harbor icon indicating copy to clipboard operation
harbor copied to clipboard
verified publisher icon goharbor

feat: expose ssl_protocols from nginx configuration in harbor.yml

Open malmor opened this issue 1 year ago • 4 comments

Thank you for contributing to Harbor!

Comprehensive Summary of your change

This PR adds ssl_protocols as a new configuration option to harbor.yml. This allows users to customize the nginx protocols - by default both TLSv1.2 and TLSv1.3 will be allowed, but one can restrict this to TLSv1.3 only.

There is no need to update the ssl_ciphers based on the configured ssl_protocols because nginx automatically disables unsupported ciphers. I tested the following combinations in a local nginx instance:

  • (Default) Neither ssl_protocols nor strong_ssl_ciphers configured - both protocols and all ciphers will be accepted
  • ssl_protocols unset, strong_ssl_ciphers enabled - both protocols will be accepted, with a restricted list of ciphers
  • ssl_protocols set to TLSv1.3, strong_ssl_ciphers disabled - only TLSv1.3 connections will be accepted
  • ssl_protocols set to TLSv1.3, strong_ssl_ciphers enabled - only TLSv1.3 connections will be accepted

Issue being fixed

Fixes #20627

Please indicate you've done the following:

  • [x] Well Written Title and Summary of the PR
  • [ ] Label the PR as needed. "release-note/ignore-for-release, release-note/new-feature, release-note/update, release-note/enhancement, release-note/community, release-note/breaking-change, release-note/docs, release-note/infra, release-note/deprecation"
  • [x] Accepted the DCO. Commits without the DCO will delay acceptance.
  • [ ] Made sure tests are passing and test coverage is added if needed.
  • [x] Considered the docs impact and opened a new docs issue or PR with docs changes if needed in website repository.

malmor avatar Jun 20 '24 06:06 malmor

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 66.22%. Comparing base (b7b8847) to head (2ee5dc6). :warning: Report is 528 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main   #20637      +/-   ##
==========================================
- Coverage   67.56%   66.22%   -1.35%     
==========================================
  Files         991     1045      +54     
  Lines      109181   113476    +4295     
  Branches     2719     2845     +126     
==========================================
+ Hits        73768    75149    +1381     
- Misses      31449    34219    +2770     
- Partials     3964     4108     +144
Flag Coverage Δ
unittests 66.22% <ø> (-1.35%) :arrow_down:

Flags with carried forward coverage won't be shown. Click here to find out more. see 572 files with indirect coverage changes

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • :package: JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

codecov[bot] avatar Jun 20 '24 07:06 codecov[bot]

The pipeline failures seem unrelated to the changes, not sure if I can fix them.

malmor avatar Jun 20 '24 18:06 malmor

Hi @malmor ,

We appreciate your contribution and understood your requirements. However we would like to keep the harbor.yml file as simple as possible for most of the offline-installer users. So we'll hold this PR for a while to see if there's more requirements on this config.

As a workaround, you could change the config file manually then 'docker compose up -d' to meet the purpose.

Best, Miner

MinerYang avatar Jun 24 '24 09:06 MinerYang

Hey @MinerYang, thank you for the response - I understand 👍

malmor avatar Jun 24 '24 10:06 malmor