JFrog Artifactory Series 2 --- Nginx and HTTPS
I. Concepts
1. Where we left off
JFrog Artifactory Series 1 --- Installation and Configuration
2. Configuration approaches
If you want to reach JFrog Artifactory over HTTPS, there are two ways to set it up:
(1) TLS termination at the proxy: TLS is configured on the reverse proxy (load balancer) and the proxy talks to JFrog Artifactory over plain HTTP. That last hop is cleartext, so keep it on the same host or on a network segment you control;
(2) Full HTTPS (end-to-end TLS): TLS is configured on both the proxy (load balancer) and Artifactory, and the proxy talks to JFrog Artifactory over HTTPS;
This post uses the first approach.
3. Note
Running Artifactory behind HTTPS calls for a certificate issued by a CA that the clients already trust. With a self-signed certificate, Maven fails certificate validation and every upload to and download from Artifactory fails. The failure can be worked around on each client (for example by importing the certificate into the JVM truststore), but that means every client has to be touched, so weigh the cost against the benefit.
If Artifactory is only used on an internal network, plain HTTP is an option; bear in mind that credentials, API keys and access tokens then cross the network in cleartext, so anyone on the path can read and replay them.
II. Nginx + HTTPS
1. Installing Nginx
2. Nginx configuration
(1) Create the configuration file
sudo vi /etc/nginx/conf.d/artifactory.conf
(2) Initialize the configuration file. The listen-80 block redirects everything to HTTPS; the listen-443 block terminates TLS and proxies to Artifactory over plain HTTP, port 8082 for the router and UI and port 8081 for the /artifactory/ paths:
# Plain HTTP: redirect every request to the HTTPS host
server {
    listen 80;
    server_name artifactory.example.com;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}

# HTTPS: TLS is terminated here, Artifactory is reached over HTTP
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name .artifactory.example.com;

    # Fall back to the scheme of this request when no upstream proxy set the header
    if ($http_x_forwarded_proto = '') {
        set $http_x_forwarded_proto $scheme;
    }

    ssl_certificate /etc/nginx/ssl/artifactory.example.com.crt.pem;
    ssl_certificate_key /etc/nginx/ssl/artifactory.example.com.key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:1m;
    ssl_session_tickets on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';
    ssl_prefer_server_ciphers on;

    # "timing" is a log_format name that must be defined in the http block of nginx.conf
    access_log /var/log/nginx/artifactory.example.com-access.log timing;
    error_log /var/log/nginx/artifactory.example.com-error.log;

    rewrite ^/$ /ui/ redirect;
    rewrite ^/ui$ /ui/ redirect;
    chunked_transfer_encoding on;
    client_max_body_size 0;    # artifacts can be large; no upload size limit

    location / {
        proxy_read_timeout 2400s;
        proxy_pass_header Server;
        proxy_cookie_path ~*^/.* /;
        proxy_pass http://<artifactory-ip>:8082;
        proxy_next_upstream error timeout non_idempotent;
        proxy_next_upstream_tries 1;
        # Tells Artifactory the external URL so generated links and redirects use it
        proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location ~ ^/artifactory/ {
            proxy_pass http://<artifactory-ip>:8081;
        }
    }
}
Three things to check before running nginx -t on this file. First, access_log ... timing; refers to a log_format named timing that is not defined here; it must exist in the http block of nginx.conf, otherwise nginx rejects the configuration with "unknown log format", and simply omitting the format name falls back to the default combined format. Second, ssl_protocols enables TLSv1 and TLSv1.1, and the cipher list still admits 3DES and static RSA key exchange (no forward secrecy); nothing that talks to an artifact repository today needs them, and the TLS13-* and CHACHA20-draft entries are not cipher names that stock OpenSSL knows, so it silently skips them (with OpenSSL, TLS 1.3 suites are not selected through ssl_ciphers at all). Third, $http_x_forwarded_proto is whatever the client sent: anyone can add an X-Forwarded-Proto: http header to a request and change the base URL Artifactory generates for it; when nginx itself is the TLS endpoint, $scheme is the trustworthy value.
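The following is an added hardening example, not code from the original post or from JFrog's generated configuration. It shows the HTTPS server block with each weak directive from the configuration above left as a comment next to its replacement, and it supplies the "timing" log_format the access_log line needs. It assumes nginx 1.19.4 or later built against OpenSSL 1.1.1 or later, that nginx is the TLS endpoint facing clients (so $scheme is authoritative), and that <artifactory-ip> is the same placeholder as above.

```nginx
# Added example (not from the original post or JFrog). Weak directive shown
# above each fix. Assumes nginx >= 1.19.4 with OpenSSL >= 1.1.1, nginx as the
# edge TLS endpoint, and the same paths/placeholders as the post.

# conf.d/*.conf is included inside http {}, so the log_format the access_log
# lines refer to can live here; without it nginx -t fails ("unknown log format").
log_format timing '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                  'rt=$request_time urt=$upstream_response_time';

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name artifactory.example.com;

    ssl_certificate     /etc/nginx/ssl/artifactory.example.com.crt.pem;  # leaf + intermediates
    ssl_certificate_key /etc/nginx/ssl/artifactory.example.com.key.pem;

    # Weak: ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Weak: '...:RSA+AES128:...:RSA+3DES:!MD5' (static RSA = no forward secrecy; 3DES)
    # Only ECDHE (forward secrecy) + AEAD suites for TLS 1.2:
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    # TLS 1.3 suites are not set via ssl_ciphers with OpenSSL; this is the knob:
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
    ssl_prefer_server_ciphers off;   # every suite above is fine; let clients pick the fastest
    ssl_ecdh_curve X25519:secp384r1;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    # Weak: ssl_session_tickets on;  (nginx's ticket key is only rotated on restart,
    # so a long-running process weakens forward secrecy); the session cache suffices.
    ssl_session_tickets off;

    # Browsers then refuse to downgrade to http for this host.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    access_log /var/log/nginx/artifactory.example.com-access.log timing;
    error_log  /var/log/nginx/artifactory.example.com-error.log;

    rewrite ^/$ /ui/ redirect;
    rewrite ^/ui$ /ui/ redirect;
    chunked_transfer_encoding on;
    client_max_body_size 0;

    location / {
        proxy_read_timeout 2400s;
        proxy_pass_header Server;
        proxy_cookie_path ~*^/.* /;
        proxy_pass http://<artifactory-ip>:8082;
        proxy_next_upstream error timeout non_idempotent;
        proxy_next_upstream_tries 1;
        # Weak: $http_x_forwarded_proto (client-controlled) in the two headers below.
        # nginx terminates TLS here, so the scheme it saw is the only one that counts.
        proxy_set_header X-JFrog-Override-Base-Url $scheme://$host:$server_port;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location ~ ^/artifactory/ {
            proxy_pass http://<artifactory-ip>:8081;
        }
    }
}
```

Keep the listen-80 redirect block from the configuration above in front of this one. If another load balancer sits in front of nginx and terminates TLS itself, the $http_x_forwarded_proto fallback from the original configuration is the right choice again, but only for requests coming from that balancer's addresses.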
(3) Create the certificate and key
(4) Open the ports and start the service
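Steps (3) and (4) as one script, added here as an example; it is not part of the original post. It generates the private key and a CSR for your CA (the page requires a CA-issued certificate, so no self-signed certificate is produced), checks that the certificate the CA returns actually belongs to the key and carries the SAN before nginx ever loads it, installs the pair with tight permissions, and only then tests and (re)starts nginx. The host name, the /etc/nginx/ssl paths, the 3072-bit RSA key size, firewalld as the firewall and systemd as the service manager are assumptions; OUT_DIR defaults to a temporary directory so the key/CSR stage can be dry-run without root.

```shell
#!/bin/sh
# Added example, not from the original post. Generates key + CSR, verifies the
# CA-issued certificate against the key, installs the pair, deploys nginx.
# Assumptions: FQDN, /etc/nginx/ssl, RSA-3072, firewalld, systemd.
set -eu

FQDN="${FQDN:-artifactory.example.com}"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
KEY="$OUT_DIR/$FQDN.key.pem"
CSR="$OUT_DIR/$FQDN.csr.pem"
CRT="$OUT_DIR/$FQDN.crt.pem"   # where you save the chain the CA sends back

# 1. Private key (never leaves this host) and a CSR with a SAN. Modern clients,
#    including the JVM that Maven runs on, match the SAN and ignore the CN.
gen_key_and_csr() {
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$KEY"
    openssl req -new -key "$KEY" -out "$CSR" -subj "/CN=$FQDN" \
        -addext "subjectAltName=DNS:$FQDN"
}

# 2. $1 = key, $2 = certificate. Passes only if the certificate's public key is
#    the one derived from the key (compared as DER SubjectPublicKeyInfo hashes)
#    and the SAN names this host.
verify_pair() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout \
              | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$key_pub" = "$crt_pub" ] || return 1
    openssl x509 -in "$2" -noout -ext subjectAltName | grep -q "DNS:$FQDN" || return 1
}

# 3. Install where the nginx config expects the files. The key is root-only:
#    nginx reads it as root at startup, before dropping to its worker user.
install_pair() {
    dest="${1:-/etc/nginx/ssl}"
    install -d -m 0750 "$dest"
    install -m 0640 "$CRT" "$dest/$FQDN.crt.pem"
    install -m 0600 "$KEY" "$dest/$FQDN.key.pem"
}

# 4. Open 80/443 and start nginx, but only after the config test passes.
deploy_nginx() {
    nginx -t
    firewall-cmd --permanent --add-service=http    # Debian/Ubuntu: ufw allow 80,443/tcp
    firewall-cmd --permanent --add-service=https
    firewall-cmd --reload
    systemctl enable --now nginx
    systemctl reload nginx
}

gen_key_and_csr
echo "Submit $CSR to your CA, save the returned chain as $CRT, then run:"
echo "  verify_pair $KEY $CRT && install_pair && deploy_nginx"
```

verify_pair is the step people skip and then lose an hour on: a certificate issued for a different key, or without the SAN, loads fine in nginx -t and only fails in the client's TLS handshake.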
3. Testing
Open https://artifactory.example.com in a browser: a plain-http URL should be redirected to https, the root should redirect to /ui/, and the certificate shown should be the one installed above, trusted without a warning.
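The browser check above is what the post suggests; the following is an added example, not part of the original post, of the checks a practitioner would script after the cut-over: the http-to-https redirect lands on the same host, the proxy refuses TLS 1.1 and below, Artifactory answers its ping through the proxy, and, if the server block sends one, an HSTS header is present. The checks are written as functions over the raw response headers so they can also be run against a captured response; HOST is an assumption, and the live probe needs network access to the proxy.

```shell
#!/bin/sh
# Added example, not from the original post. HOST is assumed; the header checks
# are pure functions, the live probe (run with --live) talks to the proxy.
set -eu
HOST="${HOST:-artifactory.example.com}"

# $1: raw response headers, $2: expected host.
# A plain-http request must get a permanent redirect to https on the same host.
is_https_redirect() {
    printf '%s\n' "$1" | grep -Eqi '^HTTP/[0-9.]+ 30[18]' || return 1
    printf '%s\n' "$1" | grep -Eqi "^Location: https://$2(:443)?/" || return 1
}

# $1: raw response headers. Optional: present only if the https server block
# adds Strict-Transport-Security.
has_hsts() {
    printf '%s\n' "$1" | grep -Eqi '^Strict-Transport-Security: max-age=[0-9]+'
}

probe() {
    hdr=$(curl -sS -o /dev/null -D - "http://$HOST/artifactory/api/system/ping")
    is_https_redirect "$hdr" "$HOST" && echo "http -> https redirect: ok"

    hdr=$(curl -sS -o /dev/null -D - "https://$HOST/artifactory/api/system/ping")
    has_hsts "$hdr" && echo "HSTS: ok" || echo "HSTS: not sent"

    # Legacy protocol versions must be refused (curl exits non-zero on handshake
    # failure). Note: a curl whose own OpenSSL already forbids TLS 1.1 also fails
    # here, so confirm with a client that can still speak it.
    if curl -sS --tls-max 1.1 -o /dev/null "https://$HOST/" 2>/dev/null; then
        echo "TLS 1.1 still accepted"; return 1
    fi
    echo "TLS <= 1.1 refused: ok"

    # Artifactory's System Health Ping returns the body "OK" when it is up.
    [ "$(curl -sS "https://$HOST/artifactory/api/system/ping")" = "OK" ] && echo "ping: ok"
}

if [ "${1:-}" = "--live" ]; then
    probe
fi
```

Run it as `HOST=artifactory.example.com sh check.sh --live`. A 301 to https on a different host (typically the internal name or IP) means server_name or the rewrite target is wrong; a 200 on the plain-http request means the port-80 server block is not the one nginx picked for that name.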
4. BaseURL
The Base URL is the prefix Artifactory uses when it generates artifact URLs (links in the UI and API responses, and redirect targets); it is set on the "Administration -> General -> Settings" page. With the proxy sending X-JFrog-Override-Base-Url as in the configuration above, Artifactory can take the external address from that header, and the Base URL setting is the explicit way to pin it. Either way it must be the public HTTPS address, https://artifactory.example.com, never the internal http://<artifactory-ip>:8082 one, or clients receive links and redirects that point at an address they cannot reach or that drops them back to plain HTTP.
III. Nginx + HTTP
1. Nginx configuration
(1) Create the configuration file
sudo vi /etc/nginx/conf.d/artifactory.conf
(2) Initialize the configuration file. This is the HTTP-only variant for an internal network. The ssl directives are dropped entirely rather than commented out: a listen 443 ssl line with the ssl_certificate commented away makes nginx refuse the whole configuration (no "ssl_certificate" is defined for the "listen ... ssl" directive), so the server would not start at all.
# Plain HTTP only; everything is proxied to Artifactory as-is
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name .artifactory.example.com;

    # Honour the scheme set by an upstream TLS-terminating balancer, if any
    if ($http_x_forwarded_proto = '') {
        set $http_x_forwarded_proto $scheme;
    }

    # "timing" is a log_format name that must be defined in the http block of nginx.conf
    access_log /var/log/nginx/artifactory.example.com-access.log timing;
    error_log /var/log/nginx/artifactory.example.com-error.log;

    rewrite ^/$ /ui/ redirect;
    rewrite ^/ui$ /ui/ redirect;
    chunked_transfer_encoding on;
    client_max_body_size 0;

    location / {
        proxy_read_timeout 2400s;
        proxy_pass_header Server;
        proxy_cookie_path ~*^/.* /;
        proxy_pass http://<artifactory-ip>:8082;
        proxy_next_upstream error timeout non_idempotent;
        proxy_next_upstream_tries 1;
        proxy_set_header X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location ~ ^/artifactory/ {
            proxy_pass http://<artifactory-ip>:8081;
        }
    }
}
IV. References
1. Official
https://jfrog.com/help/r/jfrog-artifactory-documentation/http-settings
https://jfrog.com/help/r/jfrog-artifactory-documentation/configuring-nginx
https://jfrog.com/knowledge-base/artifactory-how-to-enable-tls-within-the-jfrog-platform/