Set up mTLS Verification and Certificate Termination on the Reverse Proxy

JFrog Artifactory Documentation

JFrog Artifactory
Content Type
User Guide

Setting up mTLS requires you to first set up mTLS verification and certificate termination on your reverse proxy.For example, using Nginx should include something like this:

ssl_verify_client      optional;
ssl_verify_depth       2;
ssl_client_certificate /path/to/client-ca.crt;
proxy_set_header X-JFrog-Client-Cert "";
proxy_set_header X-JFrog-Client-Cert $ssl_client_escaped_cert;


Theclient-ca.crtabove is an example of a single file with all trusted client CA certificates.

The reverse proxy should be responsible (by configuration) for:

  • Always removing the custom header from all incoming requests, to prevent a malicious user from adding such header on their own, tricking the platform to accept the header as an authentication and authorization mechanism

  • Adding to the request the custom header with the client certificate only for requests that were successfully mTLS-verified

After setting your reverse proxy, when a request is performed with mTLS, upon successful verification, the reverse proxy must add a custom header with the client certificate in PEM format (refer to the proxy_set_header X-JFrog-Client-Cert in the code example above).

Note that you can also set up your own custom header instead ofX-JFrog-Client-Cert.If you choose to do so, you will need to set the same header via theheader-namein the system.yaml file (see configuration example below) for the JFrog Platform to use the same header.