Configure the Harbor YML File

You set system level parameters for Harbor in the harbor.yml file that is contained in the installer package. These parameters take effect when you run the script to install or reconfigure Harbor.

After the initial deployment and after you have started Harbor, you perform additional configuration in the Harbor Web Portal.

Required Parameters

The table below lists the parameters that must be set when you deploy Harbor. By default, all of the required parameters are uncommented in the harbor.yml file. The optional parameters are commented with #. You do not necessarily need to change the values of the required parameters from the defaults that are provided, but these parameters must remain uncommented. At the very least, you must update the hostname parameter.

IMPORTANT: Harbor does not ship with any certificates. In versions up to and including 1.9.x, by default Harbor uses HTTP to serve registry requests. This is acceptable only in air-gapped test or development environments. In production environments, always use HTTPS.

You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. For information about how to create a CA, and how to use a CA to sign a server certificate and a client certificate, see Configuring Harbor with HTTPS Access.

Required Parameters for Harbor Deployment
Parameter Sub-parameters Description and Additional Parameters
hostname None Specify the IP address or the fully qualified domain name (FQDN) of the target host on which to deploy Harbor. This is the address at which you access the Harbor Portal and the registry service. For example, or The registry service must be accessible to external clients, so do not specify localhost,, or as the hostname.
http   Do not use HTTP in production environments. Using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks.
  port Port number for HTTP, for both Harbor portal and Docker commands. The default is 80.
https   Use HTTPS to access the Harbor Portal and the token/notification service. Always use HTTPS in production environments and environments that are not air-gapped.
  port The port number for HTTPS, for both Harbor portal and Docker commands. The default is 443.
  certificate The path to the SSL certificate.
  private_key The path to the SSL key.
internal_tls   Use HTTPS to communicate between harbor components
  enabled Set this flag to true means internal tls is enabled
  dir The path to the directory that contains internal certs and keys
harbor_admin_password None Set an initial password for the Harbor system administrator. This password is only used on the first time that Harbor starts. On subsequent logins, this setting is ignored and the administrator's password is set in the Harbor Portal. The default username and password are admin and Harbor12345.
database   Use a local PostgreSQL database. You can optionally configure an external database, in which case you can deactivate this option.
  password Set the root password for the local database. You must change this password for production deployments.
  max_idle_conns The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
  max_open_conns The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
  conn_max_lifetime The maximum amount of time a connection may be reused. If it <= 0, connections are not closed due to a connection's age.
  conn_max_idle_time The maximum amount of time a connection may be idle. If it <= 0, connections are not closed due to a connection's idle time.
data_volume None The location on the target host in which to store Harbor's data. This data remains unchanged even when Harbor's containers are removed and/or recreated. You can optionally configure external storage, in which case deactivate this option and enable storage_service. The default is /data.
trivy   Configure Trivy scanner.
  ignore_unfixed Set the flag to true to display only fixed vulnerabilities. The default value is false
  security_check Comma-separated list of what security issues to detect. Possible values are vuln, config and secret. Defaults to vuln.
  skip_update You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues. If the flag is enabled you have to download the trivy-offline.tar.gz archive manually, extract and the trivy.db and metadata.json files and mount them in the /home/scanner/.cache/trivy/db/trivy.db path in container. The default value is false
  insecure Set the flag to true to skip verifying registry certificate. The default value is false
  github_token Set the GitHub access token to download Trivy DB. Trivy DB is downloaded by Trivy from the GitHub release page. Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult .You can create a GitHub token by following the instructions in
jobservice max_job_workers The maximum number of replication workers in the job service. For each image replication job, a worker synchronizes all tags of a repository to the remote destination. Increasing this number allows more concurrent replication jobs in the system. However, since each worker consumes a certain amount of network/CPU/IO resources, set the value of this attribute based on the hardware resource of the host. The default is 10.
notification webhook_job_max_retry Set the maximum number of retries for web hook jobs. The default is 10.
log   Configure logging. Harbor uses `rsyslog` to collect the logs for each container.
  level Set the logging level to debug, info, warning, error, or fatal. The default is info.
  local Set the log retention parameters:
  • rotate_count: Log files are rotated rotate_count times before being removed. If count is 0, old versions are removed rather than rotated. The default is 50.
  • rotate_size: Log files are rotated only if they grow bigger than rotate_size bytes. Use k for kilobytes, M for megabytes, and G for gigabytes. 100, 100k, 100M and 100G are all valid values. The default is 200M.
  • location: Set the directory in which to store the logs. The default is /var/log/harbor.
  external_endpoint Enable this option to forward logs to a syslog server.
  • protocol: Transport protocol for the syslog server. Default is TCP.
  • host: The URL of the syslog server.
  • port: The port on which the syslog server listens
proxy   Configure proxies to be used by trivy-adapter, the replication jobservice, and Harbor. Leave blank if no proxies are required. Some proxies have whitelist settings, if Trivy is enabled, you need to add the following urls to the proxy server whitelist:,, and *
  http_proxy Configure an HTTP proxy, for example,
  https_proxy Configure an HTTPS proxy, for example,
  no_proxy Configure when not to use a proxy, for example,,localhost,core,registry.
cache   Configure cache layer for your Harbor instance. When enabled, Harbor will cache some Harbor resources (for example, artifacts, projects, or project metadata) using Redis, reducing the amount of time and resources used for repeated requests for the same Harbor resource. It's strongly recommended that you enable this feature on Harbor instances with high concurrent pull request rates to improve Harbor's overall performance. For more details on the cache layer implementation and performance improvements, see the Cache Layer wiki page.
  enabled Default is false, set to true to enable Harbor's cache layer.
  expire_hours Configure the cache expiration limit in hours. Default is 24.

Optional Parameters

The following table lists the additional, optional parameters that you can set to configure your Harbor deployment beyond the minimum required settings. To enable a setting, you must uncomment it in harbor.yml by deleting the leading # character.

Optional Parameters for Harbor
Parameter Sub-Parameters Description and Additional Parameters
external_url None Enable this option to use an external proxy. When enabled, the hostname is no longer used.
storage_service   By default, Harbor stores images and charts on your local filesystem. In a production environment, you might want to use another storage backend instead of the local filesystem. The parameters listed below are the configurations for the registry. See *Configuring Storage Backend* below for more information about how to configure a different backend.
  ca_bundle The path to the custom root CA certificate, which is injected into the trust store of registry and chart repository containers. This is usually needed if internal storage uses a self signed certificate.
  filesystem The default is filesystem, but you can set azure, gcs, s3, swift and oss. For information about how to configure other backends, see Configuring a Storage Backend below. Set maxthreads to limit the number of threads to the external provider. The default is 100.
  redirect Set deactivate to true when you want to deactivate registry redirect
external_database   Configure external database settings, if you deactivate the local database option. Currently, Harbor only supports PostgreSQL database. You must create a database for Harbor core. The tables are generated automatically when Harbor starts up.

Configure an external database for Harbor data.

  • host: Hostname of the Harbor database.
  • port: Database port.
  • db_name: Database name.
  • username: Username to connect to the core Harbor database.
  • password: Password for the account you set in username.
  • ssl_mode: Enable SSL mode.
  • max_idle_conns: The maximum number of connections in the idle connection pool. If <=0 no idle connections are retained. The default value is 2.
  • max_open_conns: The maximum number of open connections to the database. If <= 0 there is no limit on the number of open connections. The default value is 0.
external_redis   Configure an external Redis instance.
  host redis_host:redis_port of the external Redis instance. If you are using Sentinel mode, this part should be host_sentinel1:port_sentinel1,host_sentinel2:port_sentinel2
  sentinel_master_set Only set this when using Sentinel mode
  password Password to connect to the external Redis instance.
  registry_db_index Database index for Harbor registry.
  jobservice_db_index Database index for jobservice.
  chartmuseum_db_index Database index for Chart museum.
  trivy_db_index Database index for Trivy adapter.
metric   Configure exposing Harbor instance metrics to a specified port and path
  enabled Enable exposing metrics on your Harbor instance by setting this to true. Default is false
  port Port metrics are exposed on. Default is 9090
  path Path metrics are exposed on. Default is /metrics
trace   Configure exposing Distributed tracing data
  enabled Enable exposing tracing on your Harbor instance by setting this to true. Default is false
  sample_rate Set the sample rate of tracing. For example, set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
  namespace Namespace used to differenciate different harbor services, which will set to attribute with key service.namespace
  attributes The attributes is a key value dict contains user defined customized attributes used to initialize trace provider, and all of these atributes will added to trace data
  • endpoint: The url of endpoint(for example set endpoint means export to jaeger collector via http.
  • username:: Username used to connect endpoint. Left empty if not needed.
  • password:: Password used to connect endpoint. Left empty if not needed.
  • agent_host: The host name of jaeger agent. Set agent_host means export data to jaeger agent via udp.
  • agent_port:: The port name of jaeger agent.
  • endpoint: The hostname and port for otel compitable backend(for example
  • url_path:: The url path of endpoint(for example
  • compression:: If enabling data compression
  • insecure: Ignore cert verification for otel backend
  • timeout:: The timeout of data transfer
The harbor.yml file includes options to configure a UAA CA certificate. This authentication mode is not recommended and is not documented.

Configuring a Storage Backend

By default Harbor uses local storage for the registry, but you can optionally configure the storage_service setting so that Harbor uses external storage. For information about how to configure the storage backend of a registry for different storage providers, see the Registry Configuration Reference in the Docker documentation. For example, if you use Openstack Swift as your storage backend, the parameters might resemble the following:

    username: admin
    password: ADMIN_PASS
    authurl: http://keystone_addr:35357/v3/auth
    tenant: admin
    domain: default
    region: regionOne
    container: docker_images
    disabled: false

What to Do Next

To install Harbor, Run the Installer Script.