Generate a CA certificate (a trusted CA certificate can also be obtained from Taobao Gworg).
Modify the harbor.cfg file and create the registry service.
Configure clients to trust the CA certificate.
There is no need to modify the Nginx certificate described in the original Harbor documentation. When you run prepare, the Nginx configuration file is generated automatically; just check that it is correct.
Here is a quick guide to configuring the HTTPS port. Please refer to:
1. Generate the CA certificate
Suppose the IP address of the registry server is 192.168.1.8. This article mainly covers generating a certificate for an IP address.
1.1. Create the CA certificate that will issue the server certificate.
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
1.2. Create the certificate signing request (CSR) for the server certificate.
openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.1.8.key -out 192.168.1.8.csr
1.3. Create the CA working directory.
demoCA is the directory OpenSSL's ca command depends on for certificate storage; create it in the same directory as the ca.crt above.
mkdir demoCA
cd demoCA
touch index.txt
echo '01' > serial
cd ..
Complete directory structure:
.
..
ca.crt
ca.key
demoCA
...
1.4. Generate the server certificate signed by the CA.
echo subjectAltName = IP:192.168.1.8 > extfile.cnf
openssl ca -in 192.168.1.8.csr -out 192.168.1.8.crt -cert ca.crt -keyfile ca.key \
  -extfile extfile.cnf -outdir .
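The whole of step 1 as one script, with the check a Docker client will perform (chain to ca.crt plus an IP subjectAltName). This is an added example, not part of the original article; it assumes the openssl CLI is installed, and signs with openssl x509 -req instead of the article's openssl ca/demoCA setup so no index.txt or serial file is needed.

```shell
#!/bin/sh
# Added example (not from the original article): build a private CA, issue a
# registry certificate carrying an IP subjectAltName, and verify the result
# the way a Docker client does. Assumes the openssl CLI is available.
# Simplification: signs with `openssl x509 -req -CA ...` rather than the
# article's `openssl ca` + demoCA directory.
set -eu

# make_registry_cert <workdir> <registry-ip>
# Creates ca.key/ca.crt and <ip>.key/<ip>.csr/<ip>.crt under <workdir>.
make_registry_cert() {
  dir=$1; ip=$2
  mkdir -p "$dir"
  # 1.1 self-signed CA (RSA-4096, 365 days, as in the article)
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$dir/ca.key" \
    -x509 -days 365 -subj "/CN=Harbor Demo CA" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"   # the CA key is the root of trust; keep it private
  # 1.2 server key and CSR; the CN alone is not enough for Docker clients
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$dir/$ip.key" \
    -subj "/CN=$ip" -out "$dir/$ip.csr" 2>/dev/null
  # 1.4 sign with the IP SAN: Go's TLS stack matches the SAN, not the CN
  echo "subjectAltName = IP:$ip" > "$dir/extfile.cnf"
  openssl x509 -req -in "$dir/$ip.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/extfile.cnf" \
    -out "$dir/$ip.crt" 2>/dev/null
}

# verify_registry_cert <workdir> <registry-ip>
# Returns 0 only if <ip>.crt chains to ca.crt AND lists IP:<ip> as a SAN,
# i.e. what a client with ca.crt in /etc/docker/certs.d/<ip>/ will accept.
verify_registry_cert() {
  dir=$1; ip=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$ip.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$ip.crt" -noout -text \
    | grep -Eq "IP Address:$ip(,|\$)" || return 1
  return 0
}
```

Run make_registry_cert ./certs 192.168.1.8 followed by verify_registry_cert ./certs 192.168.1.8; the resulting ca.crt is the file each client copies into /etc/docker/certs.d/192.168.1.8/ as described in the notes below.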
Step 2: Download and install
The Harbor runtime consists of several Docker containers, including six main components: Nginx, MySQL, UI, proxy, log and JobService. You can build and install from source, or download the *.tgz installation package.
2.1. Install from source
git clone /vmware/harbor.git
After downloading the source code, modify ./make/harbor.cfg and then run make.
2.2. Download the installation package
Download the pre-built installation package from /vmware/harbor/releases, extract it into a directory, modify ./make/harbor.cfg and run install.sh.
2.3. Modifying harbor.cfg
Mainly modify the following entries:
# Configure the host IP address or hostname of the Harbor service; it must exactly match the CA certificate.
# hostname = reg.mydomain.com
hostname = 192.168.1.8
# Configure the port to use (IP of the registry server). For example:
# Fetch the ca.crt file. If the target directory does not exist, create it manually in advance.
sudo scp user@192.168.1.8:~/docker/ca.crt /etc/docker/certs.d/192.168.1.8/
Note:
Each client must copy the above ca.crt into its corresponding Docker directory and then restart Docker.
The browser needs to add an "access exception"; follow its prompts.
If the Harbor deployment server changes, even if the IP address stays the same, you must clear and update the certificate on the accessing side, both in the browser and in the /etc/docker/certs.d directory, and then restart Docker. Otherwise, because the regenerated certificate has different contents under the same name, it will be treated as a forged certificate and access will be denied.
If Nginx port 443 is changed to another port, create the directory /etc/docker/certs.d/yourdomain.com:port (registry IP:port) including the port number, for example 192.168.1.8:444.
Linux and macOS require the certificate to be trusted at system level. You can refer to: adding a trusted root certificate to the server (/Linux/26001.html).
On Ubuntu use the following:
cp 192.168.1.8.crt /usr/local/share/ca-certificates/192.168.1.8.crt
update-ca-certificates
On macOS use the following:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain \
  /root/docker/192.168.1.8.crt
You can also manage and set up CA certificates in the browser: for a self-signed root certificate, import the ca.crt file directly. Then restart the Docker service.
Step 4: Using the port
For usage, see /linux/25578.html
According to my own test, the above method works on Docker 1.12.3 and Ubuntu 16.04, and on macOS Sierra and a Raspberry Pi on ARM.