How to configure a reverse proxy for Artifactory Docker repository when using AWS-ELB load balancer?

Here is a basic example of the configuration file for a NGINX reverse proxy.

Port 80 is used only as a reference in this example. It is the port the AWS-ELB set for Artifactory.

This configuration uses LUA module (the section with it is marked in bold). It is recommended to use it, although it is not mandatory.

server {

    listen 80;

    server_tokens off;

    ####Server name #####

    server_name <my.artifactory.com>;

    client_max_body_size 0;

   ## Application specific logs

   ## access_log /var/log/nginx/my.artifactory.com-access.log;

   ## error_log /var/log/nginx/my.artifactory.com-error.log;

    location ~* ^/(402.htm|500.htm|502.htm|503.htm|503-migrate.htm)$ {

        root /usr/share/nginx/html;

    }

    if ($http_x_forwarded_proto != “https”) {

        rewrite ^/artifactory/webapp/(.*) https://$host/artifactory/webapp/$1 redirect;

        rewrite ^/$ $scheme://$host/artifactory/webapp/#/home redirect;

    }

    if ($http_x_forwarded_proto = “https”) {

        rewrite ^/$ https://$host/artifactory/webapp/#/home redirect;

    }

   #### docker repository name #####

    rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/<docker-repo-name>/$1/$2;

header_filter_by_lua ‘

    local myProto = ngx.var[“http_x_forwarded_proto”]

    if myProto == “https” then

        local locHeader = ngx.header[“Location”]

        if locHeader then

            if type(locHeader) == “string” then

                local location = ngx.re.match(locHeader, “http[s]?://(.*)”, “io”)

                if location then

                    ngx.header[“Location”] = “https://” .. location[1]

                end

            end

        end

    end

‘;


location /artifactory {

        proxy_http_version 1.1;

        proxy_pass http://localhost:8081;

        proxy_intercept_errors on;

        proxy_pass_header Server;

        proxy_connect_timeout 75s;

        proxy_send_timeout 2400s;

        proxy_read_timeout 2400s;

        proxy_set_header Host $host;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host/artifactory;

    }

}

Comments:

The most important part of this configuration is in the if statements.

Its main purpose is to keep the protocol of the requests which come through the load balancer (in case it is http or if it is https).

if ($http_x_forwarded_proto != “https”) {

        rewrite ^/artifactory/webapp/(.*) https://$host/artifactory/webapp/$1 redirect;

        rewrite ^/$ $scheme://$host/artifactory/webapp/#/home redirect;

    }

    if ($http_x_forwarded_proto = “https”) {

        rewrite ^/$ https://$host/artifactory/webapp/#/home redirect;

    } 

Please note that the rewrite rules also specify the full path of the redirection along with keeping the protocol.

The rewrite rule for the docker repository has not changed from the auth generator configuration file.

For this example, we used a v2 api repository.

In this case, requests which have the pattern of ‘/v2/’ will be redirected to the docker repository.