Our in-house cloud team does not currently have http -> https redirection set up for our Harbor instance, and they wish to do TLS termination at the load balancer / reverse proxy. The Harbor UI is completely accessible, but we cannot log in to Harbor because it sets the bearer realm to use http. We tried setting ui_url_protocol to https, which had no effect on calls to docker login.
In this configuration, my docker client tries to send my credentials insecurely over http:// even though our instance is accessible through our load balancer / reverse proxy on https://.
Please provide an option to let harbor know it's behind a reverse proxy using the HTTPS scheme.
Did you re-run prepare after setting the ui_url_protocol to https?
My support contact who was configuring the instance claimed they did but I will verify tomorrow morning that it was re-run.
The key is to check config/registry/config.yml: when you update harbor.cfg and re-run prepare, this file will be updated. After that, if you restart Harbor with docker-compose down and docker-compose up, the new configuration will be applied to the container.
It looks like the prepare script was not run when ui_url_protocol was changed. I tried to do this in a test environment, but it appears that when this setting is set to https, Harbor wants certificates to be provided:
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/app.conf
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/adminserver/env
Traceback (most recent call last):
  File "./prepare", line 110, in <module>
    validate(rcp, args)
  File "./prepare", line 31, in validate
    raise Exception("Error: The path for certificate: %s is invalid" % cert_path)
Exception: Error: The path for certificate: /data/cert/server.crt is invalid
Are we going to have to do response / header re-writing at the reverse proxy / load balancer, or is there another setting we can tweak to do TLS termination at the proxy / load balancer?
@nlowe Sorry for the late response, so there's another http proxy in front of nginx of Harbor?
You should configure Harbor as http, run prepare, and make an update to config/registry/config.yml: you can find the URL under the auth section. Change it to https and start Harbor with docker-compose.
@reasonerjt That is correct. I'll take a look at those settings in my test environment when I'm back in the office tomorrow. Thanks for the suggestions.
@nlowe Any update?
Sorry, had a lot of things come up the last few weeks. I was able to work around the TLS termination issues by making the changes you suggested in common/config/registry/config.yml. I was able to access the web interface without issue and could log in from docker. Could this setting be made a part of harbor.cfg? If not, I think it should probably be documented.
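The workaround confirmed above, as an added example that is not part of the original thread or of Harbor's own tooling: a shell script that rewrites the token realm under the auth section of config.yml from http to https, leaves every other URL alone, and checks a WWW-Authenticate header value for an https realm. The auth/token/realm layout follows the Docker registry configuration format; the hostname, issuer, service, sample file and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; assumes the registry config layout auth -> token -> realm.

# Print the token realm URL from the auth section of config file $1.
realm_of() {
    awk '
        /^[^ #]/ { in_auth = ($1 == "auth:") }   # track the top-level key
        in_auth && $1 == "realm:" { print $2; exit }
    ' "$1"
}

# Rewrite an http:// realm to https:// in place; other sections are untouched.
fix_realm() {
    tmp="$1.tmp.$$"
    awk '
        /^[^ #]/ { in_auth = ($1 == "auth:") }
        in_auth && $1 == "realm:" { sub(/realm: http:\/\//, "realm: https://") }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Succeed only if a WWW-Authenticate header value advertises an https realm.
header_realm_is_https() {
    case "$1" in
        *'realm="https://'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of a config.yml generated with Harbor configured as http.
write_sample() {
    cat > "$1" <<'EOF'
version: 0.1
auth:
  token:
    issuer: example-issuer
    realm: http://harbor.example.test/service/token
    service: example-service
notifications:
  endpoints:
    - url: http://ui:8080/service/notifications
EOF
}

cfg="${TMPDIR:-/tmp}/registry-config.$$.yml"
write_sample "$cfg"
echo "before: $(realm_of "$cfg")"
fix_realm "$cfg"
echo "after:  $(realm_of "$cfg")"
rm -f "$cfg"
```

Because prepare clears and regenerates common/config/registry/config.yml, the rewrite has to be applied again after every prepare run and before docker-compose up.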
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.