Configure JFrog Artifactory behind an Nginx reverse proxy with Let's Encrypt SSL

Date: 2020-02-23 14:37:53  Source: igfitidea

Question: how do I put JFrog Artifactory behind an Nginx reverse proxy and configure a Let's Encrypt SSL certificate?
JFrog Artifactory is a powerful, full-featured repository manager designed to integrate with most CI/CD tools so that software moves from development to production faster.

By default, JFrog Artifactory binds to the server's IP address and a port number, which means it is only reachable by IP (or hostname) plus that specific port, over plain HTTP.
If you care about security, you will want a reverse proxy such as Nginx in front of the Artifactory server so that all access goes through it, over TLS.

This tutorial covers how to configure Nginx in front of a JFrog Artifactory server.
With the Artifactory server already set up, the next step is to configure Nginx as the reverse proxy that terminates SSL/TLS.

Step 1: Install Nginx

Install Nginx on the server that will act as the reverse proxy.
This can be the same server that runs Artifactory, or a separate one.

# Install Nginx on CentOS/RHEL
sudo yum -y install nginx
# Install Nginx on Fedora
sudo dnf -y install nginx
# Install Nginx on Ubuntu/Debian
sudo apt -y install nginx

With the Nginx web server installed, start the service and enable it to start at boot.

sudo systemctl start nginx
sudo systemctl enable nginx

Step 2: Install the Certbot tool

Next, install Certbot, the tool used to obtain Let's Encrypt SSL certificates.
Download and install the certbot-auto command-line tool. Note that certbot-auto has since been deprecated by the Certbot project (the snap package or your distribution's certbot package is the supported route now). If you do use it, be aware that the command below pipes an unverified download straight into /usr/local/bin: fetch the detached GPG signature (certbot-auto.asc) published alongside the script and verify it before giving the script execute permission.

curl -sL https://dl.eff.org/certbot-auto | sudo tee /usr/local/bin/certbot-auto

Make the script executable.

sudo chmod +x /usr/local/bin/certbot-auto

Check that it works:

certbot-auto --version
certbot 0.33.1

When asked to confirm the installation of its dependencies, answer "y".

Dependencies Resolved
===========================================================================
 Package              Arch      Version                   Repository  Size
===========================================================================
Installing:
 augeas-libs          x86_64    1.4.0-6.el7_6.1           updates    355 k
 libffi-devel         x86_64    3.0.13-18.el7             base        23 k
 mod_ssl              x86_64    1:2.4.6-88.el7.centos     base       112 k
 python-devel         x86_64    2.7.5-76.el7              base       398 k
 python-tools         x86_64    2.7.5-76.el7              base       856 k
 python-virtualenv    noarch    15.1.0-2.el7              base       1.7 M
 python2-pip          noarch    8.1.2-8.el7               epel       1.7 M
 redhat-rpm-config    noarch    9.1.0-87.el7.centos       base        81 k
Installing for dependencies:
 dwz                  x86_64    0.11-3.el7                base        99 k
 libXft               x86_64    2.3.2-2.el7               base        58 k
 libXrender           x86_64    0.9.10-1.el7              base        26 k
 perl-srpm-macros     noarch    1-8.el7                   base       4.6 k
 tcl                  x86_64    1:8.5.13-8.el7            base       1.9 M
 tix                  x86_64    1:8.4.3-12.el7            base       254 k
 tk                   x86_64    1:8.5.13-6.el7            base       1.4 M
 tkinter              x86_64    2.7.5-76.el7              base       326 k
 zip                  x86_64    3.0-11.el7                base       260 k
Transaction Summary
===========================================================================
Install  8 Packages (+9 Dependent packages)
Total download size: 9.5 M
Installed size: 26 M
Is this ok [y/d/N]: y

Step 3: Request a Let's Encrypt SSL certificate

A working DNS record is required for the domain or subdomain the JFrog Artifactory server will use (for example artifactory.example.com); the http-01 challenge only succeeds if that name resolves to this host.

Port 80 also has to be reachable for the challenge (and 443 for the proxy itself); this only needs action if a host firewall is active.

# CentOS/Fedora/RHEL
sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload
# Ubuntu/Debian
sudo ufw allow proto tcp from any to any port 80,443
sudo ufw status

With that in place, request the Let's Encrypt certificate. The --standalone authenticator runs its own temporary listener on port 80, which is why Nginx is stopped first. The same applies at every renewal: either give certbot-auto renew --pre-hook and --post-hook commands that stop and start Nginx, or switch to the webroot authenticator once Nginx is serving the site.

export DOMAIN="artifactory.example.com"
export ALERTS_EMAIL="admin@example.com"   # replace with your own contact address for expiry notices
sudo systemctl stop nginx
sudo /usr/local/bin/certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $ALERTS_EMAIL --keep-until-expiring

Sample output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator standalone, Installer None
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for artifactory.theitroad.com
 Waiting for verification…
 Cleaning up challenges
 IMPORTANT NOTES:
 Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/artifactory.theitroad.com/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/artifactory.theitroad.com/privkey.pem
 Your cert will expire on 2019-07-11. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot-auto
 again. To non-interactively renew all of your certificates, run
 "certbot-auto renew"
 Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 If you like Certbot, please consider supporting our work by:
 Donating to ISRG/Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le

Step 4: Configure Nginx

Create an Nginx configuration file for Artifactory.

sudo vim /etc/nginx/conf.d/artifactory.conf

Paste the following into the file.

server {
  listen 80;
  server_name artifactory.example.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name artifactory.example.com;
  access_log /var/log/nginx/artifactory.example.com-access.log;
  error_log /var/log/nginx/artifactory.example.com-error.log;
  ssl_certificate /etc/letsencrypt/live/artifactory.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/artifactory.example.com/privkey.pem;
  rewrite ^/$ /artifactory/webapp/redirect;
  rewrite ^/artifactory/?(/webapp)?$ /artifactory/webapp/redirect;
  chunked_transfer_encoding on;
  client_max_body_size 0;

  location / {
    proxy_read_timeout  900;
    proxy_pass_header   Server;
    proxy_cookie_path   ~*^/.* /;
    # Requests that already carry the /artifactory prefix are passed through
    # unchanged ($1 keeps the rest of the path); all other requests get the
    # prefix added by the plain proxy_pass below.
    if ( $request_uri ~ ^/artifactory/(.*)$ ) {
      proxy_pass          http://127.0.0.1:8081/artifactory/$1;
    }
    proxy_pass          http://127.0.0.1:8081/artifactory/;
    proxy_set_header    X-Forwarded-Port  $server_port;
    # Nginx terminates TLS here and therefore knows the real scheme; never
    # take it from a client-supplied X-Forwarded-Proto header.
    proxy_set_header    X-Forwarded-Proto $scheme;
    proxy_set_header    Host              $http_host;
    proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
  }
}

Replace artifactory.example.com with your Artifactory server's domain. Nginx will otherwise fall back to its compiled-in defaults for ssl_protocols and ssl_ciphers; on releases before 1.23.4 that still includes TLS 1.0 and 1.1, so set ssl_protocols explicitly if you run an older build.
When the changes are done, validate the Nginx configuration.

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If the configuration checks out, restart Nginx (and make sure it is enabled at boot).

sudo systemctl restart nginx
sudo systemctl enable nginx
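To make the header and path handling of the location block above concrete, here is an added Python model (not code from this tutorial or from JFrog) of what Artifactory receives from the proxy. It covers the two ways X-Forwarded-Proto gets set in JFrog-derived configs (fixed to Nginx's own $scheme, or the `if ($http_x_forwarded_proto = '') { set ... $scheme; }` fallback found in JFrog's generated template), the X-Forwarded-For value built by $proxy_add_x_forwarded_for, and the upstream path produced by proxy_pass with and without the `$1` capture. The addresses, header values and paths are constructed sample data; the assumption is the tutorial's layout, Nginx terminating TLS with Artifactory on 127.0.0.1:8081.

```python
"""Model of what the nginx `location /` block hands to Artifactory.

Added illustration, not code from the original tutorial or from JFrog's
nginx template. Assumes nginx terminates TLS at the edge and Artifactory
listens on 127.0.0.1:8081. All header values below are constructed samples.
"""
import re

ARTIFACTORY_PREFIX = re.compile(r"^/artifactory/(.*)$")


def forwarded_proto(client_headers, scheme, trust_client_header):
    """X-Forwarded-Proto as the backend receives it.

    trust_client_header=True mirrors the template fallback
    `if ($http_x_forwarded_proto = '') { set $http_x_forwarded_proto $scheme; }`:
    whatever the client sent wins unless it is empty.
    trust_client_header=False mirrors `proxy_set_header X-Forwarded-Proto $scheme;`.
    """
    incoming = client_headers.get("X-Forwarded-Proto", "")
    if trust_client_header and incoming != "":
        return incoming
    return scheme


def forwarded_for(client_headers, remote_addr):
    """$proxy_add_x_forwarded_for: the incoming X-Forwarded-For with
    $remote_addr appended, or just $remote_addr if the client sent none."""
    incoming = client_headers.get("X-Forwarded-For", "")
    return f"{incoming}, {remote_addr}" if incoming else remote_addr


def trusted_client_ip(x_forwarded_for):
    """With a single edge proxy only the LAST entry was written by nginx;
    everything before it is client-controlled and must not be trusted."""
    return x_forwarded_for.rsplit(",", 1)[-1].strip()


def upstream_uri(request_uri, keep_capture):
    """Path Artifactory sees for a request matched by `location /`.

    keep_capture=True: `proxy_pass http://127.0.0.1:8081/artifactory/$1;`
    contains a variable, so nginx sends the directive's URI exactly as written.
    keep_capture=False: the same rule with `$1` dropped. A proxy_pass URI
    without variables makes nginx replace the part matched by the location
    (`/`) with `/artifactory/`, which double-prefixes /artifactory/... requests.
    """
    m = ARTIFACTORY_PREFIX.match(request_uri)
    if m and keep_capture:
        return "/artifactory/" + m.group(1)
    return "/artifactory/" + request_uri[len("/"):]


def backend_view(client_headers, scheme, remote_addr, request_uri,
                 trust_client_header=False, keep_capture=True):
    """Everything the backend learns about one proxied request."""
    xff = forwarded_for(client_headers, remote_addr)
    return {
        "X-Forwarded-Proto": forwarded_proto(client_headers, scheme, trust_client_header),
        "X-Forwarded-For": xff,
        "client_ip": trusted_client_ip(xff),
        "uri": upstream_uri(request_uri, keep_capture),
    }


if __name__ == "__main__":
    # Constructed sample: an HTTPS client that lies about its scheme and
    # prepends a fake address to X-Forwarded-For.
    spoofing = {"X-Forwarded-Proto": "http", "X-Forwarded-For": "10.0.0.1"}
    for trust in (True, False):
        view = backend_view(spoofing, "https", "203.0.113.7",
                            "/artifactory/api/system/ping",
                            trust_client_header=trust)
        print("trust client X-Forwarded-Proto:", trust, "->", view)
```

With the fallback form, an HTTPS client sending `X-Forwarded-Proto: http` makes the backend believe the session was plain HTTP, so any absolute URL it builds from that header (redirects, the web UI's base URL) comes back as http://. The X-Forwarded-For case shows the matching rule for addresses: only the entry nginx appended is the real peer, which is what the request log or any IP-based decision on the backend should use.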

Step 5: Access the JFrog Artifactory web interface

Open the JFrog Artifactory web interface at http://artifactory.example.com.

You should be redirected from HTTP to HTTPS.
Finally, confirm that Artifactory is not reachable directly on port 8081 from outside the host. The proxy only talks to 127.0.0.1:8081, but unless you have bound Artifactory to localhost it also answers on 8081 on every interface, so keep 8081 closed in the firewall (only 80 and 443 were opened in step 3); otherwise the proxy, and the TLS it provides, can simply be bypassed.