内网环境推送镜像到外网的harbor仓库

原创 已于 2022-11-09 14:53:58 修改 · 1.4k 阅读 · 1 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#linux #服务器 #运维

于 2021-07-13 10:45:08 首次发布
该博客介绍了如何在CentOS服务器上使用Tinyproxy搭建代理服务器,以便解决内网服务器无法推送镜像到外网Harbor仓库的问题。首先,通过yum安装Tinyproxy,然后编辑配置文件,开放所需端口和访问IP。接着,启动Tinyproxy服务。对于内网的A服务器,需要在docker服务中配置HTTP和HTTPS代理,并针对不安全的注册表进行设置。如果是在CentOS 7以下版本,可能需要升级系统或更换其他方法。

        由于公司的网络限制问题,无法推送镜像到我们外网的一个项目的harbor镜像仓库,所以需要搭建一个代理服务器做一个代理。 以下A为内网服务器,B为代理服务器,C为外网服务器

代理服务器B用的是tinyproxy搭建的,轻量级的软件,直接yum  install tinyproxy,

然后改下配置文件,

vim /etc/tinyproxy/tinyproxy.conf 

配置一下端口,默认是8888端口,需要就改下,还有设置访问的ip,默认是allow 127.0.0.1,如果是放开的话就把这个注释了。

##
## tinyproxy.conf -- tinyproxy daemon configuration file
##
## This example tinyproxy.conf file contains example settings
## with explanations in comments. For decriptions of all
## parameters, see the tinproxy.conf(5) manual page.
##

#
# User/Group: This allows you to set the user and group that will be
# used for tinyproxy after the initial binding to the port has been done
# as the root user. Either the user or group name or the UID or GID
# number may be used.
#
User tinyproxy
Group tinyproxy

#
# Port: Specify the port which tinyproxy will listen on.  Please note
# that should you choose to run on a port lower than 1024 you will need
# to start tinyproxy using root.
#
Port 30080

#
# Listen: If you have multiple interfaces this allows you to bind to
# only one. If this is commented out, tinyproxy will bind to all
# interfaces present.
#
#Listen 192.168.0.1

#
# Bind: This allows you to specify which interface will be used for
# outgoing connections.  This is useful for multi-home'd machines where
# you want all traffic to appear outgoing from one particular interface.
#
#Bind 192.168.0.1

#
# BindSame: If enabled, tinyproxy will bind the outgoing connection to the
# ip address of the incoming connection.
#
#BindSame yes

#
# Timeout: The maximum number of seconds of inactivity a connection is
# allowed to have before it is closed by tinyproxy.
#
Timeout 6000

#
# ErrorFile: Defines the HTML file to send when a given HTTP error
# occurs.  You will probably need to customize the location to your
# particular install.  The usual locations to check are:
#   /usr/local/share/tinyproxy
#   /usr/share/tinyproxy
#   /etc/tinyproxy
#
#ErrorFile 404 "/usr/share/tinyproxy/404.html"
#ErrorFile 400 "/usr/share/tinyproxy/400.html"
#ErrorFile 503 "/usr/share/tinyproxy/503.html"
#ErrorFile 403 "/usr/share/tinyproxy/403.html"
#ErrorFile 408 "/usr/share/tinyproxy/408.html"

#
# DefaultErrorFile: The HTML file that gets sent if there is no
# HTML file defined with an ErrorFile keyword for the HTTP error
# that has occured.
#
DefaultErrorFile "/usr/share/tinyproxy/default.html"

#
# StatHost: This configures the host name or IP address that is treated
# as the stat host: Whenever a request for this host is received,
# Tinyproxy will return an internal statistics page instead of
# forwarding the request to that host.  The default value of StatHost is
# tinyproxy.stats.
#
#StatHost "tinyproxy.stats"
#

#
# StatFile: The HTML file that gets sent when a request is made
# for the stathost.  If this file doesn't exist a basic page is
# hardcoded in tinyproxy.
#
StatFile "/usr/share/tinyproxy/stats.html"

