setup, e.g.
docker login yourdomain.com
If you've mapped nginx 443 port to another, you need to add the port to login, like below:
docker login yourdomain.com:port
##Troubleshooting
-
You may get an intermediate certificate from a certificate issuer. In this case, you should merge the intermediate certificate with your own certificate to create a certificate bundle. You can achieve this by the below command:
cat intermediate-certificate.pem >> yourdomain.com.crt
-
On some systems where docker daemon runs, you may need to trust the certificate at OS level.
On Ubuntu, this can be done by below commands:cp yourdomain.com.crt /usr/local/share/ca-certificates/yourdomain.com.crt update-ca-certificates
On Red Hat (CentOS etc), the commands are:
cp yourdomain.com.crt /etc/pki/ca-trust/source/anchors/yourdomain.com.crt update-ca-trust
相關文章
- Nginx Configuring HTTPS serversNginxHTTPServer
- Harbor設定https訪問HTTP
- linux-部署harbor的https認證LinuxHTTP
- Harbor 搭建
- Harbor部署
- 解決angular安裝 unable to access 'https:github...' Empty reply from serverAngularHTTPGithubServer
- harbor安裝
- Harbor 學習分享系列2 – Harbor專案介紹
- docker安裝harborDocker
- harbor 搭建及使用
- Ubuntu 22.04 LTS 離線安裝 Harbor v2.11 (附https認證,Trivy映象掃描)UbuntuHTTP
- 搭建Harbor 映象倉庫
- Harbor資料遷移
- Linux Watchdog Daemon - ConfiguringLinux
- Configuring MySQL to use UTF-8MySql
- Configuring JBuilder 8 to work with Struts 1.1UI
- linux搭建harbor與使用Linux
- CentOS部署Harbor映象倉庫CentOS
- Harbor倉庫搭建及使用
- Docker搭建Harbor私有倉庫Docker
- Harbor 企業級 Docker RegistryDocker
- harbor+k8s deployK8S
- ubuntu搭建docker harbor實錄UbuntuDocker
- AnolisOS7.9安裝Harbor
- Configuring the launch of the remote virtual machine to debugREMMac
- unable to access ‘https://gitee.com/XXX/XXX.git/‘: Failed to connect to 127.0.0.1 portHTTPGiteeAI127.0.0.1
- Harbor倉庫映象掃描原理
- 搭建自己的harbor(docker託管)Docker
- Docker私有倉庫之Harbor神器Docker
- k8s-harbor安裝K8S
- harbor安裝實操筆記筆記
- harbor私有映象安裝和使用
- JAVA使用accessJava
- access()函式函式
- Httplistener Access DeniedHTTP
- AP(Access Pointer)
- ORA-07274: spdcr: access error, access to oracle denied.ErrorOracle
- Cannot Access Pls Pages: 'mod_security: Access denied with code 400'