
Overview

In many cases, an organization may provide access to Artifactory through a reverse proxy such as NGINX or Apache. In some cases, for example with Docker, this setup is even mandatory. To simplify configuring a reverse proxy, from version 4.3.1, Artifactory provides a Reverse Proxy Configuration Generator screen in which you can fill in a set of fields to generate the required configuration snippet, which you can then download and install directly in the corresponding directory of your reverse proxy server. You can also use the REST API to manage reverse proxy configuration.

For best security, when using Artifactory behind a reverse proxy, it must be co-located on the same machine as the web server, and Artifactory should be explicitly and exclusively bound to localhost.

We also recommend that you set your Custom URL Base to match your Artifactory Server Name.



Reverse Proxy Settings

To configure a reverse proxy, in the Admin module, select Configuration | HTTP Settings and execute the following steps in the Reverse Proxy Settings panel:

  • Fill in the fields according to your configuration.
  • Generate the configuration file. You may click the icons in the top right of the screen to view your configuration (which you may copy) or download it as a text file.
  • Place the configuration file in the right place under your reverse proxy server installation and reload the configuration.

Using NGINX? Note these requirements.

To use NGINX as a reverse proxy to work with Docker, you need NGINX v1.3.9 or higher.

The NGINX configuration file should be placed under the sites-enabled directory.

For more details, please refer to Configuring NGINX.

Using Apache? Note these requirements.

Some features in the Apache configuration are supported from Apache HTTP Server v2.4.

To use Apache as your reverse proxy server, make sure you have the following modules installed and activated:

  • proxy_http
  • proxy_ajp
  • rewrite
  • deflate
  • headers
  • proxy_balancer
  • proxy_connect
  • proxy_html
  • ssl
  • lbmethod_byrequests
  • slotmem_shm
  • proxy

Support to generate Apache reverse proxy configuration is available from Artifactory version 4.4.1.

For more details, please refer to Configuring Apache.

Best practice

When using a reverse proxy, we recommend passing it the X-Artifactory-Override-Base-Url header as follows:

For NGINX:

proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$:/

              

For Apache:

RewriteCond %{REQUEST_SCHEME} (.*)
RewriteRule (.*) - [E=my_scheme:%1]
[...]
RequestHeader set X-Artifactory-Override-Base-Url %{my_scheme}e:///
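The two recommendations above (Artifactory reachable only on localhost behind a co-located proxy, and the X-Artifactory-Override-Base-Url header) can be checked against an NGINX snippet before it is installed. This is an added example, not code from Artifactory or from the original page; the sample configuration and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample shaped like an NGINX reverse proxy snippet (not generator output).
SAMPLE_CONF = """
upstream artifactory {
    server 10.0.0.12:8081;   # member on another machine
}
server {
    server_name artprod.mycompany.org;
    location /artifactory/ {
        proxy_pass http://localhost:8081/artifactory/;
    }
    location /v2/ {
        proxy_pass http://artifactory/artifactory/;
    }
}
"""

def host_of(authority):
    """Drop the port from host:port, including bracketed IPv6 such as [::1]:8081."""
    if authority.startswith("["):
        return authority[1:authority.index("]")]
    return authority.rsplit(":", 1)[0]

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name cannot be proven local from the config

def audit(conf):
    """Return findings for non-loopback backends and a missing override header."""
    conf = re.sub(r"#.*", "", conf)  # ignore comments
    upstreams = {name: re.findall(r"\bserver\s+([^;\s]+)", body)
                 for name, body in re.findall(r"\bupstream\s+(\S+)\s*\{([^}]*)\}", conf)}
    findings = []
    for authority in re.findall(r"\bproxy_pass\s+https?://([^/;\s]+)", conf):
        # The proxy_pass host may name an upstream group; check its members instead.
        for target in upstreams.get(authority, [authority]):
            if not is_loopback(host_of(target)):
                findings.append(f"backend {target} is not loopback")
    if not re.search(r"\bproxy_set_header\s+X-Artifactory-Override-Base-Url\s+\S", conf, re.I):
        findings.append("X-Artifactory-Override-Base-Url is not set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

In NGINX, `$http_x_forwarded_proto` holds whatever X-Forwarded-Proto value arrived on the request, so when NGINX is the first hop it is empty or client-supplied, whereas `$scheme` is NGINX's own view of the connection.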



Web Server Type

The reverse proxy type. Currently NGINX and Apache are supported.

Selecting Embedded Tomcat actually means that you are accessing Artifactory as a Docker registry using the Repository Path method, so the Tomcat embedded within Artifactory is routing requests from your Docker client to your Artifactory Docker registries.

Artifactory Server Name
The internal server name for Artifactory. If Artifactory is installed on the same machine as the Web Server (as urged above for best security) you can use localhost. Otherwise use the IP address or the machine name.
Artifactory Port
The port configured for Artifactory. The default value is 8081.
Artifactory Context Path
The path which will be used to access Artifactory. If Artifactory is accessible at the root of the server, leave this field empty.
Balance Members (Apache)
Upstream Name (NGINX)

Only available in an Artifactory HA installation. Defines the group of servers in the HA cluster for load balancing. (default: artifactory).

For more details, please refer to the NGINX documentation or Apache documentation accordingly.

Multiple Artifactory instances under the same domain

If using multiple Artifactory instances under the same domain, e.g. artdev.mycompany.org and artprod.mycompany.org, you must assign a different balance members / upstream name to each cluster configuration, since the session cookies will be available to both clusters and can cause an issue if you try to access both clusters at the same time.

Public Server Name
The server name which will be publicly used to access Artifactory within the organization.
Public Context Path
The path which will be publicly used to access Artifactory. If Artifactory is accessible at the root of the server, leave this field empty.

You can configure access to Artifactory via HTTP, HTTPS or both (at least one is required). For each of these check boxes that you set, you need to fill in the corresponding fields as follows:

Use HTTP
When set, Artifactory will be accessible via HTTP at the corresponding port that is set.
HTTP Port
The port for access via HTTP. The default value is 80.
Use HTTPS
When set, Artifactory will be accessible via HTTPS at the corresponding port that is set.
HTTPS Port
The port for access via HTTPS. The default value is 443.
SSL Key Path
The full path to the key file for access via HTTPS.
SSL Certificate Path
The full path to the certificate file for access via HTTPS.

Docker Reverse Proxy Settings

When using Artifactory as an on-prem private Docker registry, the Docker client can access Artifactory through a reverse proxy or directly through Artifactory's embedded Tomcat.

JFrog Artifactory SaaS Docker Registries

Note that accessing an Artifactory Docker registry on a JFrog Artifactory SaaS installation does not use a reverse proxy since it is external to your organization.

Using a Reverse Proxy

The Docker client can access Artifactory through a reverse proxy using the Subdomain method (recommended) or through the Ports method.

For each of these methods, your Docker repositories must be configured with the corresponding Reverse Proxy settings in the Docker Repository Configuration Advanced tab. The Reverse Proxy Configuration screen also sets up your Docker Repository configuration.

Configuring Artifactory as your Docker Registry

This section describes how to obtain your reverse proxy configuration according to whether you are using the subdomain method or port bindings. For full details on configuring Artifactory as a Docker registry using a reverse proxy, please refer to Using a Reverse Proxy in Getting Started with Artifactory as a Docker Registry.

Using Subdomain

If you select Subdomain as the Reverse Proxy Method, when configuring a Docker Repository, the Registry Name in the Docker Repository Configuration Advanced tab will be set automatically to the required value, and will use the Repository Key as the Subdomain.

Wildcard certificate

Using the Subdomain method requires a Wildcard certificate such as *.myservername.org. You also need to ensure that the certificate you use supports the number of levels used in your subdomain.
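The "number of levels" requirement follows from how wildcard names match: the `*` stands for exactly one left-most DNS label. The sketch below is an added example, not part of the original page or of Artifactory; it assumes each registry hostname is formed as `<Repository Key>.<Public Server Name>`, and the repository keys and server names are constructed.

```python
# Constructed example values; the <Repository Key>.<Public Server Name> hostname
# rule is an assumption drawn from the Subdomain description above.
REPO_KEYS = ["docker-local", "docker-virtual"]
CERT_NAMES = ["*.myservername.org"]

def wildcard_covers(pattern, hostname):
    """Match a certificate name against a hostname; '*' covers one label only."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a different number of levels can never match
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def uncovered_registries(repo_keys, public_server_name, cert_names):
    """List Docker registry hostnames that none of the certificate names match."""
    missing = []
    for key in repo_keys:
        host = f"{key}.{public_server_name}"
        if not any(wildcard_covers(name, host) for name in cert_names):
            missing.append(host)
    return missing

if __name__ == "__main__":
    # Public Server Name at the certificate's own level: every registry is covered.
    print(uncovered_registries(REPO_KEYS, "myservername.org", CERT_NAMES))
    # Public Server Name one level deeper: the same certificate covers none of them.
    print(uncovered_registries(REPO_KEYS, "art.myservername.org", CERT_NAMES))
```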

Docker Settings in HTTP Settings Corresponding HTTP Settings in Docker Repository Advanced Configuration

Docker Settings in Reverse Proxy Configuration Sub domain Method

Using Port Bindings

If you select Port as the Reverse Proxy Method, when configuring a Docker Repository, you will need to set the Registry Port in the Docker Repository Configuration Advanced tab. Together with the Public Server Name, this is the port the Docker client will use to pull images from and push images to the repository. Note that in order for all of your Docker repositories to be included in your reverse proxy configuration, you first need to set the port for each Docker repository defined in your system, and only then generate the reverse proxy configuration. Note also that each repository must be bound to a unique port.

Best Practice

We recommend creating a Docker Virtual Repository which aggregates all of your other Docker repositories, and use that to pull and push images. This way you only need to set up the NGINX configuration for that virtual repository.

Docker Settings in HTTP Settings Corresponding HTTP Settings in Docker Repository Advanced Configuration



Using Direct Access

To access your Docker repositories without using a reverse proxy, you should select Repository Path as the Docker Access Method in the Docker Settings panel of the HTTP Settings screen.

Docker Settings in HTTP Settings Corresponding HTTP Settings in Docker Repository Advanced Configuration



REST API

Artifactory also supports managing reverse proxy configuration through the REST API using the following endpoints:

Get Reverse Proxy Configuration
Retrieves the reverse proxy configuration JSON.
Update Reverse Proxy Configuration
Updates the reverse proxy configuration.
Get Reverse Proxy Snippet
Gets the reverse proxy configuration snippet in text format.