#
# LogFile: Allows you to specify the location where information should
# be logged to.  If you would prefer to log to syslog, then disable this
# and enable the Syslog directive.  These directives are mutually
# exclusive.
#
LogFile "/var/log/tinyproxy/tinyproxy.log"

#
# Syslog: Tell tinyproxy to use syslog instead of a logfile.  This
# option must not be enabled if the Logfile directive is being used.
# These two directives are mutually exclusive.
#
#Syslog On

#
# LogLevel:
#
# Set the logging level. Allowed settings are:
#       Critical        (least verbose)
#       Error
#       Warning
#       Notice
#       Connect         (to log connections without Info's noise)
#       Info            (most verbose)
#
# The LogLevel logs from the set level and above. For example, if the
# LogLevel was set to Warning, then all log messages from Warning to
# Critical would be output, but Notice and below would be suppressed.
#
LogLevel Info

#
# PidFile: Write the PID of the main tinyproxy thread to this file so it
# can be used for signalling purposes.
#
PidFile "/var/run/tinyproxy/tinyproxy.pid"

#
# XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which
# contains the client's IP address.
#
#XTinyproxy Yes

#
# Upstream:
#
# Turns on upstream proxy support.
#
# The upstream rules allow you to selectively route upstream connections
# based on the host/domain of the site being accessed.
#
# For example:
#  # connection to test domain goes through testproxy
#  upstream testproxy:8008 ".test.domain.invalid"
#  upstream testproxy:8008 ".our_testbed.example.com"
#  upstream testproxy:8008 "192.168.128.0/255.255.254.0"
#upstream localhost


#
#  # no upstream proxy for internal websites and unqualified hosts
#  no upstream ".internal.example.com"
#  no upstream "www.example.com"
#  no upstream "10.0.0.0/8"
#  no upstream "192.168.0.0/255.255.254.0"
#  no upstream "."
#
#  # connection to these boxes go through their DMZ firewalls
#  upstream cust1_firewall:8008 "testbed_for_cust1"
#  upstream cust2_firewall:8008 "testbed_for_cust2"
#
#  # default upstream is internet firewall
#  upstream firewall.internal.example.com:80
#
# The LAST matching rule wins the route decision.  As you can see, you
# can use a host, or a domain:
#  name     matches host exactly
#  .name    matches any host in domain "name"
#  .        matches any host with no domain (in 'empty' domain)
#  IP/bits  matches network/mask
#  IP/mask  matches network/mask
#
#Upstream some.remote.proxy:port

#
# MaxClients: This is the absolute highest number of threads which will
# be created. In other words, only MaxClients number of clients can be
# connected at the same time.
#
MaxClients 100

#
# MinSpareServers/MaxSpareServers: These settings set the upper and
# lower limit for the number of spare servers which should be available.
#
# If the number of spare servers falls below MinSpareServers then new
# server processes will be spawned.  If the number of servers exceeds
# MaxSpareServers then the extras will be killed off.
#
MinSpareServers 5
MaxSpareServers 20

#
# StartServers: The number of servers to start initially.
#
StartServers 10

#
# MaxRequestsPerChild: The number of connections a thread will handle
# before it is killed. In practise this should be set to 0, which
# disables thread reaping. If you do notice problems with memory
# leakage, then set this to something like 10000.
#
MaxRequestsPerChild 0

#
# Allow: Customization of authorization controls. If there are any
# access control keywords then the default action is to DENY. Otherwise,
# the default action is ALLOW.
#
# The order of the controls are important. All incoming connections are
# tested against the controls based on order.
#
#Allow 127.0.0.1

#
# AddHeader: Adds the specified headers to outgoing HTTP requests that
# Tinyproxy makes. Note that this option will not work for HTTPS
# traffic, as Tinyproxy has no control over what headers are exchanged.
#
#AddHeader "X-My-Header" "Powered by Tinyproxy"

