SSL

ARTIFACTORY: Installation Quick Start Guide - Docker-compose
AuthorFullName__c
Ino Choi
articleNumber
000005198
FirstPublishedDate
2022-01-13T19:31:41Z
lastModifiedDate
2022-01-13
VersionNumber
25

In case SSL (HTTPS) connection to Artifactory is required, you can configure a reverse proxy such as Nginx or Apache in front of Artifactory. For Docker-Compose installation, you can find the Nginx Docker-Compose template in the “templates” folder under the extracted Docker-Compose folder. You can copy the template to the extracted folder as docker-compose.yaml. Please make sure to add port 443 under artifactory.ports.

version: '3'
services:
  artifactory:
    image: ${DOCKER_REGISTRY}/jfrog/artifactory-pro:${ARTIFACTORY_VERSION}
    container_name: artifactory
    environment:
      - JF_ROUTER_ENTRYPOINTS_EXTERNALPORT=${JF_ROUTER_ENTRYPOINTS_EXTERNALPORT}
    ports:
      - ${JF_ROUTER_ENTRYPOINTS_EXTERNALPORT}:${JF_ROUTER_ENTRYPOINTS_EXTERNALPORT} #
      - 8081:8081 # for artifactory communication
      - 443:443 # for nginx
    volumes:
      - ${ROOT_DATA_DIR}/var:/var/opt/jfrog/artifactory
      - /etc/localtime:/etc/localtime:ro
    restart: always
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "10"
    ulimits:
      nproc: 65535
      nofile:
        soft: 32000
        hard: 40000
  nginx:
    image: ${DOCKER_REGISTRY}/jfrog/nginx-artifactory-pro:${ARTIFACTORY_VERSION}
    container_name: nginx
    depends_on:
      - artifactory
    network_mode: service:artifactory
    volumes:
      - ${ROOT_DATA_DIR}/var/data/nginx:/var/opt/jfrog/nginx
      - /etc/localtime:/etc/localtime:ro
    environment:
      - ART_BASE_URL=http://localhost:${JF_ROUTER_ENTRYPOINTS_EXTERNALPORT}
      - NGINX_LOG_ROTATE_COUNT=${NGINX_LOG_ROTATE_COUNT}
      - NGINX_LOG_ROTATE_SIZE=${NGINX_LOG_ROTATE_SIZE}
      - SSL=true
    restart: always
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "10"
    ulimits:
      nproc: 65535
      nofile:
        soft: 32000
        hard: 40000

Sample NGINX template below:

###########################################################
## this configuration was generated by JFrog Artifactory ##
###########################################################

## add ssl entries when https has been set in config
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_certificate      /etc/ssl/private/server.key;
ssl_certificate_key  /etc/ssl/private/server.crt;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers   on;
## server configuration
server {
    listen 443 ssl;
    listen 80 ;
    server_name ~(?<repo>.+)\.artifactory_host artifactory_host;
    
    if ($http_x_forwarded_proto = '') {
        set $http_x_forwarded_proto  $scheme;
    }
    ## Application specific logs
    ## access_log /var/log/nginx/artifactory_host-access.log timing;
    ## error_log /var/log/nginx/artifactory_host-error.log;
    rewrite ^/$ /ui/ redirect;
    rewrite ^/ui$ /ui/ redirect;
    rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2;
    chunked_transfer_encoding on;
    client_max_body_size 0;
    location / {
    proxy_read_timeout  2400s;
    proxy_pass_header   Server;
    proxy_cookie_path   ~*^/.* /;
    proxy_buffer_size 128k;
    proxy_buffers 40 128k;
    proxy_busy_buffers_size 128k;
    proxy_pass          http://localhost:8082;
    proxy_set_header    X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
    proxy_set_header    X-Forwarded-Port  $server_port;
    proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
    proxy_set_header    Host              $http_host;
    proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;

        location ~ ^/artifactory/ {
            proxy_pass    http://localhost:8081;
        }
    }
}

Reverse proxies can also be configured to handle load balancing traffic between nodes. In NGINX’s case, you can add this snippet at the top: 
 

upstream artifactory {
    server 10.150.0.222:8082;
    server <additional node IP>:8082;
}
upstream artifactory-direct {
    server 10.150.0.222:8081;
    server <additional node IP>:8081;
}

Then, modify the proxy_pass lines to be
 

proxy_pass http://localhost:8082; → proxy_pass          http://artifactory;
proxy_pass http://localhost:8081; → proxy_pass    http://artifactory-direct;

Otherwise you may use a dedicated load balancer to handle traffic balancing. 

Note that to support docker requests, you’ll need a reverse proxy or load balancer to handle request rewrites. Also, if you are planning on having a load balancer terminating SSL, and a reverse proxy, you’ll need the below headers to be hard coded to the details of your load balancer:

For NGINX:

proxy_set_header    X-JFrog-Override-Base-Url https://<LBHOST>:<LBPORT>;
proxy_set_header    X-Forwarded-Port  <LBPORT>
proxy_set_header    X-Forwarded-Proto https