By default, the Bitnami Harbor OVA listens on both port 80 (HTTP) and port 443 (HTTPS). Security requirements or organizational policy may call for closing port 80 entirely, so that every request is encrypted and the exposed surface is reduced to a single TLS endpoint. Note that closing port 80 also removes any HTTP-to-HTTPS redirect: clients, Docker included, must address the registry as https:// explicitly, and a TLS certificate renewed through an ACME HTTP-01 challenge needs port 80 open while the challenge runs.
This article covers the three changes required: stop Nginx listening on port 80, set the Harbor Core external endpoint so the tokens it issues to Docker clients reference the HTTPS URL, and drop port 80 from the nftables firewall rules.
All of the steps below require root or sudo privileges.
First, stop the Nginx web server from listening for unencrypted traffic.
Open the Nginx configuration file:
sudo nano /opt/bitnami/nginx/conf/nginx.conf
Locate the server block and find the following line:
listen 80;
Remove or comment it out. If the block also carries the IPv6 form of the same directive, listen [::]:80;, remove that as well; otherwise Nginx keeps accepting plaintext connections over IPv6.
Save and exit the editor.
Harbor Core builds the realm URL in the authentication challenge it returns to Docker clients from its configured external endpoint, and by default it may do so with the http scheme. Once port 80 is closed, clients sent to an http:// token service can no longer authenticate, so the external endpoint must be set explicitly to the HTTPS URL.
Open the Harbor Core environment file:
sudo nano /opt/bitnami/harbor-core/.env
Add or modify the following line, replacing YOUR_EXTERNAL_URL with the FQDN or IP address that clients use to reach Harbor (it should match the name presented by the TLS certificate):
EXT_ENDPOINT='https://YOUR_EXTERNAL_URL'
Save and exit the editor.
Next, remove port 80 from the list of allowed inbound TCP ports in the nftables configuration.
Open the firewall configuration file:
sudo nano /etc/nftables.conf
Locate the rule that accepts inbound TCP ports and change this line from:
tcp dport { 22, 80, 443 } accept
to:
tcp dport { 22, 443 } accept
Save and exit the editor.
Apply the changes by restarting the Bitnami services and the firewall:
sudo service bitnami restart
sudo service nftables restart
Afterwards, confirm that nothing is listening on port 80 and that a plaintext connection to the host is refused, while https:// requests and Docker logins still succeed.
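As an added example that is not part of the original article or of the Bitnami packaging, the following script carries out the three edits above as shell functions that take the file to edit as an argument, so they can be rehearsed on copies before being run as root against the live paths. The function names, the --apply flag and the HARBOR_EXTERNAL_HOST variable are this example's own assumptions; the file paths, the nftables rule shape and the EXT_ENDPOINT value are the ones given above.

```shell
#!/bin/sh
# Added example (not Bitnami's own code): the three file edits from the
# article as idempotent shell functions, plus a post-restart listener check.
# Function names, the --apply flag and HARBOR_EXTERNAL_HOST are assumptions.
set -eu

# Write the edited temp file back over the original with cat rather than mv,
# so the original's owner and mode are preserved.
replace_file() {
    cat "$2" > "$1" && rm -f "$2"
}

# Comment out every "listen 80;" and "listen [::]:80;" directive in an
# nginx.conf. Already-commented lines are left alone (so a second run is a
# no-op) and "listen 8080;" is untouched, since 80 must be followed by
# whitespace or ';'.
disable_nginx_port80() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed -E 's/^([[:space:]]*)(listen[[:space:]]+(\[::]:)?80[[:space:];].*)$/\1# \2/' \
        "$conf" > "$tmp"
    replace_file "$conf" "$tmp"
}

# Set EXT_ENDPOINT in harbor-core's .env, replacing any existing value.
# Anything but an https:// URL is refused: an http:// realm is exactly the
# failure this step exists to prevent.
set_ext_endpoint() {
    envfile="$1"
    url="$2"
    case "$url" in
        https://*) ;;
        *) echo "EXT_ENDPOINT must be an https:// URL, got: $url" >&2; return 1 ;;
    esac
    tmp="$envfile.tmp.$$"
    # grep -v exits 1 when it removed every line; that is not an error here.
    grep -v '^EXT_ENDPOINT=' "$envfile" > "$tmp" || true
    printf "EXT_ENDPOINT='%s'\n" "$url" >> "$tmp"
    replace_file "$envfile" "$tmp"
}

# Drop 80 from every "tcp dport { ... } accept" set in nftables.conf,
# whatever other ports the set holds. A set that contained only 80 would
# become empty, which nft rejects, so that rule is deleted outright.
drop_port80_from_nftables() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed -E \
        -e '/tcp dport \{[[:space:]]*80[[:space:]]*\}/d' \
        -e '/tcp dport/ s/,[[:space:]]*80([[:space:]]*[,}])/\1/' \
        -e '/tcp dport/ s/\{[[:space:]]*80[[:space:]]*,[[:space:]]*/{ /' \
        "$conf" > "$tmp"
    replace_file "$conf" "$tmp"
}

# After the restart: succeed only if no TCP socket is listening on port 80.
# "ss -ltn" prints the local address:port in column 4; awk exits 1 on the
# first match, which becomes the function's status.
port80_is_closed() {
    command -v ss >/dev/null 2>&1 || { echo "ss not available" >&2; return 2; }
    ss -ltn | awk 'NR > 1 && $4 ~ /:80$/ { exit 1 }'
}

# Run with --apply as root to edit the live files and restart the services.
# Without the flag the script only defines the functions, so they can be
# tried on copies first. HARBOR_EXTERNAL_HOST is the FQDN or IP that clients
# use (an assumption of this example, not a Bitnami setting).
if [ "${1:-}" = "--apply" ]; then
    disable_nginx_port80 /opt/bitnami/nginx/conf/nginx.conf
    set_ext_endpoint /opt/bitnami/harbor-core/.env \
        "https://${HARBOR_EXTERNAL_HOST:?set HARBOR_EXTERNAL_HOST to the FQDN or IP}"
    drop_port80_from_nftables /etc/nftables.conf
    service bitnami restart
    service nftables restart
    if port80_is_closed; then
        echo "port 80 is closed"
    else
        echo "something is still listening on port 80" >&2
        exit 1
    fi
fi
```

On the appliance this is run as sudo HARBOR_EXTERNAL_HOST=harbor.example.com sh harden-harbor.sh --apply (script name assumed). The final check only proves nothing is bound to port 80 locally; also confirm from a client that curl -I http://HOST is refused while docker login HOST over https:// still succeeds.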