#
# ViaProxyName: The "Via" header is required by the HTTP RFC, but using
# the real host name is a security concern.  If the following directive
# is enabled, the string supplied will be used as the host name in the
# Via header; otherwise, the server's host name will be used.
#
ViaProxyName "tinyproxy"

#
# DisableViaHeader: When this is set to yes, Tinyproxy does NOT add
# the Via header to the requests. This virtually puts Tinyproxy into
# stealth mode. Note that RFC 2616 requires proxies to set the Via
# header, so by enabling this option, you break compliance.
# Don't disable the Via header unless you know what you are doing...
#
#DisableViaHeader Yes

#
# Filter: This allows you to specify the location of the filter file.
#
#Filter "/etc/tinyproxy/filter"

#
# FilterURLs: Filter based on URLs rather than domains.
#
#FilterURLs On

#
# FilterExtended: Use POSIX Extended regular expressions rather than
# basic.
#
#FilterExtended On

#
# FilterCaseSensitive: Use case sensitive regular expressions.
#
#FilterCaseSensitive On

#
# FilterDefaultDeny: Change the default policy of the filtering system.
# If this directive is commented out, or is set to "No" then the default
# policy is to allow everything which is not specifically denied by the
# filter file.
#
# However, by setting this directive to "Yes" the default policy becomes
# to deny everything which is _not_ specifically allowed by the filter
# file.
#
#FilterDefaultDeny Yes

#
# Anonymous: If an Anonymous keyword is present, then anonymous proxying
# is enabled.  The headers listed are allowed through, while all others
# are denied. If no Anonymous keyword is present, then all headers are
# allowed through.  You must include quotes around the headers.
#
# Most sites require cookies to be enabled for them to work correctly, so
# you will need to allow Cookies through if you access those sites.
#
#Anonymous "Host"
#Anonymous "Authorization"
#Anonymous "Cookie"

#
# ConnectPort: This is a list of ports allowed by tinyproxy when the
# CONNECT method is used.  To disable the CONNECT method altogether, set
# the value to 0.  If no ConnectPort line is found, all ports are
# allowed (which is not very secure.)
#
# The following two ports are used by SSL.
#
ConnectPort 443
ConnectPort 563

#
# Configure one or more ReversePath directives to enable reverse proxy
# support. With reverse proxying it's possible to make a number of
# sites appear as if they were part of a single site.
#
# If you uncomment the following two directives and run tinyproxy
# on your own computer at port 8888, you can access Google using
# http://localhost:8888/google/ and Wired News using
# http://localhost:8888/wired/news/. Neither will actually work
# until you uncomment ReverseMagic as they use absolute linking.
#
#ReversePath "/google/" "http://www.google.com/"
#ReversePath "/wired/"  "http://www.wired.com/"

#
# When using tinyproxy as a reverse proxy, it is STRONGLY recommended
# that the normal proxy is turned off by uncommenting the next directive.
#
#ReverseOnly Yes

#
# Use a cookie to track reverse proxy mappings. If you need to reverse
# proxy sites which have absolute links you must uncomment this.
#
#ReverseMagic Yes

#
# The URL that's used to access this reverse proxy. The URL is used to
# rewrite HTTP redirects so that they won't escape the proxy. If you
# have a chain of reverse proxies, you'll need to put the outermost
# URL here (the address which the end user types into his/her browser).
#
# If not set then no rewriting occurs.
#
#ReverseBaseURL "http://localhost:8888/"

然后启动

systemctl start tinyproxy.service

代理服务器就可以了。

下面配置A服务器的docker 代理

  为docker服务创建一个内嵌的systemd目录

mkdir -p /etc/systemd/system/docker.service.d

添加配置文件,并且增加参数

vim /etc/systemd/system/docker.service.d/http-proxy.conf
[Service] 
Environment="HTTP_PROXY=http://[proxy-addr]:[proxy-port]/" "HTTPS_PROXY=https://[proxy-addr]:[proxy-port]/"

这里按实际的ip填写 x.x.x.x

如果你的是c服务器是私库,是http的,还需要配置下/etc/docker/daemon.json ,添加下 

"insecure-registries": ["addr:port"]

