Traefik reverse proxy rewrite rules for jFrog Artifactory Docker registry

_README.md

Artifactory proxied by Traefik

About

Due to lake of documentation on that topic this is a Gist to configure reverse proxy properly.

Traefik is not officialy supported by jFrog as reverse proxy for Artifactory.

Keep in mind that the minimum licence level jFrog Artifactory Pro to enable Docker registry feature.

Consult docker-compose logs proxy to check if rewrite is working as expected

Prerequisites

You must create a repository named docker-login in Artifactory to apply the following conf. This repository must be at least readable by Anonymous user and is requiered for auth.

Values to be changed

• conf.toml :
  • <server-cert-name> must be replaced by the name of your server certificate file
• docker-compose.yml :
  • ${URL} is the URL of Artifactory's virtual host
  • ${COMPOSE_PROJECT_NAME}must be set before invocation of docker-compose

References

jFrog blog : https://jfrog.com/knowledge-base/how-do-i-access-multiple-artifactory-docker-repositories-from-a-single-url/

conf.toml

################################################################
# Global Traefik configuration
################################################################
defaultEntryPoints = ["https","http"]

################################################################
# Web configuration backend
################################################################
[web]
  address = ":8080"

################################################################
# Entrypoint configuration
################################################################
[entryPoints]
  [entryPoints.http]
    address = ":80"
    compress = true
    [entryPoints.http.redirect]
      entryPoint = "https"

  [entryPoints.https]
    address = ":443"
    compress = true
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "cert/<server-cert-name>.cer"
      keyFile = "cert/<server-cert-name>.key"

################################################################
# Docker configuration backend
################################################################

# Enable Docker configuration backend.
[docker]
  endpoint = "unix:///var/run/docker.sock"
  domain = "<domain-name>"
  watch = true
  exposedbydefault = false
  usebindportip = true
  swarmmode = false

docker-compose.yml

version: '3'

services:
  proxy:
    image: traefik
    command: [ "--api", "--docker", "--logLevel=DEBUG" ]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/conf.toml:/traefik.toml:ro
      - ./traefik/cert:/cert:ro
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    labels:
      traefik.enable: "false"
    networks:
      - proxy
      
  artifactory:
    image: docker.bintray.io/jfrog/artifactory-pro
    restart: unless-stopped
    volumes:
      - artifactory-data:/var/opt/jfrog/artifactory:rw
    labels:
      traefik.enable: "true"
      traefik.port: "8081"
      traefik.docker.network: "${COMPOSE_PROJECT_NAME}_proxy"
      traefik.artifactory-ihm.frontend.rule: "Host:${URL}"
      traefik.artifactory-ihm.frontend.priority: 1
      traefik.artifactory-docker-root.frontend.rule:  "Host:${URL};PathPrefix:/v2/;ReplacePathRegex:^/v2/([a-zA-Z0-9-_]+)/(.*)$$ /artifactory/api/docker/$$1/v2/$$2"
      traefik.artifactory-docker-root.frontend.priority: 10
      traefik.artifactory-docker-login.frontend.rule: "Host:${URL};Path:/v2/;ReplacePathRegex:^/v2/$$ /artifactory/api/docker/docker-login/v2/"
      traefik.artifactory-docker-login.frontend.priority: 20
      traefik.artifactory-docker-token.frontend.rule: "Host:${URL};Path:/v2/token;ReplacePathRegex:^/v2/token$$ /artifactory/api/docker/docker-login/v2/token"
      traefik.artifactory-docker-token.frontend.priority: 20
    networks:
      - proxy
      
networks:
  proxy:
    driver: bridge
    
volumes:
  artifactory-data:

👍