SSL

ARTIFACTORY: Installation Quick Start Guide - Linux Archive

Author: Lawrence Fung
Article number: 000005197
Source: Salesforce
First published: 2022-01-13T19:27:31Z
Last modified: 2022-01-13
Version: 15

If HTTPS is required, you can set up an nginx reverse proxy in front of Artifactory. A reverse proxy configuration can be generated in the Artifactory UI under Administration -> Artifactory -> HTTP Settings and then copied into your nginx config. You must supply your own SSL certificate and key and place them at the paths specified in the nginx config. Below is a sample configuration for reference.

###########################################################
## this configuration was generated by JFrog Artifactory ##
###########################################################

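## add ssl entries when https has been set in config
## TLSv1 and TLSv1.1 are deprecated (RFC 8996); remove them unless legacy clients require them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
## ssl_certificate takes the certificate file, ssl_certificate_key the private key
ssl_certificate      /etc/ssl/private/server.crt;
ssl_certificate_key  /etc/ssl/private/server.key;
ssl_session_cache shared:SSL:1m;
ssl_prefer_server_ciphers   on;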
## server configuration
server {
    listen 443 ssl;
    listen 80 ;
    server_name ~(?<repo>.+)\.artifactory_host artifactory_host;
    
    if ($http_x_forwarded_proto = '') {
        set $http_x_forwarded_proto  $scheme;
    }
    ## Application specific logs
    ## access_log /var/log/nginx/artifactory_host-access.log timing;
    ## error_log /var/log/nginx/artifactory_host-error.log;
    rewrite ^/$ /ui/ redirect;
    rewrite ^/ui$ /ui/ redirect;
    rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2;
    chunked_transfer_encoding on;
    client_max_body_size 0;
    location / {
        proxy_read_timeout  2400s;
        proxy_pass_header   Server;
        proxy_cookie_path   ~*^/.* /;
        proxy_buffer_size 128k;
        proxy_buffers 40 128k;
        proxy_busy_buffers_size 128k;
        proxy_pass          http://localhost:8082;
        proxy_set_header    X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
        proxy_set_header    X-Forwarded-Port  $server_port;
        proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header    Host              $http_host;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;

        location ~ ^/artifactory/ {
            proxy_pass    http://localhost:8081;
        }
    }
}
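A pre-reload check for the TLS directives in a configuration like the sample above: it confirms that ssl_certificate names a certificate and ssl_certificate_key a private key, and flags TLSv1/TLSv1.1 in ssl_protocols. This is an added example, not JFrog or nginx code; the function names and the placeholder PEM files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not JFrog code): lint an nginx TLS config for swapped
# certificate/key paths and deprecated protocol versions.

# Print the first argument of directive $1 in config file $2.
directive_value() {
    awk -v d="$1" '$1 == d { sub(/;$/, "", $2); print $2; exit }' "$2"
}

# Print one finding per line; return 1 if anything was found, else 0.
check_nginx_tls() {
    conf=$1; rc=0
    cert=$(directive_value ssl_certificate "$conf")
    key=$(directive_value ssl_certificate_key "$conf")
    # ssl_certificate must name the PEM certificate, never the private key.
    if [ -r "$cert" ] && grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$cert"; then
        echo "SWAPPED ssl_certificate: $cert holds a private key"; rc=1
    fi
    if [ -r "$key" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$key"; then
        echo "SWAPPED ssl_certificate_key: $key holds a certificate"; rc=1
    fi
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2/1.3 do not match.
    if grep -Eq '^[[:space:]]*ssl_protocols[[:space:]].*TLSv1(\.1)?([[:space:]]|;)' "$conf"; then
        echo "WEAK ssl_protocols: TLSv1 and/or TLSv1.1 enabled"; rc=1
    fi
    return "$rc"
}

# Constructed sample: placeholder PEM files (headers only, no key material)
# and a config in directory $1. $2 is "swapped" or "fixed".
make_sample() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(placeholder)' \
        '-----END CERTIFICATE-----' > "$dir/server.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' '(placeholder)' \
        '-----END PRIVATE KEY-----' > "$dir/server.key"
    if [ "$2" = swapped ]; then c=server.key; k=server.crt; p='TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'
    else c=server.crt; k=server.key; p='TLSv1.2 TLSv1.3'; fi
    printf '%s\n' "ssl_protocols $p;" "ssl_certificate      $dir/$c;" \
        "ssl_certificate_key  $dir/$k;" > "$dir/nginx.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp" swapped
check_nginx_tls "$tmp/nginx.conf" || true
rm -rf "$tmp"
```

Against a real deployment, call check_nginx_tls with the path of the file that holds the ssl_* directives, then run `nginx -t` before reloading.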

Reverse proxies can also be configured to handle load balancing traffic between nodes. In NGINX’s case, you can add this snippet at the top: 

upstream artifactory {
    server 10.150.0.222:8082;
    server <additional node IP>:8082;
}
upstream artifactory-direct {
    server 10.150.0.222:8081;
    server <additional node IP>:8081;
}

Alternatively, you may use a dedicated load balancer to handle traffic balancing.
If you use the NGINX upstream blocks above, modify the proxy_pass lines as follows:

proxy_pass http://localhost:8082; → proxy_pass          http://artifactory;
proxy_pass http://localhost:8081; → proxy_pass    http://artifactory-direct;

Note that to support Docker requests, you’ll need a reverse proxy or load balancer to handle request rewrites. Also, if you plan to have a load balancer terminating SSL together with a reverse proxy, the headers below must be hard-coded to the details of your load balancer:

For NGINX: 

proxy_set_header    X-JFrog-Override-Base-Url https://<LBHOST>:<LBPORT>;
proxy_set_header    X-Forwarded-Port  <LBPORT>;
proxy_set_header    X-Forwarded-Proto https;