Question: How can I put JFrog Artifactory behind an Nginx reverse proxy with a Let’s Encrypt SSL certificate?
JFrog Artifactory is a powerful and advanced repository manager designed to integrate with the majority of CI/CD tools to ensure quicker delivery of software from Development to Production.
By default, JFrog Artifactory binds to an IP address and port number on a server, which means access is only via the IP address or domain name and the specified port number. If you’re keen on security, you’ll want to use a reverse proxy such as Nginx to secure access to the JFrog Artifactory server.
In this guide, we will discuss how you can configure Nginx to sit in front of JFrog Artifactory server. We assume you already have a running Artifactory server before you follow this guide. If by any chance you don’t have one, our guides below will be helpful.
Once you have the JFrog Artifactory server set up, proceed to configure Nginx with Let’s Encrypt SSL as a reverse proxy to it.
Step 1: Install Nginx proxy / web server
Install Nginx on the server you want to use for reverse proxy functionalities. This can be the same server running Artifactory or a different server.
# Install Nginx on CentOS / RHEL
sudo yum -y install nginx

# Install Nginx on Fedora
sudo dnf -y install nginx

# Install Nginx on Ubuntu/Debian
sudo apt -y install nginx
Once Nginx web server is installed, start the service and set it to start at system boot.
sudo systemctl start nginx
sudo systemctl enable nginx
Step 2: Install Certbot Tool
Next is the installation of the Certbot tool, which is used to obtain the Let’s Encrypt SSL certificate. Download and install the certbot command line tool.
# Ubuntu / Debian
sudo apt-get update
sudo apt-get install certbot

# Fedora
sudo dnf install certbot

# CentOS / Rocky Linux
sudo dnf -y install epel-release
sudo yum -y install certbot
Check if working:
$ certbot --version
certbot 0.40.0
Step 3: Request for Let’s Encrypt SSL Certificate
You need a working DNS record for the domain or subdomain used by the JFrog Artifactory server, e.g. artifactory.example.com.
You also need to open port 80 to be able to get the certificate, but only if you have an active firewall.
# CentOS / Fedora / RHEL
sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload

# Ubuntu / Debian
sudo ufw allow proto tcp from any to any port 80,443
sudo ufw status
Once that is done, get Let’s Encrypt Certificate:
export DOMAIN="artifactory.example.com"
export ALERTS_EMAIL="[email protected]"

# Stop nginx service
sudo systemctl stop nginx

# Request for Let's Encrypt SSL
sudo certbot certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $ALERTS_EMAIL --keep-until-expiring

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for artifactory.computingpost.com
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/artifactory.computingpost.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/artifactory.computingpost.com/privkey.pem
Your cert will expire on 2019-07-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew all of your certificates, run
"certbot-auto renew"
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Step 4: Configure Nginx
Create an Nginx configuration file for Artifactory.
sudo vim /etc/nginx/conf.d/artifactory.conf
Paste the configuration below into the file.
# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80;
    server_name artifactory.example.com;
    return 301 https://$host$request_uri;
}

# TLS-terminating reverse proxy in front of Artifactory
server {
    listen 443 ssl;
    server_name artifactory.example.com;

    access_log /var/log/nginx/artifactory.jfrog.com-access.log;
    error_log /var/log/nginx/artifactory.jfrog.com-error.log;

    ssl_certificate /etc/letsencrypt/live/artifactory.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/artifactory.example.com/privkey.pem;

    rewrite ^/$ /artifactory/webapp/ redirect;
    rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect;

    chunked_transfer_encoding on;
    # 0 disables the request body size limit so large artifacts can be uploaded
    client_max_body_size 0;

    if ($http_x_forwarded_proto = '') {
        set $http_x_forwarded_proto $scheme;
    }

    location / {
        proxy_read_timeout 900;
        proxy_pass_header Server;
        proxy_cookie_path ~*^/.* /;
        if ( $request_uri ~ ^/artifactory/(.*)$ ) {
            proxy_pass http://127.0.0.1:8081/artifactory/$1;
        }
        proxy_pass http://127.0.0.1:8081/artifactory/;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Replace artifactory.example.com with your Artifactory server domain. When done making changes, validate the Nginx configuration file.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
If the configuration looks fine, start nginx and set it to start at boot.
sudo systemctl restart nginx
sudo systemctl enable nginx
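Added example, not part of the original guide: `nginx -t` only validates syntax, so this Python check parses a config file and reports layout problems it would miss, namely a plain-HTTP server that does not redirect to HTTPS or that proxies directly, and a cleartext `proxy_pass` to a non-loopback backend (relevant when Nginx runs on a different server than Artifactory). The names `parse`, `find`, `audit`, `BAD_CONF` and the address 10.0.0.5 are constructed for illustration.

```python
import re
from urllib.parse import urlparse
# Constructed sample: a broken variant of the guide's layout (no redirect, remote backend).
BAD_CONF = """
server { listen 80; server_name artifactory.example.com; }
server { listen 443 ssl; server_name artifactory.example.com;
  location / { proxy_pass http://10.0.0.5:8081/artifactory/; } }
"""

def parse(tokens):
    """Nest tokens into (name, args, children); children is None for simple directives."""
    out, words = [], []
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok in (";", "{"):
            kids = parse(tokens) if tok == "{" else None
            if words:
                out.append((words[0], words[1:], kids))
            words = []
        else:
            words.append(tok)
    return out

def find(block, name):  # yield every directive called `name` at any depth
    for d in block:
        if d[0] == name:
            yield d
        if d[2]:
            yield from find(d[2], name)

def audit(conf_text):
    """Return layout findings that `nginx -t`, a syntax check, does not report."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # strip comments
    tree = parse(re.findall(r"[{};]|[^\s{};]+", text))  # minimal tokenizer, no quoting
    findings = []
    # Only `server { ... }` blocks; skips `server host:port;` lines inside upstream blocks.
    for body in (d[2] for d in find(tree, "server") if d[2] is not None):
        if not any("ssl" in d[1] for d in body if d[0] == "listen"):
            if not any(d[0] == "return" and d[1][:1] == ["301"]
                       and d[1][-1].startswith("https://") for d in body):
                findings.append("plain-HTTP server does not 301 to https")
            if any(find(body, "proxy_pass")):
                findings.append("plain-HTTP server proxies to the backend")
        for _, args, _ in find(body, "proxy_pass"):
            u = urlparse(args[0])
            if u.scheme == "http" and u.hostname not in ("127.0.0.1", "localhost", "::1"):
                findings.append(f"cleartext proxy_pass to non-loopback host {u.hostname}")
    return findings
```

Run it against the deployed file with `audit(open("/etc/nginx/conf.d/artifactory.conf").read())`; an empty list means the redirect and loopback-proxy layout from Step 4 is intact.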
Step 6: Access JFrog Artifactory Web Interface
Access JFrog Artifactory web interface on http://artifactory.example.com.
You should be redirected from http to https.
You have successfully configured Nginx as a reverse proxy for the JFrog Artifactory server with a Let’s Encrypt SSL certificate.