How to configure Artifactory as a Docker registry with F5 (BIG-IP) and HTTPS?

Kfir Avraham
2023-01-22 11:09

 

Please note, following breaking changes introduced in Artifactory version 7.x, below there are the required iRule configurations for both, Artifactory versions below version 7.x and for Artifactory versions 7.x and above to be used accordingly.

The Repository Path method:

From Artifactory version 5.8 it is possible to work with Artifactory as a Docker registry with the Repository Path method, with this method it is possible to work with Artifactory without the need of a reverse proxy configuration.
If you would like to use the Repository Path method and have an HTTPS connection, it is possible achieve it by configuring a reverse proxy in front Artifactory. 
Furthermore, in case the reverse proxy is Nginx or Apache, you may simply generate the required configuration for the proxy from Artifactory UI.

Otherwise, in case F5's BIG-IP  is configured to work with secure connection in front of Artifactory it will be required to add the following iRule to the F5's BIG-IP Virtual Server configuration:

For Artifactory versions below 7.x:

when HTTP_REQUEST {
set ARTI_PROTO https
set ARTI_HOST <server-name>
HTTP::header insert X-Artifactory-Override-Base-Url "$ARTI_PROTO://$ARTI_HOST/artifactory"
HTTP::header insert X-Forwarded-Proto "$ARTI_PROTO"
}

For Artifactory versions 7.x and above:

when HTTP_REQUEST {
set ARTI_PROTO https
set ARTI_HOST <server-name>
HTTP::header insert X-JFrog-Override-Base-Url $ARTI_PROTO://$ARTI_HOST
HTTP::header insert X-Forwarded-Proto "$ARTI_PROTO"
}

 

The Subdomain method:

To configure F5's BIG-IP in order to work with Artifactory as a Docker registry with the Subdomain method and HTTPS connection, it will be required to add the following iRule to the F5's BIG-IP Virtual Server configuration:

For Artifactory versions below 7.x:
 

when HTTP_REQUEST {
if { [HTTP::host] contains "docker" && [HTTP::uri] starts_with "/v2/" } {
set ARTI_PROTO https
set ARTI_HOST <server-name>
scan [HTTP::host] %\[^.\].%\[^.\].%\[^.\].%\[^.\].%s REPO APP ENV DOMAIN TLD
HTTP::uri /artifactory/api/docker/$REPO[HTTP::uri]
HTTP::header insert X-Forwarded-Proto "$ARTI_PROTO"
HTTP::header insert X-Artifactory-Override-Base-Url "$ARTI_PROTO://$ARTI_HOST/artifactory"
}
}

 

For Artifactory versions 7.x and above:
 

when HTTP_REQUEST {
if { [HTTP::host] contains "docker" && [HTTP::uri] starts_with "/v2/" } {
set ARTI_PROTO https
set ARTI_HOST <server-name>
scan [HTTP::host] %\[^.\].%\[^.\].%\[^.\].%\[^.\].%s REPO APP ENV DOMAIN TLD
HTTP::uri /artifactory/api/docker/$REPO[HTTP::uri]
HTTP::header insert X-Forwarded-Proto "$ARTI_PROTO"
HTTP::header insert X-JFrog-Override-Base-Url $ARTI_PROTO://$ARTI_HOST
}
}

 

The Port method:

To configure F5's BIG-IP in order to work with Artifactory as a Docker registry with the Port method and HTTPS connection, it will be required to add the following iRule to the F5's BIG-IP Virtual Server configuration:

For Artifactory versions below 7.x:
 

when HTTP_REQUEST {
if {[HTTP::uri] starts_with "/v2/" } {
set ARTI_PROTO https
set ARTI_PORT <port>
set ARTI_HOST <server-name>
HTTP::uri /artifactory/api/docker/<repository-name>[HTTP::uri]
HTTP::header insert X-Forwarded-Proto $ARTI_PROTO
HTTP::header insert X-Forwarded-Port $ARTI_PORT
HTTP::header insert X-Artifactory-Override-Base-Url $ARTI_PROTO://$ARTI_HOST:$ARTI_PORT/artifactory
}
}

 

For Artifactory versions 7.x and above:
 

when HTTP_REQUEST {
if {[HTTP::uri] starts_with "/v2/" } {
set ARTI_PROTO https
set ARTI_PORT <port>
set ARTI_HOST<server-name>
HTTP::uri /artifactory/api/docker/<repository-name>[HTTP::uri]
HTTP::header insert X-Forwarded-Proto $ARTI_PROTO
HTTP::header insert X-Forwarded-Port $ARTI_PORT
HTTP::header insert X-JFrog-Override-Base-Url $ARTI_PROTO://$ARTI_HOST:$ARTI_PORT
}
}

*Please refer to our wiki page about Getting Started with Artifactory as a Docker Registry for more information.