HTTP Settings

Reverse Proxy Settings

To configure a reverse proxy, in theAdministrationmodule, selectArtifactory|HTTP Settings.

Add your settings, save and clickDownloadto generateyour reverse proxy snippet.Place the configuration file in the right place under your reverse proxy server installation and reload the configuration.

proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$:

Using a Load Balancer in High Availability Setups

When configuring Artifactory in a High Availability (HA) setup, Artifactory will automatically adjust the provided settings to include a Load Balancing section within the HTTP settings, allowing for proxying more than one Artifactory instance.

Docker Reverse Proxy Settings

When using Artifactory as an on-prem private Docker registry, the Docker client can access Artifactory through a reverse proxy or directly through Artifactory's embedded Tomcat.

Using a Reverse Proxy

The Docker client can access Artifactory through a reverse proxy using theSubdomain Method(recommended) or through thePorts Method.

For each of these methods, your Docker repositories must be configured with the corresponding Reverse Proxy settings in theDocker Repository ConfigurationAdvancedtab.TheReverse Proxy Configurationscreen also sets up your Docker Repository configuration.

Using Subdomain

If you selectSubdomainas theReverse Proxy Method, when configuring a Docker Repository, theRegistry Namein theDocker Repository ConfigurationAdvancedtab will be set automatically to the required value, and will use theRepository Keyas theSubdomain.

Using Port Bindings

If you selectPortas theReverse Proxy Method, when configuring a Docker Repository, you will need to set theRegistry Portin theDocker Repository ConfigurationAdvancedtab. Together with thePublic Server Name, this is the port the Docker client will use to pull images from and push images to the repository. Note that in order for all of your Docker repositories to be included in your reverse proxy configuration, first you need to set the port for each Docker repository defined in your system, and only then generate the reverse proxy configuration. Note also that each repository must be bound to a unique port

Using Direct Access

To access your Docker repositoriesWithout a Reverse Proxy, you should select Repository Path as the Docker Access Method in the Docker Setting Panel of the HTTP Settings screen.

Configuring a Reverse Proxy to Support mTLS

From Artifactory release 7.38.4, you can also authenticate users usingmTLS. To do so will require a reverse proxy and some setup on the front reverse proxy (Nginx).

Configure the Nginx Proxy for Self-hosted Customers

To configure the Nginx proxy, you will need to set this configuration in theNginx configuration file, and to set the Platform configuration via thesystem.yamlfile. SeeConfiguring Nginxfor details.

1. Set up mTLS by providing a trusted certificate for the JFrog Platform to trust. The trusted certificate can be either the actual client certificate to trust or a CA certificate - to trust any certificate signed by it (preferred).
2. Then, use the client certificates to authenticate API requests with the JFrog Platform (requests from untrusted client certificates will be blocked).

3. You will be able to revoke certificates by revoking (removing) the provided trusted certificate(s). You can also revoke a specific client certificate without requiring revoking the trusted CA certificate using the OCSP protocol.
   

   You will be able to revoke certificates byrevoking (removing) the provided trusted certificate(s). You can also revoke a specific client certificate without requiring revoking the trusted CA certificate.

Setting up mTLS Verification and Certificate Termination on the Reverse Proxy

Setting up mTLS requires you to first set up mTLS verification and certificate termination on your reverse proxy.For example, usingNginxshould include something like this:

ssl_verify_client optional; ssl_verify_depth 2; ssl_client_certificate /path/to/client-ca.crt; ... proxy_set_header X-JFrog-Client-Cert ""; proxy_set_header X-JFrog-Client-Cert $ssl_client_escaped_cert;

The reverse proxy should be responsible (by configuration) for:

• Always removing the custom header from all incoming requests, to prevent a malicious user from adding such header on their own, tricking the platform to accept the header as an authentication and authorization mechanism
• Addingto the request thecustom headerwith the client certificateonly for requests that were successfully mTLS-verified

After setting your reverse proxy, when a request is performed with mTLS, upon successful verification, the reverse proxy must add a custom header with the client certificate in PEM format (refer to theproxy_set_header X-JFrog-Client-Certin the code example above).

Note that you can also set up yourown custom headerinstead ofX-JFrog-Client-Cert.If you choose to do so, you will need to set the same header via theheader-namein thesystem.yamlfile (see configuration example below) for the JFrog Platform to use the same header.

Support User Identity Extraction for Request Authorization

You will be able to use your client certificate to authenticate and authorize requests in the JFrog Platform, without the need to send additional credentials, as long as the client certificate embeds the user identity.

为客户authenticat支持基于用户访问ing with mTLS, you can have your certificate contain a username, and the JFrog Platform will only allow access to resources to which that user has permissions.

For example, your certificate's subject might look something like this, whereby Subject: C=IL, L=Netanya, O=Maldin, OU=DO, CN=myuser@www.si-fil.com, and where the username you are after is "myuser" from the Subject's CN. In this case, you can set theAccess YAML Configurationto look something like this:

security: authentication: mtls: # Mutual-TLS authentication configuration enabled: true # if true then mTLS is enabled extraction-regex: [^@]+(?=\d{0,}@) # regular expression used to extract the username from the certificate's subject CN

You can also set your regular expression to be what ever you need, in order to parse the username as it is defined in the JFrog Platform from the subject’s CN attribute.

Reverse Proxy to Support mTLS Flow

1. The client sends a request to the JFrog Platform.
2. Ifthe request includes a client certificate:
   1. The JFrog Platform will authenticate the client certificate using the configured trusted certificates and verify that the certificate has not been revoked. If the client certificate is authenticated successfully,the procedure will continue; otherwise it is blocked.

   2. The JFrog Platform will then try to extract the user identity from the client certificate.
      If the user identity was extracted successfully, the procedure will continue; otherwise it will fall back to relying on additional user authentication information (e.g., basic credentials, bearer token).
      

      If the JFrog Platform is configured to require client certificates, then the request will be blocked; otherwise it will continue with the existing authorization mechanisms without mTLS.

REST API

Artifactoryalso supports managing reverse proxy configuration through the REST API using the following endpoints: