Set up mTLS Verification and Certificate Termination on the Reverse Proxy

JFrog Artifactory Documentation

Products: JFrog Artifactory
Content Type: User Guide

Setting up mTLS requires you to first configure mTLS verification and certificate termination on your reverse proxy. For example, an Nginx configuration should include something like this:

# Request a client certificate; verify it if one is presented, but still
# accept connections without one (so other authentication methods keep working).
ssl_verify_client      optional;
# Maximum chain length between the client certificate and a trusted CA.
ssl_verify_depth       2;
# Bundle of trusted client CA certificates (PEM).
ssl_client_certificate /path/to/client-ca.crt;
...
# Drop any X-JFrog-Client-Cert header supplied by the client; an empty value
# means Nginx sends no header of that name upstream.
proxy_set_header X-JFrog-Client-Cert "";
# Forward the verified client certificate (URL-escaped PEM); the variable is
# empty when no certificate was presented, so the header is then omitted.
proxy_set_header X-JFrog-Client-Cert $ssl_client_escaped_cert;

Note

The client-ca.crt above is an example of a single PEM file containing all trusted client CA certificates.

The reverse proxy must be responsible (by configuration) for:

  • Always removing the custom header from all incoming requests, so that a malicious user cannot add the header themselves and trick the platform into accepting it as an authentication and authorization mechanism

  • Adding the custom header containing the client certificate only to requests that were successfully mTLS-verified

After setting up your reverse proxy, when a request is performed with mTLS and verification succeeds, the reverse proxy must add a custom header containing the client certificate in PEM format (refer to the proxy_set_header X-JFrog-Client-Cert line in the code example above).

Note that you can also use your own custom header instead of X-JFrog-Client-Cert. If you choose to do so, you must set the same header name via the header-name key in the system.yaml file (see configuration example below) so that the JFrog Platform reads the same header.
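The following is an added example, not configuration from the JFrog documentation, that puts the two proxy responsibilities above into one complete Nginx server block: TLS termination, client certificate verification against the client-CA bundle, unconditional removal of any client-supplied X-JFrog-Client-Cert header, and forwarding of the certificate only when Nginx reports a successful verification. The hostname, certificate paths and the upstream address (127.0.0.1:8082) are assumptions for illustration.

```nginx
# Added example (not from the JFrog documentation). Hostname, paths and the
# upstream address are assumptions; adjust them to your deployment.

upstream artifactory {
    server 127.0.0.1:8082;   # assumed address of the JFrog Platform router
}

# Resolve to the URL-escaped PEM client certificate only when verification
# succeeded. With "ssl_verify_client optional", requests that present no
# certificate still reach the backend; for them $ssl_client_verify is "NONE",
# the variable below is empty, and the header is therefore not sent.
map $ssl_client_verify $jfrog_client_cert {
    "SUCCESS" $ssl_client_escaped_cert;
    default   "";
}

server {
    listen 443 ssl;
    server_name artifactory.example.com;   # assumed hostname

    # Server certificate and key used for TLS termination (assumed paths).
    ssl_certificate     /etc/nginx/certs/artifactory.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/artifactory.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # mTLS verification: request a client certificate and verify it against a
    # single PEM bundle of trusted client CAs (assumed path). A certificate
    # that is presented but fails verification is rejected by Nginx itself.
    ssl_verify_client      optional;
    ssl_verify_depth       2;
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;

    location / {
        proxy_pass http://artifactory;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Never relay a client-supplied X-JFrog-Client-Cert. Defining the
        # header here replaces whatever the client sent, and an empty value
        # means Nginx sends no header of that name at all.
        proxy_set_header X-JFrog-Client-Cert "";
        # Send the verified certificate (URL-escaped PEM) only when the map
        # above produced a value, i.e. only for mTLS-verified requests.
        proxy_set_header X-JFrog-Client-Cert $jfrog_client_cert;
    }
}
```

Two practical checks: the `$ssl_client_escaped_cert` variable requires Nginx 1.13.5 or later, and the whole scheme only holds if the reverse proxy is the sole path to the platform. If clients can reach the Artifactory port directly, bypassing the proxy, they can set X-JFrog-Client-Cert themselves, so the backend port must be firewalled to accept connections from the proxy only. If you rename the header, change it in both proxy_set_header lines and in the header-name key of system.yaml.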