When installing Artifactory, you’ll be able to start using it as `http://YOUR_DOMAIN:8081/artifactory. To change this to a simpler domain, you can read the following guide. You’ll need to have the following:
Artifactory administrative access
SSH access to the server.
Setting up Reverse Proxy to Simplify Domain
First, SSH into the server and install Apache:
sudo apt install apache2
This should create a default page you can access by hitting the root URL:
While logged in as an admin in Artifactory, access Admin -> HTTP Settings and make the following changes:
After saving, you’ll see the ability to View/Download the configuration on the right side of the page. Download the contents and replace the contents of /etc/apache2/sites-enabled/000-default.conf on the Artifactory server with them.
Restart Apache with sudo systemctl restart apache2.
Now confirm that you can request Artifactory using http://YOUR_DOMAIN.
Setting up SSL using Let’s Encrypt
Now that you can access the domain, let’s secure the domain using Let’s Encrypt.
Use the following to check which version of Linux you’re running: lsb_release -a
Most likely, you’ll be using Ubuntu 18.04, if so, you can use these steps. If not, check out the CertBot page for appropriate directions.
You should be able to generate and configure the cert automatically running the directions above. Assuming this is successful, select to redirect HTTP traffic to HTTPS, removing HTTP access.
Now confirm that you can both:
Access the HTTPS version of your domain above.
When trying to access HTTP, it automatically redirects to HTTPS.
If you’ve lost access to the administrator account in your on-premised Artifactory, this guide will help walk you through setting it back up. You’ll need to have SSH access to the server in order to complete this guide.
To get started, SSH into the server and open$ARTIFACTORY_HOME/etc/security/access/bootstrap.creds. Enter the following information:
access-admin@127.0.0.1=PASSWORD
Now assign read/write permissions:
chmod 600bootstrap.creds
And finally, restart the server.
Once that’s done, make the following POST call while still SSHed into the server:
For setting this up, I’d recommend having at least one Model ready for use. In our case, let’s use a simple example with Entry.cs:
[Key]
public int EntryId { get; set; }
public DateTime Date { get; set; }
public string Content { get; set; }
Now create the Context.cs and ContextFactory.cs files in the Models folder:
using Microsoft.EntityFrameworkCore;
namespace YOUR_NAMESPACE
{
public class Context : DbContext
{
public Context(DbContextOptions<UsawStatsContext> options)
: base(options)
{ }
public DbSet<Entry> MeetResults { get; set; }
}
}
using System;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Design;
namespace YOUR_NAMESPACE
{
public class ContextFactory : IDesignTimeDbContextFactory<Context>
{
public Context CreateDbContext(string[] args)
{
var optionsBuilder = new DbContextOptionsBuilder<Context>();
optionsBuilder.UseSqlServer(Environment.GetEnvironmentVariable("SqlConnectionString"));
return new Context(optionsBuilder.Options);
}
}
}
Now create a Startup.cs file in root:
using System;
using YOUR_NAMESPACE.Models;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
[assembly: FunctionsStartup(typeof(YOUR_NAMESPACE.Startup))]
namespace YOUR_NAMESPACE
{
class Startup : FunctionsStartup
{
public override void Configure(IFunctionsHostBuilder builder)
{
string SqlConnection =
Environment.GetEnvironmentVariable("SqlConnectionString");
builder.Services.AddDbContext<Context>(
options => options.UseSqlServer(SqlConnection)
);
}
}
}
Setting up Database
Finally, you’ll need to set up a database for use. Create the database and use the connection string – let’s use SQL Server locally and set this in the Azure Function project’s local.settings.json:
When setting up Azure CDN, you may want to use a naked domain (yourdomain.com) to access. It’s a little tricky, so here’s how I set it up:
Creation and Verification
Create the CDN profile and endpoint in Azure.
Next set up a custom domain:
To do this, you’ll need to modify the value highlighted as an A record for your domain’s DNS. It will look like this:
Host: cdnverify.<yourdomain>
Value: cdnverify.<endpoint>.azureedge.net
Setting up SSL and HTTPS Redirect
With the domain working, you’ll notice that you only have an insecure connection in place, so let’s set that up.
One of the disadvantages of using a root domain is that you cannot use the Azure CDN self-generated certificates. This means you’ll have to bring your own certificate in. There are three options immediately available:
Purchase a certificiate from Azure (easy and reliable but starts at ~$70)
Purchase a certificate from a reputable CA (Such as from Namecheap, can purchase a cert as low as ~$8 a year, although these certs are not as secure).
Use the manual process at Let’s Encrypt to generate a certificate (free, but will need to be renewed regularly).
Obtaining a Let’s Encrypt Certificate Using Windows
To use the manual process, you’ll need to start with the following:
Install WSL (Ubuntu 18.04) onto your computer, and open a CLI.
Once the certificate is added, set up Custom HTTPS for the endpoint:
Final steps are setting up a service principal for access with the command provided above. (Make sure to use Connect-AzAccount). Once this is done, you’ll need to allow some time (around 6-8 hours) to pass for allowing certificate import and CDN provisioning.
Verification
To make sure everything is in place, first check to ensure the status shows Custom HTTPS being enabled:
Afterwards, try accessing your site using HTTPS to confirm everything working.
Redirecting all non-HTTP/root Traffic
The last step to getting this working is setting anything not going to https://<yourdomain>.com to the correct place. This can be done in the Premium CDN with Verizon plan by changing the traffic rules in the Custom rules engine:
This will take some time to propagate, you’ll know it’s complete when you see “Active XML” next to the rule.
Once this is done, you can validate by trying to access the site using HTTP, and seeing it redirect to HTTPS (make sure to use an Incognito tab if using Chrome).
A storage account (ideally stored in the same resource group) that will hold the log data.
Configuration
Go into Network Watcher and click on ‘NSG Flow Logs’:
Turn on Flow logs, and select the storage account to store logs in. A few notes here:
If retention is kept at 0, all logs will stay in the storage account forever. Useful for audits, but will end up costing more in the long run. (I personally set to 7 days).
I wrote about the ability to add HTTPS to an AKS cluster using Let’s Encrypt, but recently ran into a case where I needed to add a cert from a specific CA to the cluster.
To do this, you need the following:
An AKS cluster deployed in an Azure tenant.
A certificate (should start with —–BEGIN CERTIFICATE—–)
A private key associated to the certificate above (used when creating the CSR for the cert, and will start with —–BEGIN RSA PRIVATE KEY—–)
When working with deploying Azure Function Apps with Jenkins, I ran into an issue when trying to rebuild a Function App from scratch with the same name. I was unable to deploy the codebase via Pipeline due to the following error:
unable to get credential storage lock: File exists
I was able to fix by doing the following:
SSH into the server.
Log in as the user that runs when running a Jenkins job (for example):
sudo su -s /bin/bash jenkins
Access the user’s .git-credentials file, and remove the reference to the pre-existing Function App SCM.
Delete the .git-credentials.lock file.
After doing this, try running the job again and ensure the issue has been solved.
