Skip to content

Instantly share code, notes, and snippets.

@kekru

kekru/01-nginx-serve-artifactory-unauthenticated.md

Last active October 1, 2024 15:42
Show Gist options
  • Save kekru/e60d4844d595117c1d5b93b744907fd1 to your computer and use it in GitHub Desktop.
Save kekru/e60d4844d595117c1d5b93b744907fd1 to your computer and use it in GitHub Desktop.
Download ZIP
nginx: Serve a file from Artifactory without login
Raw
01-nginx-serve-artifactory-unauthenticated.md

nginx: serve a file from Artifactory without authentication

With the following nginx config you can expose a single file from Artifactory without need to authenticate.
Be sure that you only expose the files that are allowed to be public

I dont't recommend to run this nginx in the public internet. Run it only inside your company's firewall!
No warranty, that is totally safe.

nginx config

The file is exposed using proxy pass. There must be an Artifactory token, which will be send from nginx to Artifactory.
The proxy_hide_header headers make sure, that there is no Cookie sent to the user, which belongs to the Artifactory token.
The caching is recommended to decrease the load on Artifactory.
The mime type mapping using $custom_content_type is optional, if you need to correct your Content-Type headers, sent to the user.

You can also mount the token via a secret:

nginx.conf

server {
  include /secrets/secret.txt;
  ...
  proxy_set_header X-JFrog-Art-Api "$AuthValue;"
}

secret.txt

set $AuthValue "AKsomething123456789";
Raw
nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
default_type application/octet-stream;
include /etc/nginx/sites-enabled/*.conf;
map $uri $custom_content_type {
default $http_content_type;
~(.*\.svg)$ "image/svg+xml";
~(.*\.html)$ "text/html";
~(.*\.js)$ "text/javascript";
}
# for caching see https://www.nginx.com/blog/nginx-caching-guide/
proxy_cache_path /tmp/proxy_cache levels=1:2 keys_zone=artifactory_cache:5m max_size=2g inactive=20m use_temp_path=off;
server {
listen 80 default_server;
location /something.txt {
proxy_cache artifactory_cache;
proxy_cache_lock on;
proxy_cache_valid 200 301 302 10m;
proxy_cache_valid any 10m;
proxy_ignore_headers Set-Cookie;
proxy_hide_header Set-Cookie;
proxy_hide_header Content-Disposition;
proxy_hide_header Content-Type;
add_header Content-Type $custom_content_type;
proxy_set_header X-JFrog-Art-Api "AKsomething123456789";
limit_except GET { deny all; }
proxy_pass https://artifactory.example.com/artifactory/some-repo/some/file/on/server.txt;
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment