Introduction
When setting up Artifactory on a Windows environment with NGINX as a reverse proxy, you may encounter issues with the HTTPS connection, even after installing an SSL certificate. This can be caused by subtle differences in NGINX configuration between Linux and Windows environments. The following guide details the troubleshooting steps and the correct NGINX configuration to resolve these issues.
This article provides a step-by-step guide for configuring NGINX as a reverse proxy for Artifactory on a Windows server. This setup allows you to access Artifactory securely via HTTPS.
Resolution
To successfully configure NGINX as a reverse proxy for Artifactory on Windows, follow these steps:
1. Initial Setup and Certificate Installation
- Install Artifactory and NGINX: Ensure both JFrog Artifactory and NGINX are installed on the same Windows server.
- Generate and Place Certificates:
  - Generate a self-signed SSL certificate or use your own certificate and key files (.crt and .key).
  - Create a certs directory inside your NGINX installation path (e.g., C:\application\nginx-1.28.0\nginx-1.28.0\certs).
  - Place your certificate and key files in this certs directory.
- Install Certificate in Trusted Store:
  - Navigate to the certificate directory and install the certificate on the local machine.
  - During the import process, select "Place all certificates in the following store" and choose "Trusted Root Certification Authorities".
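The certificate steps above as a PowerShell script, added here as an example and not taken from the original article. The wildcard SAN covers the subdomain form matched by the server_name regex in the configuration, and the ACL step limits who can read the private key. Assumptions: an elevated session, openssl.exe 1.1.1 or later on PATH, the placeholder DNS name artifactory.example.com, and NGINX running under the LocalSystem account.

```powershell
# Added example: run from an elevated PowerShell session.
# Assumptions: openssl.exe 1.1.1+ is on PATH; $dnsName is a placeholder.
$certDir = 'C:\application\nginx-1.28.0\nginx-1.28.0\certs'
$dnsName = 'artifactory.example.com'
$crt = Join-Path $certDir 'mydomain.crt'
$key = Join-Path $certDir 'mydomain.key'

New-Item -ItemType Directory -Path $certDir -Force | Out-Null

# Self-signed certificate whose SANs cover the host and its subdomains
& openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes `
    -keyout $key -out $crt -subj "/CN=$dnsName" `
    -addext "subjectAltName=DNS:$dnsName,DNS:*.$dnsName"
if ($LASTEXITCODE -ne 0) { throw 'openssl failed to create the certificate' }

# Private key: drop inherited ACEs, allow read for SYSTEM and Administrators only
& icacls $key /inheritance:r /grant:r 'SYSTEM:R' 'BUILTIN\Administrators:R'
if ($LASTEXITCODE -ne 0) { throw 'icacls failed to restrict the key file' }

# Trust the certificate machine-wide (Trusted Root Certification Authorities)
$imported = Import-Certificate -FilePath $crt -CertStoreLocation Cert:\LocalMachine\Root

# Confirm the store now holds exactly the certificate that NGINX will present
$inStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $inStore) { throw 'certificate not found in LocalMachine\Root' }
$inStore | Format-List Subject, NotAfter, Thumbprint
```

Other machines that reach Artifactory by DNS name need the same .crt imported into their own trusted store; the .key file never leaves the server.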
2. NGINX Configuration
- Generate Reverse Proxy Configuration:
  - In the Artifactory UI, navigate to Administration > Artifactory > HTTP Settings to generate the reverse proxy configuration.
- Modify the nginx.conf file:
  - Open your nginx.conf file, located in the conf directory of your NGINX installation (e.g., C:\application\nginx-1.28.0\nginx-1.28.0\conf).
  - Replace the default content with the corrected configuration below. This configuration includes necessary adjustments for Windows and ensures that the Artifactory UI and Docker support function correctly.
3. Corrected NGINX Configuration
It is crucial that the entire server block is correctly placed within the http block of the nginx.conf file and is properly indented.
```nginx
# Defines the user that the worker processes will run as.
# user nobody;

# The number of worker processes, typically set to the number of CPU cores.
worker_processes 1;

# Error log location.
# error_log logs/error.log;
# error_log logs/error.log notice;
# error_log logs/error.log info;

# The file that will store the process ID of the main process.
# pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # Increase the memory bucket size for long/complex server names.
    # THIS WAS THE KEY FIX FOR THE SERVER_NAME HASH ERROR.
    server_names_hash_bucket_size 64;

    # Settings for log format.
    # log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                 '$status $body_bytes_sent "$http_referer" '
    #                 '"$http_user_agent" "$http_x_forwarded_for"';
    # access_log logs/access.log main;

    sendfile on;
    # tcp_nopush on;
    keepalive_timeout 65;
    # gzip on;

    ############################################################################
    ### Artifactory Configuration - Pasted Directly to avoid include issues ###
    ############################################################################
    server {
        listen 443 ssl;
        server_name ~(?<repo>.+)\.server_name;

        # SSL Certificate Configuration
        ssl_certificate C:/application/nginx-1.28.0/nginx-1.28.0/certs/mydomain.crt;
        ssl_certificate_key C:/application/nginx-1.28.0/nginx-1.28.0/certs/mydomain.key;

        # SSL Security Settings
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache shared:SSL:1m;
        ssl_prefer_server_ciphers on;

        # Standard JFrog Reverse Proxy Headers
        if ($http_x_forwarded_proto = '') {
            set $http_x_forwarded_proto $scheme;
        }

        rewrite ^/$ /ui/ redirect;
        rewrite ^/ui$ /ui/ redirect;
        chunked_transfer_encoding on;
        client_max_body_size 0;

        location / {
            proxy_read_timeout 2400s;
            proxy_pass_header Server;
            proxy_cookie_path ~*^/.* /;
            proxy_buffer_size 128k;
            proxy_buffers 40 128k;
            proxy_busy_buffers_size 128k;
            proxy_pass http://localhost:8082;
            proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Security Headers
            add_header X-Content-Type-Options "nosniff" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

            location ~ ^/artifactory/ {
                proxy_pass http://localhost:8081;
            }
        }
    }
}
```
4. Run NGINX as a Windows Service
To ensure NGINX runs persistently, configure it as a Windows service using a tool like NSSM (the Non-Sucking Service Manager).
- Configure with NSSM: Set up the service with the correct executable path and startup directory for NGINX.
- Verify the Service: Check in Windows Services to confirm that the NGINX service has been created and is running successfully.
5. Final Verification
- Restart and Test: Restart the NGINX server.
- Confirm Access: Test access to Artifactory via both HTTP and HTTPS. You should now be able to access Artifactory securely over HTTPS, both from within the production environment and externally using the DNS name.
- Exclusive HTTPS: As a best practice, you can configure your setup to disable HTTP and use HTTPS exclusively.
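Steps 4 and 5 as a PowerShell script, added here as an example and not taken from the original article. It validates nginx.conf, registers the service through NSSM, then checks that the HTTPS endpoint returns the two security headers set in the configuration. Assumptions: an elevated session, nssm.exe on PATH, the service name nginx, and the placeholder DNS name artifactory.example.com resolving to this server.

```powershell
# Added example: run from an elevated PowerShell session.
# Assumptions: nssm.exe is on PATH; service name and $dnsName are placeholders.
$nginxHome = 'C:\application\nginx-1.28.0\nginx-1.28.0'
$svcName   = 'nginx'
$dnsName   = 'artifactory.example.com'

# Validate nginx.conf before touching the service (run from the NGINX folder
# so relative paths such as conf/ and logs/ resolve)
Push-Location $nginxHome
& .\nginx.exe -t
$configOk = ($LASTEXITCODE -eq 0)
Pop-Location
if (-not $configOk) { throw 'nginx -t reported a configuration error' }

# Register NGINX as an auto-start service with the NGINX folder as startup directory
& nssm install $svcName "$nginxHome\nginx.exe"
& nssm set $svcName AppDirectory $nginxHome
& nssm set $svcName Start SERVICE_AUTO_START
& nssm start $svcName
if ((Get-Service $svcName).Status -ne 'Running') { throw "$svcName is not running" }

# Windows PowerShell 5.1 may not offer TLS 1.2 by default; the server accepts only 1.2 and 1.3
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Request /ui/ directly so the response comes from the location block that sets the headers
$resp = Invoke-WebRequest -Uri "https://$dnsName/ui/" -UseBasicParsing
$expected = @{
    'Strict-Transport-Security' = 'max-age=31536000; includeSubDomains'
    'X-Content-Type-Options'    = 'nosniff'
}
foreach ($name in $expected.Keys) {
    $actual = @($resp.Headers[$name]) -join ','
    if ($actual -ne $expected[$name]) { throw "$name is '$actual', expected '$($expected[$name])'" }
}

# The configuration above defines no plain-HTTP listener; report whether port 80 answers
$http = Test-NetConnection -ComputerName $dnsName -Port 80 -WarningAction SilentlyContinue
"HTTPS status $($resp.StatusCode); port 80 open: $($http.TcpTestSucceeded)"
```

A certificate error from Invoke-WebRequest at this point means the certificate is missing from the trusted store or its names do not cover the DNS name being requested.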