What should we whitelist for Artifactory when our Docker registry is behind firewalls and proxy servers?

Balaji Satish
2019-07-14 15:37


When we use Artifactory as a Docker registry (which might be behind a firewall and reverse proxy servers to name a few such as Nginx, Apache), we might need to allow access to external hosts as Docker hub uses several hosts and Content Delivery Network to serve the content.


We may allow the traffic to the below hosts:


Note – At the time of writing this article, the above addresses where tested and validated.
As these are not in JFrog's control, these might change in the future.


If we are seeing Docker layer download failures such as "unknown blob" or one of the layers failing to download, we might need to trace the requests by adding the logger in the $ARTIFACTORY_HOME/etc/logback.xml. 
A restart is not required for the changes to take effect.

<appender name="http" class="ch.qos.logback.core.rolling.RollingFileAppender">
<pattern>%date ${artifactory.contextId}[%thread] [%-5p] \(%-20c{3}:%L\) - %m%n</pattern>
<rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
<triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">

 <logger name="org.apache.http" additivity="false">
<level value="TRACE"/>
<appender-ref ref="http"/>

By using these loggers we can trace if the requests are reaching the correct endpoint.

Be advised to remove the above-added loggers once the requests are captured, having this running in a production server may cause a performance degradation.

We can also trace the traffic flow to the intended endpoint by having a forward proxy such as Charles.
Please see below screenshot for reference.