安装
下载
参考官网
在 github release页面 下载 offline 安装包harbor-offline-installer-v2.15.0.tgz
解压
tar zxvf harbor-offline-installer-v2.15.0.tgz证书
如果不搞证书,就要在连接harbor的时候,将ip加入/etc/docker/daemon.json的-insecure-registry
建议先跳过次步骤,直接使用HTTP
安装certbot
sudo apt update
sudo apt install certbot -y申请证书
sudo certbot certonly --standalone -d harbor.cheesechise.top执行此步骤要确保80端口没有被占用,输入邮箱并同意服务条款
将生成的证书配置给Harbor
https:
port: 443
# 使用 Let's Encrypt 的全链证书
certificate: /etc/letsencrypt/live/harbor.cheesechise.top/fullchain.pem
# 使用 Let's Encrypt 的私钥
private_key: /etc/letsencrypt/live/harbor.cheesechise.top/privkey.pemharbor.yml执行安装脚本
在解压目录
sudo ./prepare
sudo ./install.shnginx 端口转发
sudo apt update
sudo apt install nginx -y
sudo systemctl status nginx
sudo vim /etc/nginx/sites-available/harbor.conf填入如下配置
server {
listen 80;
server_name harbor.cheesechise.top;
# 将 HTTP 自动跳转到 HTTPS
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name harbor.cheesechise.top;
# 指向你刚刚申请成功的 Certbot 证书
ssl_certificate /etc/letsencrypt/live/harbor.cheesechise.top/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/harbor.cheesechise.top/privkey.pem;
# 必须加上这一行,否则推送镜像时会报 413 错误(上传文件太大)
client_max_body_size 0;
location / {
# 转发到你的 Harbor 实际运行端口
proxy_pass https://127.0.0.1:9181;
# 保持连接的必要请求头
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 禁用缓存以支持 Docker 推送大文件流
proxy_buffering off;
proxy_request_buffering off;
}
}harbor.conf激活配置
sudo ln -s /etc/nginx/sites-available/harbor.conf /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx自己生成证书(不要使用此方法,很麻烦)
生成CA证书,替换harbor.cheesechise.top为实际域名
mkdir -p /data/cert && cd /data/cert
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha256 -days 3650 \
-key ca.key \
-out ca.crt \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.cheesechise.top"生成服务器证书,记得替换域名和ip
openssl genrsa -out harbor.cheesechise.top.key 4096
openssl req -sha256 -new \
-key harbor.cheesechise.top.key \
-out harbor.cheesechise.top.csr \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.cheesechise.top"这个命令如果出现权限问题,请使用vim创建v3.ext文件
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.cheesechise.top
IP.1=49.233.70.33
EOFopenssl x509 -req -sha256 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in harbor.cheesechise.top.csr \
-out harbor.cheesechise.top.crt回到解压目录,编辑harbor.yml
cp harbor.yml.tmpl harbor.yml
vim harbor.yml修改,可以修改端口号
hostname: harbor.cheesechise.top
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
https:
port: 443
certificate: /data/cert/harbor.cheesechise.top.crt
private_key: /data/cert/harbor.cheesechise.top.keyharbor.yml让本地docker信任证书
sudo mkdir -p /etc/docker/certs.d/harbor.cheesechise.top/
sudo cp /data/cert/harbor.cheesechise.top.crt /etc/docker/certs.d/harbor.cheesechise.top/
sudo cp /data/cert/harbor.cheesechise.top.key /etc/docker/certs.d/harbor.cheesechise.top/
sudo cp /data/cert/ca.crt /etc/docker/certs.d/harbor.cheesechise.top/
sudo systemctl restart docker记得打开服务器443HTTPS端口
如果其他机器的docker要连接这个harbor,也要执行让docker信任证书这一个步骤,将ca.crt拷贝到该机器的/etc/docker/certs.d/yourdomain.com/目录下
# 1. 创建目录
sudo mkdir -p /etc/docker/certs.d/harbor.cheesechise.top/
# 2. 只拷贝 ca.crt,并重命名为 domain.crt (或者直接叫 ca.crt 也可以)
# 你需要从 Harbor 服务器把 ca.crt 传到这台机器上
sudo cp ca.crt /etc/docker/certs.d/harbor.cheesechise.top/
# 3. 重启 Docker(或者通常直接登录即可)
sudo systemctl restart docker或者使用系统级信任
cp ca.crt /usr/local/share/ca-certificates/harbor.crt
sudo update-ca-certificates
sudo systemctl restart docker