http2 enabled and ciphers changed to get an A+ rating instead of B fr… (

#16990) * Make strong cipher cfg optional Signed-off-by: Stephan Hohn <stephan.hohn@tech11.com> --------- Signed-off-by: Stephan Hohn <stephan.hohn@tech11.com> Signed-off-by: MinerYang <yminer@vmware.com> Co-authored-by: Stephan Hohn <stephan.hohn@tech11.com> Co-authored-by: Wang Yan <wangyan@vmware.com> Co-authored-by: MinerYang <yminer@vmware.com>
goharbor · May 29, 2023 · 4f3393e · 4f3393e
1 parent 11d6bb4
commit 4f3393e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/make/harbor.yml.tmpl b/make/harbor.yml.tmpl
@@ -23,6 +23,8 @@ https:
 #   enabled: true
 #   # put your cert and key files on dir
 #   dir: /etc/harbor/tls/internal
+#   # enable strong ssl ciphers (default: false)
+#   strong_ssl_ciphers: false
 
 # Uncomment external_url if you want to enable external proxy
 # And when it enabled the hostname will no longer used

diff --git a/make/photon/prepare/templates/portal/nginx.conf.jinja b/make/photon/prepare/templates/portal/nginx.conf.jinja
@@ -21,9 +21,12 @@ http {
         ssl_certificate /etc/harbor/tls/portal.crt;
         ssl_certificate_key /etc/harbor/tls/portal.key;
 
-        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
         ssl_protocols TLSv1.2 TLSv1.3;
+    {% if internal_tls.strong_ssl_ciphers %}
+        ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128;
+    {% else %}
         ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
+    {% endif %}
         ssl_prefer_server_ciphers on;
         ssl_session_cache shared:SSL:10m;
 {% else %}