这里把c服务器ip和端口填上,根据你的实际ip填写。因为docker默认是访问https的。

修改后,执行更新和重启

sudo systemctl daemon-reload

sudo systemctl restart docker

如果是centos7以下的版本,以上方法都不适用,我就是被centos6的系统搞的晕了,没法弄这个代理的,建议升级系统,或者换。

【云原生】使用Harbor代理dockerhub拉取镜像
CN_Eden
07-17 2319
最近回归使用istio,又遇到了容器镜像从dockerhub拉取不下来的问题,实在是忍无可忍了,准备在香港地域安装Harbor作为代理节点拉取镜像
Jenkins构建SpringBoot项目镜像推送到私有仓库Harbor教程
最新发布
u012604480的博客
07-14 330
使用jenkins自动构建工具打包springboot项目镜像,并将打包出来的镜像推送Harbor私有镜像仓库
搭建镜像仓库harbor-安装及使用教程
weixin_48704094的博客
04-14 6946
架构组件图如上图所描述,Harbor由6个大的模块所组成:1、Proxy: Harbor的registry、UI、token services等组件,都处在一个反向代理后边。该代理将来自浏览器、docker clients的请求转发到后端服务上。2、Registry: 负责存储Docker镜像,以及处理Docker push/pull请求。
vmware虚拟机使用docker使用代理国外镜像
月夜楓
06-17 6336
代理
harbor配置外网访问
csdnchen666666的博客
04-02 6252
harbor的安装方法网上有很多,就不写了,参考https://www.cnblogs.com/guyeshanrenshiwoshifu/p/9166195.html 下面记录配置外放访问的几点关键点 harbor.cfg文件的hostname配置为外网ip(网上一般配置的都是内网ip) /lib/systemd/system/docker.service配置为ExecStart=/usr...
Harbor】配置代理镜像加速
2402_85713455的博客
08-03 2952
这样可以极大提高部署效率,实现内网私库部署。一定程度上保障了安全性,实现内网部署。拉完之后,这时可以看到镜像已经缓存到了服务器的项目中了,下次下载不会走公网流量了。通过配置代理仓库,实现将公网上的镜像缓存到代理仓库中,实现镜像缓存的功能。在刚才创建的项目,点击【镜像仓库】。此时没有拉镜像,所有没有任何镜像仓库。配置完,点击测试连接。看到新项目后,新项目类型是镜像代理。在客户端拉取相关镜像,拉镜像的时候此处有坑,要注意镜像名称。在项目中,新建一个项目用于代理加速镜像。新建一个目标仓库,为了存放代理镜像
nginx外网 + harbor拉取推送镜像
eyeofeagle的博客
04-25 4455
1,问题描述 nginx + harbor nginx容器配置: 外网nginx代理后harbor域名:harbor01.io harbor.cfg ( hostname = 11.243.32.211 ) ---> pull harbor01.io/xx/yy err harbor.cfg ( hostname = harbor01.io ) ---> pull harbor01.io/xx/yy ok, push err common/co
一次内网 Harbor 镜像仓库导出迁移过程记录
小康子的博客
04-26 2925
内网 Harbor 镜像包批量导出及迁移过程
『现学现忘』Docker基础 — 41、将本地镜像推送到阿里云
JavaMonsterr的博客
07-02 859
(1)创建阿里云平台账号阿里云官网地址: https://www.aliyun.com/淘宝、支付宝账号可复用,这里不做过多说明了。(2)找到容器镜服务界面在阿里云官网主页,产品 —> 容器与中间件 —> 容器镜像服务ACR —> 管理控制台。如下图所示:进入到阿里云容器镜像服务界面如下:我们之前说过镜像加速器,今天我们来说说阿里云容器镜像仓库。点击左侧边栏的命名空间,再点击右上角创建命名空间,然后在弹出的对话对话框中,输入自定义命名空间的名称。注意:一个账号最多可以创建3个命名空间。创建好的命名空间如下:
Dockerfile构建镜像上传Harbor实战
weixin_44449869的博客
04-24 576
Dockerfile构建镜像上传Harbor实战
Harbor创建镜像代理项目
qq_47767419的博客
11-14 682
由于阿里云的仓库并不支持创建镜像代理。所以我使用了dockerhub,这里需要未harbor配置代理。ps:创建阿里云目标的时候是需要阿里云账号的ak sk的,不填写会导致连接错误。可以使用docker logs -f harbor-core命令,在日志中查看到。Harbor创建镜像代理项目,实现本地仓库,如无该镜像,自动从镜像代理地址拉取。2、创建新项目,勾选镜像代理,选中dockerhub(刚刚设置的)在 Harborharbor.yml 文件中配置代理服务器。修改之后重启harbor
Harbor私服无法在外网访问?
4G/5G随身WiFi专业DIY改装
11-03 973
要在外网访问Harbor私服,您需要进行以下配置:修改Harbor的配置文件(harbor.yml)中的hostname:将hostname配置为您的公网IP或域名。例如:hostname: 公网IP或域名在配置文件中设置external_url:将external_url设置为您的公网IP或域名。确保在URL中包含正确的...
利用Harbor代理缓存镜像实现内网镜像加速
2401_89221867的博客
04-23 1381
Harbor 代理缓存(Proxy Cache)是一种中间镜像仓库,类似 Nexus 的代理模式,允许 Harbor 代理来自 Docker Hub 或其他私有仓库镜像请求。当内网客户端第一次拉取某个镜像时,代理缓存仓库会向外网仓库请求镜像并下载至本地缓存。随后其他客户端拉取同一镜像时,直接从本地缓存仓库获取,避免重复访问外网。有效节约内外网带宽,减少 Docker Hub 的访问频率,避免触发速率限制。
docker-compose 启动的harbor页面能登录,但是不能推送镜像
轻的博客
09-02 726
docker-compose 安装的harbor,页面可以正常打开,但是不能推送镜像。报错信息提示:connect: connection refused。
Harbor系列之8:配置镜像代理缓存
lldhsds的专栏
07-29 2366
Harbor 提供的代理缓存功能可以使用 Harbor 来代理和缓存来自公共或私有仓库镜像。在互联网访问受限或无法访问的环境中,可以使用代理缓存从 Harbor 或非 Harbor 仓库中拉取镜像;还可以使用代理缓存来限制对公共仓库发出的请求数量,避免消耗过多带宽或被仓库服务器限制。说明:从 Harbor v2.1.1 开始,代理缓存功能已更新,以与保持一致。如果要做Harbor 中使用代理缓存,建议您使用 v2.1.1 或更高版,以免避免受到速率限制。
harbor配置远程仓库
前方的路在刚开始
08-09 1520
用第一篇搭建后要注意,第二篇中用的是80,你要全部写端口。这个教你配置,login登录。上面教你按harbor
Docker:在内网环境推送镜像Harbor
W先生
10-28 2658
由于在内网环境中,所以有时需要在自己搭建的Harbor仓库中添加一个新的镜像。 1. 在一台可以连接外网的机器上拉取一个镜像(以Node8.16版本的镜像为例) 执行命令: docker pull node:8.16 这里直接从 docker hub 上拉取的. 查看目前已有镜像: docker images 2. 将需要的镜像保存成一个.tar包 将node、tag为8.16 的镜像...
各类国外热门网站的镜像网站汇总
热门推荐
qq_61210648的博客
09-19 20万+
承接上文,继续更新国外常用热门网站的镜像站,欢迎点赞关注收藏,持续更新!!!
Harbor镜像仓库远程同步
小啊宇的博客
12-25 4086
环境 IP 备注 192.168.1.10 docker、harbor 192.168.1.20 docker、harbor 修改主机名、免密登录 [root@localhost ~]# hostname master [root@localhost ~]# bash [root@master ~]# [root@localhost ~]# hostname slave [root@localhost ~]# bash [root@slave ~]# master echo '
harbor不使用2375端口完成远程推送镜像
06-14
