Below are the stages required to create a private Docker registry using Artifactory Pro 5.x with an nginx-based reverse-proxy. The final stage is the configuration needed for a docker client to use the new registry. This requires Artifactory Pro (5 or greater) as Artifactory OSS does not allow creating Docker repos.
Stages
- Create a Docker Repo in Artifactory
- Create an OpenSSL Wildcard Certificate
- Create a Nginx Reverse-Proxy Config File
- Install Nginx
- Configure Nginx as a Reverse-Proxy
- Configure a Docker Client to Access the Private Registry
Create a simple Docker V2 repo in Artifactory Pro, accepting the defaults. Perform these steps in the Artifactory Pro web gui.
-
Log into the Artifactory Pro web-gui using the Admin account
-
Navigate to local repos
Admin -> Repositories -> Local
-
Click "(+) New" to create a new local repo
-
From the available "Package Types" choose "docker"
-
Enter a "Repository Key"
Note: This will become the repository name at the end of the Artifactory repo URL, e.g.
http://artifactoryhost.mydomain.com/artifactory/docker-repo-name *... and the corresponding docker registry sub-domain* https://docker-repo-name.artifactoryhost.mydomain.com/image:tag -
Accept all defaults and click the Save & Finish button
While a CA-issued SSL cert would be ideal, this step is for creating a self-signed one. These steps should be executed on the Artifactory Pro host via the Linux command line.
-
Create the OpenSSL self-signed certificate and key files:
sudo openssl req\ -x509\ -nodes -days 3650\ -newkey rsa:2048\ -keyout /etc/ssl/private/nginx-selfsigned.key\ -out /etc/ssl/certs/nginx-selfsigned.crt
-
Create a Diffie-Hellman group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Generate a reverse-proxy config for nginx using the Artifactory Pro Proxy Configuration Generator and the SSL files created in Stage 2.
-
Log into the Artifactory Pro web gui as an Admin.
-
Navigate to:
Admin -> Configuration -> Reverse Proxy
-
Fill out the "Reverse Proxy Configuration" form:
Server Provider:
nginx(drop-down)Internal Hostname*:
artifactoryhost.mydomain.comInternal Port*:
8081(default)Internal Context Path:
artifactory(default)[x] Use HTTP
HTTP Port *:
80[x] Use HTTPS
HTTPS Port *:
443SSL Key Path *
/etc/ssl/private/nginx-selfsigned.key
SSL Certificate Path *
/etc/ssl/certs/nginx-selfsigned.crt
Docker Reverse Proxy Settings
Reverse Proxy Method:
Sub DomainServer Name Expression:
*.artifactoryhost.mydomain.com -
Click the "Save" button
-
Click "Download" (upper left corner) to get the
artifactory.conffile for nginx.
Note: This is for RHEL7, repos for other Linux distributions can be found in the nginx wiki
-
Install the nginx repo
-
Create /etc/yum.repos.d/nginx.repo
[nginx] name=nginx repo baseurl=https://nginx.org/packages/rhel/7/x86_64/ gpgcheck=0 enabled=1 proxy=http://proxy.mydomain.com:8080
-
Install nginx
yum install nginx
-
Back up/delete the nginx default config:
sudo cp -v /etc/nginx/conf.d/{default.conf,default.conf.orig} -
Copy the
artifactory.conffile downloaded in Stage 3 to /etc/nginx/conf.d/ on the Artifactory host:Sample
artifactory.conf########################################################### ## this configuration was generated by JFrog Artifactory ## ########################################################### ## add ssl entries when https has been set in config ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; ssl_session_cache shared:SSL:1m; ssl_prefer_server_ciphers on; ## server configuration server { listen 443 ssl; listen 80 ; server_name ~(?<repo>.+)\.artifactoryhost.mydomain.com artifactoryhost.mydomain.com; if ($http_x_forwarded_proto = '') { set $http_x_forwarded_proto $scheme; } ## Application specific logs ## access_log /var/log/nginx/artifactoryhost.mydomain.com-access.log timing; ## error_log /var/log/nginx/artifactoryhost.mydomain.com-error.log; rewrite ^/$ /artifactory/webapp/ redirect; rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/ redirect; rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2; chunked_transfer_encoding on; client_max_body_size 0; location /artifactory/ { proxy_read_timeout 900; proxy_pass_header Server; proxy_cookie_path ~*^/.* /; if ( $request_uri ~ ^/artifactory/(.*)$ ) { proxy_pass http://artifactoryhost.mydomain.com:8081/artifactory/$1; } proxy_pass http://artifactoryhost.mydomain.com:8081/artifactory/; proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host:$server_port/artifactory; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } }
-
Create a new file - /etc/nginx/conf.d/ssl.conf
server { listen 443 http2 ssl; listen [::]:443 http2 ssl; server_name server_IP_address; ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; ssl_dhparam /etc/ssl/certs/dhparam.pem; }
-
Restart nginx
systemctl restart nginx
-
Securely transfer the
nginx-selfsigned.crtfile to the Docker client host -
Copy it to
/etc/pki/ca-trust/source/anchors/with a new name:RHEL7 example (other examples):
sudo cp -v nginx-selfsigned.crt /etc/pki/ca-trust/source/anchors/docker-repo-name.artifactoryhost.mydomain.com.crt
-
Update CA Trust
sudo update-ca-trust
-
Add the new docker registry subdomain to /etc/hosts (or ask your network admin to update DNS):
sudo echo "10.10.10.10 docker-repo-name.artifactoryhost.mydomain.com.crt" >> /etc/hosts
-
Optional: Add your new private docker registry to docker's proxy excludes
[Service] Environment="HTTP_PROXY=http://proxy.mydomain.com:8080/" "HTTPS_PROXY=http://proxy.mydomain.com:8080/" "NO_PROXY=localhost,127.0.0.1,*.mydomain.com,*.mydomain.com,docker-repo-name.artifactoryhost.mydomain.com"
-
Reload systemd daemon configs:
systemctl deamon-reload -
Restart docker:
systemctl restart docker
Test the new docker repo via a pull or push from the docker client:
docker push docker-repo-name.artifactoryhost.mydomain.com/myimage:tag