{{- if and (eq .Values.exposureType "proxy") .Values.nginx.tls.enabled }} {{- $scheme := ternary "https" "http" .Values.internalTLS.enabled -}} apiVersion: v1 kind: ConfigMap metadata: name: {{ include "harbor.nginx" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} app.kubernetes.io/component: nginx {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} data: nginx.conf: |+ worker_processes auto; pid /opt/bitnami/nginx/tmp/nginx.pid; events { worker_connections 3096; use epoll; multi_accept on; } http { client_body_temp_path "/opt/bitnami/nginx/tmp/client_body" 1 2; proxy_temp_path "/opt/bitnami/nginx/tmp/proxy" 1 2; fastcgi_temp_path "/opt/bitnami/nginx/tmp/fastcgi" 1 2; scgi_temp_path "/opt/bitnami/nginx/tmp/scgi" 1 2; uwsgi_temp_path "/opt/bitnami/nginx/tmp/uwsgi" 1 2; tcp_nodelay on; # this is necessary for us to be able to disable request buffering in all cases proxy_http_version 1.1; upstream core { server {{ printf "%s:%d" (include "harbor.core" .) (ternary .Values.core.service.ports.https .Values.core.service.ports.http .Values.internalTLS.enabled | int) }}; } upstream portal { server {{ printf "%s:%d" (include "harbor.portal" .) (ternary .Values.portal.service.ports.https .Values.portal.service.ports.http .Values.internalTLS.enabled | int) }}; } {{- if .Values.notary.enabled }} upstream notary-server { server {{ printf "%s:%d" (include "harbor.notary-server" .) (.Values.notary.service.ports.server | int) }}; } {{- end }} log_format timed_combined '[$time_local]:$remote_addr - ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" ' '$request_time $upstream_response_time $pipe'; access_log /dev/stdout timed_combined; {{- if .Values.notary.enabled }} server { {{- if .Values.ipFamily.ipv4.enabled }} listen {{ .Values.nginx.containerPorts.notary }} ssl; {{- end }} {{- if .Values.ipFamily.ipv6.enabled }} listen [::]:{{ .Values.nginx.containerPorts.notary }} ssl; {{- end }} server_tokens off; # ssl ssl_certificate /etc/nginx/cert/tls.crt; ssl_certificate_key /etc/nginx/cert/tls.key; # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html ssl_protocols tlsv1.1 tlsv1.2; ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; ssl_prefer_server_ciphers on; ssl_session_cache shared:ssl:10m; # disable any limits to avoid http 413 for large image uploads client_max_body_size 0; # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; location /v2/ { proxy_pass http://notary-server/v2/; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; {{- if not .Values.nginx.behindReverseProxy }} proxy_set_header X-Forwarded-Proto $scheme; {{- end }} proxy_buffering off; proxy_request_buffering off; } } {{- end }} server { {{- if .Values.ipFamily.ipv4.enabled }} listen {{ .Values.nginx.containerPorts.https }} ssl; {{- end }} {{- if .Values.ipFamily.ipv6.enabled }} listen [::]:{{ .Values.nginx.containerPorts.https }} ssl; {{- end }} server_tokens off; # SSL ssl_certificate /etc/nginx/cert/tls.crt; ssl_certificate_key /etc/nginx/cert/tls.key; # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; # disable any limits to avoid HTTP 413 for large image uploads client_max_body_size 0; # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) chunked_transfer_encoding on; # Add extra headers add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; add_header X-Frame-Options DENY; add_header Content-Security-Policy "frame-ancestors 'none'"; location / { proxy_pass {{ $scheme }}://portal/; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; {{- if not .Values.nginx.behindReverseProxy }} proxy_set_header X-Forwarded-Proto $scheme; {{- end }} # Add Secure flag when serving HTTPS proxy_cookie_path / "/; HttpOnly; Secure"; proxy_buffering off; proxy_request_buffering off; } location /devcenter-api-2.0 { try_files $uri $uri/ /swagger-ui-index.html; } location /api/ { proxy_pass {{ $scheme }}://core/api/; {{- if and .Values.internalTLS.enabled }} proxy_ssl_verify off; proxy_ssl_session_reuse on; {{- end }} proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; {{- if not .Values.nginx.behindReverseProxy }} proxy_set_header X-Forwarded-Proto $scheme; {{- end }} proxy_cookie_path / "/; Secure"; proxy_buffering off; proxy_request_buffering off; } location /chartrepo/ { proxy_pass {{ $scheme }}://core/chartrepo/; {{- if and .Values.internalTLS.enabled }} proxy_ssl_verify off; proxy_ssl_session_reuse on; {{- end }} proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; {{- if not .Values.nginx.behindReverseProxy }} proxy_set_header X-Forwarded-Proto $scheme; {{- end }} proxy_cookie_path / "/; Secure"; proxy_buffering off; proxy_request_buffering off; } location /c/ { proxy_pass {{ $scheme }}://core/c/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; {{- if not .Values.nginx.behindReverseProxy }} proxy_set_header X-Forwarded-Proto $scheme; {{- end }} proxy_cookie_path / "/; Secure"; proxy_buffering off; proxy_request_buffering off; } location /v1/ { return 404; } location /v2/ { proxy_pass {{ $scheme }}://core/v2/; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; {{- if not .Values.nginx.behindReverseProxy }} proxy_set_header X-Forwarded-Proto $scheme; {{- end }} proxy_buffering off; proxy_request_buffering off; } location /service/ { proxy_pass {{ $scheme }}://core/service/; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; {{- if not .Values.nginx.behindReverseProxy }} proxy_set_header X-Forwarded-Proto $scheme; {{- end }} proxy_cookie_path / "/; Secure"; proxy_buffering off; proxy_request_buffering off; } location /service/notifications { return 404; } } server { {{- if .Values.ipFamily.ipv4.enabled }} listen 8080; {{- end }} {{- if .Values.ipFamily.ipv6.enabled }} listen [::]:8080; {{- end }} return 301 https://$host$request_uri; } } {{- end }}