<think>我们正在解决如何在不使用2375端口(即不开启Docker守护进程的远程非安全访问)的情况下,将镜像推送到远程Harbor仓库的问题。2375端口是Docker的未加密通信端口,存在安全风险,通常不荐使用。替代方案是使用HTTPS(即使用TLS加密的端口,通常是2376)或者通过其他安全的方式。根据引用内容,我们可以总结出以下几点关键信息:1.Harbor的配置中,可以通过设置`insecure-registries`来允许HTTP访问(引用[1]),但这样仍然不安全。2.更安全的做法是配置HTTPS,这需要为Harbor配置SSL证书,并在Docker客户端配置信任该证书(引用[5])。3.推送镜像时,如果使用HTTP且没有配置`insecure-registries`,或者使用HTTPS但没有正确配置证书,都会导致推送失败(引用[4])。因此,解决方案有两个方向:方向一:使用HTTP并配置Docker客户端信任该Harbor仓库(不安全,仅在内网测试环境中建议)方向二:使用HTTPS(荐),并配置SSL证书。由于用户明确要求不使用2375端口,并且希望有替代方案或HTTPS设置,我们重点讲解HTTPS配置。###步骤1:为Harbor配置HTTPS根据Harbor官方文档,在安装Harbor时,需要配置SSL证书。以下是基本步骤:1.准备域名证书(可以是自签名证书或CA签发的证书)。假设我们有一个自签名证书,包括`tls.crt`(证书文件)和`tls.key`(私钥文件)。2.Harbor的配置文件`harbor.yml`中配置HTTPS:```yamlhttps:port:443#HTTPS端口,默认为443,也可以使用其他端口如8443certificate:/path/to/tls.crtprivate_key:/path/to/tls.key```同时,将`http`部分注释掉:```yaml#http:#port:80```或者,如果希望同时支持HTTP和HTTPS,可以保留HTTP配置,但通常生产环境只使用HTTPS。3.运行安装脚本(或重新配置Harbor):```bashsudo./install.sh```或者如果已经安装,可以运行:```bashsudo./preparesudodocker-composedown-vsudodocker-composeup-d```###步骤2:在Docker客户端配置信任Harbor的证书如果使用的是自签名证书,那么需要在每个Docker客户端机器上信任该证书。1.Harbor服务器的证书(`tls.crt`)复制到Docker客户端机器上。2.在Docker客户端创建证书目录,目录结构为:`/etc/docker/certs.d/<Harbor域名>:<端口>/`。注意,这里的端口是Harbor的HTTPS端口(如443或8443)。例如,如果Harbor的域名是`core.harbor.domain`,端口是443,则目录为:```bashsudomkdir-p/etc/docker/certs.d/core.harbor.domain/```如果是自定义端口,比如8443,则目录为:```bashsudomkdir-p/etc/docker/certs.d/core.harbor.domain:8443/```3.将证书文件复制到该目录下,并重命名为`ca.crt`(或者保留原文件名,但确保是.crt后缀):```bashsudocp/path/to/tls.crt/etc/docker/certs.d/core.harbor.domain/ca.crt```如果是自定义端口:```bashsudocp/path/to/tls.crt/etc/docker/certs.d/core.harbor.domain:8443/ca.crt```4.重启Docker服务使配置生效:```bashsudosystemctlrestartdocker```###步骤3:登录和推送镜像1.使用`dockerlogin`登录到Harbor,注意使用HTTPS的URL:```bashdockerlogincore.harbor.domain```如果使用自定义端口:```bashdockerlogincore.harbor.domain:8443```2.镜像打标签,注意镜像名前缀必须是完整的Harbor地址(包括端口,如果是443可以省略端口):```bashdockertagyour-image:tagcore.harbor.domain/your-project/your-image:tag```或者自定义端口:```bashdockertagyour-image:tagcore.harbor.domain:8443/your-project/your-image:tag```3.推送镜像:```bashdockerpushcore.harbor.domain/your-project/your-image:tag```###注意事项-如果Harbor使用HTTP,则必须在Docker客户端的`daemon.json`中配置`insecure-registries`(引用[1]),但这样通信是不加密的,不安全。-如果使用HTTPS,但证书是由受信任的CA签发的(如Let'sEncrypt),则不需要在客户端手动配置证书,因为客户端已经信任该CA。-引用[3]提到了一种无需本地安装Docker的推送方法,但用户问题中要求的是远程推送镜像,通常还是需要Docker客户端。