How to redirect traffic from 8081 to 443

Summary

How to set up Nginx to redirect Artifactory traffic to HTTPS only.

Description

SSL encryption is a requirement in many organizations. Artifactory by default uses HTTP port 8081 to serve traffic, which means initially CI pipelines and other dev tools will be configured to use this port.

Rather than change all the tools when the switch to HTTPS becomes mandatory, an Nginx reverse proxy can be used to redirect the traffic while also serving as an HTTPS endpoint.

Resolution

Prerequisites:

– An Nginx server installed on the Artifactory host
– Signed SSL Certificates (Optional)

1. Change Artifactory’s Tomcat port from 8081 to 8000

vim /var/opt/jfrog/artifactory/tomcat/conf/server.xml

        <Connector port="8081" sendReasonPhrase="true"/>
<!-- To: -->
        <Connector port="8000" sendReasonPhrase="true"/>

2. Add the following server block to your Nginx configuration:

server {
    #Listen for the Artifactory port
    listen 8081  default_server;
    server_name _;

    #Redirect to HTTPS
    return 301 https://$host:443$request_uri;
}

## add ssl entries when https has been set in config
## You can add a self signed certificate in here, but this returns errors
## for most browsers and clients

ssl_certificate      /etc/nginx/certs/domain.crt; 
ssl_certificate_key  /etc/nginx/certs/domain.key;
ssl_session_cache shared:SSL:1m;

## If you have configured Nginx to work with Docker,
## please follow the steps outlined in step 2A

server {
    listen 443 ssl;
    server_name _;
    location / {
        proxy_pass          http://localhost:8000/;
    }
}

2A. If you have set up Nginx to work with Docker, the 443 block will already be available.

Instead, modify every proxy_pass line in the 443 section of the Nginx configuration so that it points to port 8000, not 8081:

proxy_pass http://localhost:8000/artifactory;

4. Restart Artifactory first

5. Restart Nginx

Nginx will now redirect traffic arriving on port 8081 to port 443, and then forward it to port 8000 on the back end. Once you've verified this setup is correct, you can use iptables to block port 8000 from external traffic.
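The verification and the port 8000 lockdown mentioned above can be scripted as shown here. This is an added example, not part of the original article: the host name artifactory.example.com, the request path /artifactory/api/system/ping and the function names are assumptions, and the iptables rule is printed rather than applied.

```sh
#!/bin/sh
# Added example: checks for the 8081 -> 443 -> 8000 setup described above.

# check_redirect HEADERS HOST URI
# HEADERS is the output of: curl -sI "http://HOST:8081URI"
# Returns 0 only for a 301 whose Location is https://HOST:443URI, which is
# what "return 301 https://$host:443$request_uri;" should produce.
# The request that receives the 301 is still plain HTTP, so anything a
# client sends in it (credentials included) travels unencrypted.
check_redirect() {
    cr_status=$(printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2 }')
    cr_location=$(printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1) == "location:" { print $2; exit }')
    [ "$cr_status" = "301" ] && [ "$cr_location" = "https://$2:443$3" ]
}

# backend_block_rule PORT
# Prints (does not apply) an iptables rule that drops TCP traffic to the
# Tomcat port unless it arrives on the loopback interface, so that only
# the local Nginx can reach Artifactory directly.
backend_block_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s ! -i lo -j DROP\n' "$1"
}

# Constructed sample of the headers Nginx returns for the redirect.
SAMPLE_HEADERS='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://artifactory.example.com:443/artifactory/api/system/ping
Connection: keep-alive'

# Live check, run only when a host is given:
#   sh check.sh artifactory.example.com
if [ -n "${1:-}" ]; then
    uri=/artifactory/api/system/ping   # assumed path; any Artifactory URL works
    if check_redirect "$(curl -sI "http://$1:8081$uri")" "$1" "$uri"; then
        echo "8081 redirects to HTTPS"
    else
        echo "8081 does not redirect as configured" >&2
    fi
    # Run from a different machine: this must fail once the rule is applied.
    curl -s -o /dev/null --connect-timeout 3 "http://$1:8000/" &&
        echo "WARNING: port 8000 is reachable from this machine" >&2
    backend_block_rule 8000
fi
```

The port 8000 probe is only meaningful from another machine, because connections made on the Artifactory host itself arrive on the loopback interface and are not matched by the rule.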

You must use a separate port for Artifactory; Nginx and Artifactory cannot occupy the same port at the same time. 

Perform these actions during a maintenance window, because traffic to Artifactory will fail while the services restart.