Overview: In this article, we will explore the process of implementing HTTP to HTTPS redirection when accessing Artifactory through a web browser. Specifically, we will focus on instances where Artifactory has been installed using helm charts and the default Nginx configuration.
Step 1:
Deploy Artifactory using the default Nginx configuration via the helm charts.
Example:
postgresql:
  enabled: true
  postgresqlPassword: "password"
artifactory:
  license:
    secret: artifactory-cluster-license
    dataKey: artifactory.license
  replicaCount: 1
  resources:
    requests:
      memory: "2Gi"
      cpu: "1"
    limits:
      memory: "3Gi"
      cpu: "2"
  nodeSelector:
    jfrog: artifactory
  masterKeySecretName: masterkey-secret
  joinKeySecretName: joinkey-secret
nginx:
  enabled: true
databaseUpgradeReady: true
Step 2:
Upon successful deployment, execute a "kubectl exec" command on the Nginx pod and proceed to navigate to the directory located at "/etc/nginx/conf.d".
Step 3:
Duplicate the entire artifactory.conf file from the directory located at "/etc/nginx/conf.d" and transfer it to your local machine.
Example artifactory.conf:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_certificate /var/opt/jfrog/nginx/ssl/tls.crt;
ssl_certificate_key /var/opt/jfrog/nginx/ssl/tls.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers on;
## server configuration
server {
  listen 443 ssl;
  listen 80;
  server_name ~(?<repo>.+)\.jfrt-artifactory jfrt-artifactory;
  if ($http_x_forwarded_proto = '') {
    set $http_x_forwarded_proto $scheme;
  }
  ## Application specific logs
  ## access_log /var/log/nginx/artifactory-access.log timing;
  ## error_log /var/log/nginx/artifactory-error.log;
  rewrite ^/artifactory/?$ / redirect;
  if ( $repo != "" ) {
    rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break;
  }
  chunked_transfer_encoding on;
  client_max_body_size 0;
  location / {
    proxy_read_timeout 900;
    proxy_pass_header Server;
    proxy_cookie_path ~*^/.* /;
    proxy_pass http://jfrt-artifactory:8082/;
    proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header Strict-Transport-Security always;
    location /artifactory/ {
      if ( $request_uri ~ ^/artifactory/(.*)$ ) {
        proxy_pass http://jfrt-artifactory:8081/artifactory/$1;
      }
      proxy_pass http://jfrt-artifactory:8081/artifactory/;
    }
    location /pipelines/ {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_pass http://jfrt-artifactory:8082;
    }
  }
}
Step 4: In the local copy of artifactory.conf, modify the server block so that ports 80 and 443 are handled by separate server blocks, each with its own listen directive. The port 80 block must return a 301 redirect to the https endpoint, so that requests reaching the Artifactory host on port 80 are redirected.
Example:
server {
  listen 80;
  server_name ~(?<repo>.+)\.jfrt-artifactory jfrt-artifactory;
  return 301 https://$host$request_uri;
}
server {
  listen 443 ssl;
  server_name ~(?<repo>.+)\.jfrt-artifactory jfrt-artifactory;
  if ($http_x_forwarded_proto = '') {
    set $http_x_forwarded_proto $scheme;
  }
  ## ... remaining directives unchanged from the original server block ...
}
Step 5:
Utilizing the updated artifactory.conf file, generate a configmap within the namespace where Artifactory was initially installed in step 1.
kubectl create configmap nginx-artifactory-conf --from-file=artifactory.conf -n jfrog
Step 6: After creating the configmap [nginx-artifactory-conf], proceed to update the values.yaml file with the relevant configmap name for nginx, as demonstrated below:
nginx:
  enabled: true
  customArtifactoryConfigMap: nginx-artifactory-conf
Step 7: Upon completion of the modifications, the values.yaml file will reflect the following configuration:
postgresql:
  enabled: true
  postgresqlPassword: "password"
artifactory:
  license:
    secret: artifactory-cluster-license
    dataKey: artifactory.license
  replicaCount: 1
  resources:
    requests:
      memory: "2Gi"
      cpu: "1"
    limits:
      memory: "3Gi"
      cpu: "2"
  nodeSelector:
    jfrog: artifactory
  masterKeySecretName: masterkey-secret
  joinKeySecretName: joinkey-secret
nginx:
  enabled: true
  customArtifactoryConfigMap: nginx-artifactory-conf
databaseUpgradeReady: true
Step 8: To conclude, execute a "helm upgrade" command using the updated values.yaml file, after which you should be able to access Artifactory via a web browser using the http endpoint and observe automatic redirection to https.
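A pre-flight check for the edited file, as an added example that is not part of the original article or of JFrog's tooling: the hypothetical function lint_redirect_conf fails if any server block still listens on port 80 without the 301 redirect from step 4. It also warns about two settings visible in the step 3 file: a Strict-Transport-Security header whose value is "always" with no max-age, and TLSv1/TLSv1.1 in ssl_protocols. The sample configs are constructed (trimmed from the configs above), and the brace counting assumes no braces inside regexes.

```shell
# Added example (not JFrog tooling): prints findings, non-zero exit status on any FAIL.
lint_redirect_conf() {
  awk '
    function finish() {  # judge one completed server block
      if (p80 && p443)   { print "FAIL server " n ": listens on both 80 and 443"; bad = 1 }
      if (p80 && !redir) { print "FAIL server " n ": port 80 lacks return 301 https://"; bad = 1 }
    }
    { line = $0; sub(/#.*/, "", line) }  # ignore comments
    depth == 0 && line ~ /^[ \t]*server[ \t]*[{]/ { n++; srv = 1; p80 = p443 = redir = 0 }
    srv && line ~ /^[ \t]*listen[ \t]+(.*:)?80[ \t;]/  { p80 = 1 }
    srv && line ~ /^[ \t]*listen[ \t]+(.*:)?443[ \t;]/ { p443 = 1 }
    srv && depth == 1 && line ~ /^[ \t]*return[ \t]+301[ \t]+https:\/\// { redir = 1 }
    # add_header syntax is: name value [always]; an HSTS value must carry max-age
    line ~ /add_header[ \t]+Strict-Transport-Security/ && line !~ /max-age=/ {
      print "WARN line " NR ": Strict-Transport-Security value has no max-age"
    }
    line ~ /ssl_protocols/ && line ~ /TLSv1(\.1)?[ \t;]/ {  # deprecated by RFC 8996
      print "WARN line " NR ": TLSv1/TLSv1.1 enabled"
    }
    {  # brace depth maps each directive to its enclosing block
      depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
      if (srv && depth == 0) { finish(); srv = 0 }
    }
    END { exit bad + 0 }
  ' "${1:--}"
}
# Constructed samples, trimmed from the step 3 and step 4 configs.
sample_before() { cat <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
server {
  listen 443 ssl;
  listen 80;
  location / {
    add_header Strict-Transport-Security always;
  }
}
EOF
}
sample_after() { cat <<'EOF'
server {
  listen 80;
  return 301 https://$host$request_uri;
}
server {
  listen 443 ssl;
}
EOF
}
sample_before | lint_redirect_conf || echo "fix FAIL findings before creating the configmap"
```

Run it as `lint_redirect_conf artifactory.conf` against the local copy before creating the configmap in step 5.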