如果不想在本地安装Docker,可以考虑使用HarborAPI直接上传,但这种方法较为复杂,一般不常用。###总结不使用2375端口的替代方案就是使用HTTPS(通常是443端口)进行加密通信。关键步骤包括配置Harbor的HTTPS证书,以及在Docker客户端信任该证书。§§相关问题§§1.如何为Harbor生成自签名SSL证书?2.如何配置Docker客户端使用受信任的CA签发的证书访问Harbor?3.除了HTTPS,还有哪些安全的方式可以远程推送镜像Harbor?</think>### Harbor 配置远程推送镜像(不使用 2375 端口)的解决方案 #### 1. **使用 HTTPS 安全协议(荐方案)** **核心原理**:通过 TLS 加密替代不安全的 2375 端口,使用标准 HTTPS 端口(默认为 443 或自定义端口)。 **操作步骤**: 1. **配置 Harbor HTTPS**: - 修改 `harbor.yml` 配置文件: ```yaml https: port: 8443 # 自定义 HTTPS 端口(非 443 时需显式声明) certificate: /your/cert/path/tls.crt private_key: /your/cert/path/tls.key ``` - 生成自签名证书(示例): ```bash openssl req -x509 -newkey rsa:4096 -nodes -days 365 \ -out tls.crt -keyout tls.key \ -subj "/CN=your-harbor-domain.com" ``` 2. **Docker 客户端配置**: - 将 Harbor 证书复制到 Docker 信任目录: ```bash mkdir -p /etc/docker/certs.d/your-harbor-domain.com:8443 cp tls.crt /etc/docker/certs.d/your-harbor-domain.com:8443/ca.crt ``` - 重启 Docker 服务: ```bash systemctl restart docker ``` 3. **推送镜像**: ```bash docker tag your-image:tag your-harbor-domain.com:8443/project/your-image:tag docker push your-harbor-domain.com:8443/project/your-image:tag ``` #### 2. **HTTP 替代方案(仅限内网)** **适用场景**:测试环境且网络隔离严格时使用 HTTP。 **操作步骤**: 1. **配置 Harbor HTTP**: ```yaml http: port: 8080 # 自定义 HTTP 端口 ``` 2. **Docker 客户端设置**: - 修改 `/etc/docker/daemon.json`: ```json { "insecure-registries": ["your-harbor-ip:8080"] } ``` - 重启 Docker: ```bash systemctl restart docker ``` 3. **推送镜像**: ```bash docker push your-harbor-ip:8080/project/your-image:tag ``` #### 关键注意事项 1. **端口一致性**: - Harbor 服务端口必须与推送命令中的端口完全匹配(如 `:80`、`:443`、`:8443`)[^4]。 - 错误示例:`docker push 192.168.1.10/library/image`(缺失端口)会导致失败。 2. **证书信任**: - HTTPS 方案必须确保客户端信任 Harbor 证书(自签名证书需手动分发)[^5]。 3. **网络连通性**: - 防火墙需放行自定义端口(如 8443)的 TCP 流量。 #### 方案对比 | **方案** | 安全性 | 配置复杂度 | 适用场景 | |----------------|--------|------------|------------------| | **HTTPS+证书** | ★★★★★ | ★★★☆☆ | 生产环境/跨网络 | | **HTTP+白名单**| ★★☆☆☆ | ★★☆☆☆ | 隔离内网测试环境 | > **荐实践**:生产环境务必使用 HTTPS 方案,避免因未加密通信导致的数据泄露风险[^1][^5]。
评论 1
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值