misterli's Blog.

阿里云slb https代理harbor 总结

harbor slb
字数统计: 598阅读时长: 3 min
2021/07/13

文章中使用harbor版本为v2.2.0

因为种种原因(甲方爸爸牛逼)导致 harbor 无法直接使用证书提供https访问,于是被迫采用阿里云的负载均衡slb,使用slb的https方式代理访问后端的http协议的harbor ,证书配置到slb上,如下:

user---->slb(HTTPs)-->harbor(http) --> core/protal/registry

使用这种方式我们配置harbor.yml文件时,需要把https段配置注释,否则会发生http自动重定向到https,导致循环重定向,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: XXXXX.XXX.XXX:8443

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8443

# https related config
#https:
  # https port for harbor, default is 443
 # port: 8443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path

我们的gitlab ci 是使用google的kaniko进行镜像的打包上传:

1
/kaniko/executor --context="$PWD" --dockerfile="$PWD/Dockerfile" --destination="$HARBOR_IMAGE_TAG"

使用过程中发现有时候会出现

image-20210628141739223

我手动执行push命令发现如下报错

1
2
3
4
5
6
7
8
9
10
[root@lnt-gitlab2 ~]# docker push wqtdv.lingnanpass.com:8443/lnt/backend/biz-system/order-service:12 
The push refers to repository [wqtdv.lingnanpass.com:8443/lnt/backend/biz-system/order-service]
d198a53aea25: Pushing [==================================================>]  63.53MB/63.53MB
6062fe0be0d9: Pushing [==================================================>]  4.096kB
845fd138a201: Pushing [==================================================>]  3.072kB
ae3346816733: Pushing [==================================================>]  62.71MB/62.71MB
f1368d252262: Pushing [==================================================>]  4.719MB/4.719MB
65b25307a005: Waiting 
error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>400 Bad Request</h1></center>\r\n<center>The plain HTTP request was sent to HTTPS port</center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"

解决方案

对于类似>400 The plain HTTP request was sent to HTTPS port这样的报错:

编辑common/config/registry/config.yml,添加如下图的字段relativeurls: true

image-20210621224047823

或者修改harbor.yml,然后执行./prepare

image-20210621224205340

对于上面使用kaniko push镜像那样的报错以及push报错:unauthorized: unauthorized to access repository(unauthorized: authentication required) 或者日志里面报错:unknown blob,编辑 common/config/nginx/nginx.conf , 注释掉所有的 proxy_set_header X-Forwarded-Proto $scheme; 重启即可(执行prepare后需要再次修改该文件)

image-20210713221327569

解决方案仅供参考

原文作者:Mister Li

原文链接:https://www.lishuai.fun/2021/07/13/harbor-to-slb/

发表日期:July 13th 2021, 10:49:23 pm

更新日期:May 3rd 2022, 11:25:55 pm

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 解决方案
Total : 46
2023
2022
2021
2020
kubernetes rbac k8s vulnerability ingress-nginx RBAC argocd devops gitlab harbor slb hugo pv csi s3 kubesphere prometheus sso kubevela k8s准入控制 kyverno longhorn oomkill event configmap secret sync ingress cert-manager chaos-mesh minio vpa 动态扩缩容 k8s kubevela oamm 报警 ssl-exporter traefik 混沌工程 rke k8s pvc nfs prometheus redis umami etcd kuboard docker ci buildkit redis