Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http2 enabled and ciphers changed to get an A+ rating instead of B fr… #16990

Merged
2 changes: 2 additions & 0 deletions make/harbor.yml.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ https:
# enabled: true
# # put your cert and key files on dir
# dir: /etc/harbor/tls/internal
# # enable strong ssl ciphers (default: false)
# strong_ssl_ciphers: false

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
Expand Down
5 changes: 4 additions & 1 deletion make/photon/prepare/templates/portal/nginx.conf.jinja
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,12 @@ http {
ssl_certificate /etc/harbor/tls/portal.crt;
ssl_certificate_key /etc/harbor/tls/portal.key;

# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.2 TLSv1.3;
{% if internal_tls.strong_ssl_ciphers %}
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
{% else %}
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
{% endif %}
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
{% else %}
Expand Down