Expose ssl_protocols in harbor.yml to allow users to run harbor with only TLSv1.3 enabled #20627

Open
malmor opened this issue Jun 19, 2024 · 0 comments · May be fixed by #20637
Labels
kind/requirement New feature or idea on top of harbor

malmor commented Jun 19, 2024

Is your feature request related to a problem? Please describe.
We would like to run harbor with only TLSv1.3 enabled for inbound traffic to increase security in our infrastructure.

Describe the solution you'd like
By default harbor allows TLSv1.2 and TLSv1.3 for inbound traffic in its nginx configuration:

# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.2 TLSv1.3;
{% if strong_ssl_ciphers %}
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
{% else %}
ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
{% endif %}
ssl_prefer_server_ciphers on;

One can restrict the used ciphers by setting https.strong_ssl_ciphers but not the protocols.

Describe the main design/architecture of your solution
A new configuration option in the harbor.yml.tmpl would be needed allowing users to decide which protocols to enable - defaulting to the current versions (TLSv1.2 and TLSv1.3). This flag would probably need to work together with strong_ssl_ciphers because the ciphers cannot be used in combination with TLSv1.3 (this is an assumption, needs to be confirmed).

Describe the development plan you've considered
I can create a pull request that adds this configuration option.

@MinerYang MinerYang added the kind/requirement New feature or idea on top of harbor label Jun 24, 2024
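An added example, not part of the issue or of Harbor's code: a small check that can run against a rendered nginx configuration to confirm that every `ssl_protocols` directive enables nothing below a chosen minimum. The function name, the `minimum` parameter and the sample configuration text are assumptions made for illustration.

```python
import re

# Protocol names accepted by nginx's ssl_protocols directive, oldest first.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def audit_ssl_protocols(conf_text, minimum="TLSv1.3"):
    """Return one finding per ssl_protocols directive in a rendered nginx.conf.

    Each finding is (line_number, enabled_protocols, protocols_below_minimum).
    An empty result means no directive was found, so nginx's built-in default
    applies and the file itself does not pin the protocol set.
    """
    floor = ORDER.index(minimum)
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments
        m = re.match(r"\s*ssl_protocols\s+([^;]+);", line)
        if not m:
            continue
        enabled = m.group(1).split()
        unknown = [p for p in enabled if p not in ORDER]
        if unknown:
            raise ValueError(f"line {lineno}: unknown protocol {unknown}")
        weak = [p for p in enabled if ORDER.index(p) < floor]
        findings.append((lineno, enabled, weak))
    return findings


# Constructed sample: the directive as quoted in the issue, and a
# TLSv1.3-only variant of the same text.
CURRENT = """\
# rendered nginx.conf fragment (constructed sample)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
"""
TLS13_ONLY = CURRENT.replace("TLSv1.2 TLSv1.3", "TLSv1.3")

if __name__ == "__main__":
    for name, conf in (("current", CURRENT), ("tls1.3-only", TLS13_ONLY)):
        for lineno, enabled, weak in audit_ssl_protocols(conf):
            status = "FAIL" if weak else "ok"
            print(f"{name}: line {lineno}: {enabled} -> {status} {weak}")
```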
2 participants