Configuration by Package Type

Set SASE intercept hostnames, redirect methods, and client trust for npm, PyPI, Docker, and Hugging Face when routing public registry traffic through JFrog Artifactory.

Public Registry Hostnames

This is the common hostname reference shared by every SASE provider's intercept rule, regardless of vendor. Add every HTTPS hostname your clients use for the package types you have enabled in Artifactory (Package Reroute remote repositories). Confirm the defaults below with TLS/SNI captures, package-manager docs, or your SASE provider's logs. Corporate mirrors and private edge caches use different hosts. Scope must stay aligned with Supported Package Types (GA) and your entitlements.

| Package ecosystem | Common HTTPS hostnames | Notes |
|---|---|---|
| npm | registry.npmjs.org, registry.npmjs.com, registry.yarnpkg.com | registry.npmjs.org is the default; registry.npmjs.com is also a valid registry host. Yarn (classic) and some installs still resolve the default registry via registry.yarnpkg.com—include it when Yarn is in scope alongside npm. |
| Python (PyPI) | pypi.org, files.pythonhosted.org | pip, Poetry, and uv often use both; include each you see in traffic. |
| Docker (e.g. Docker Hub) | registry-1.docker.io, index.docker.io | auth.docker.io is often redundant for routine image pulls (many environments never need it in the category); adding it does not hurt if you prefer a broader list or see auth-related misses in your SASE provider's logs. GHCR, Quay, ECR, Artifactory-on-prem registries, and so on each need their hostnames added when those clients are in scope. |
| Hugging Face | huggingface.co | Some clients use additional CDN-style hosts; extend the list if logs show misses. |
| RubyGems | rubygems.org, api.rubygems.org | rubygems.org handles package downloads; api.rubygems.org is used for gem metadata lookups. Include both. |
| Cargo (Rust) | crates.io, index.crates.io, static.crates.io | index.crates.io serves the sparse registry index (Cargo 1.68+); static.crates.io serves crate downloads via CDN. Include all three. |

This list is not exhaustive. Public registry and CDN hostnames can change, so re-verify when upgrading clients or changing regions.

Ecosystem Overview

SASE intercept rules, SSL inspection, Artifactory remote repository layout, and client trust differ per ecosystem. This page summarizes npm and Python (PyPI) in detail and points to other topics for Docker and Hugging Face. It does not replace scripts/README.md for OS-specific variables, client versions, and tests—use that README as the source of truth for workstation configuration.

Configure each ecosystem you enable:

SASE: Patterns for Every Ecosystem

Important — Request method selection: The HTTP methods to include and exclude in the redirect rule differ per package ecosystem. Using the wrong methods (for example, redirecting POST) will break specific CLI commands. Configure methods exactly as specified in the npm and Python (PyPI) tables.


npm Configuration

Intercept Settings for npm

| Setting | Value |
|---|---|
| URL to add | registry.npmjs.org (also registry.npmjs.com and registry.yarnpkg.com; see Public Registry Hostnames) |
| Request Methods | GET and HEAD only |
| Excluded Methods | POST (must NOT be selected) |

Why POST Must Be Excluded for npm

The npm audit command sends POST requests to registry.npmjs.org. If POST requests are included in the redirect rule, npm audit is redirected to Artifactory, which will fail because:

  • npm audit expects a specific response format from the registry
  • npm expects an HTTP 307 redirect to properly forward a POST request (preserving the method and body)
  • Some SASE solutions (for example, Zscaler) return an HTTP 302 for POST requests, which causes the npm client to drop the POST body and fail

By excluding POST from the redirect rule, npm audit traffic passes through your SASE directly to registry.npmjs.org without interception, allowing it to function normally.

Commands Affected by Method Exclusion for npm

| Command | HTTP Method | Redirected? | Notes |
|---|---|---|---|
| npm install <package> | GET | Yes | Primary use case |
| npm view <package> | GET | Yes | Package metadata |
| npm audit | POST | No | Passes through to public registry |
| npm publish | PUT | No | Not redirected |
| npm login | GET | No | Web login fails — see npm login and publish caveat |

npm Login and Publish Caveat

For users who need to log in and publish packages to the public npm registry (not Artifactory): npm publish works because PUT requests are not redirected. Default npm login (web login) fails because the SASE intercepts a GET in the login flow.

Workarounds:

  • Option 1: Add a token directly in .npmrc using npm config set (local config only) — works
  • Option 2: Use legacy login: npm login --auth-type legacy — works
  • Avoid: Default npm login (web login) — fails

Anonymous access (npm)

Anonymous permissions and the SASE redirect (no end-user Artifactory token) are covered in Step 4: Configure Anonymous Access, Repository Architecture, and the Overview (public packages / private packages behavior). There are no additional npm-specific anonymous rules.

Testing (npm)

To verify npm traffic through PTC:

  1. Redirect: Run npm install express --loglevel verbose (or another public package) with SASE redirect rules active. In the output, confirm GET requests go to your Artifactory hostname / npm remote repository API path after the redirect, not only to the public registry.
  2. Artifactory: In the UI, confirm express (and deps) appear in the npm remote cache (e.g. npm-remote-registry).
  3. Curation (optional): Curation > Audit shows an Approved entry for the package when Curation is enabled.
  4. Blocked package (optional): npm install <blocked-package> should fail with a policy violation when blocking policies apply.
  5. POST passthrough: npm audit should still reach the public registry (POST not redirected).

npm installs through PTC are verified when GET traffic reaches Artifactory and npm audit still works.


Python PyPI Configuration

Intercept Settings for Python

| Setting | Value |
|---|---|
| URLs to add | pypi.org, files.pythonhosted.org (both are common; confirm in your traffic — see Public Registry Hostnames) |
| Request Methods | Start with GET and HEAD only on the redirect rule, same discipline as npm |
| Excluded Methods | POST off the redirect unless you have explicitly validated a tool that must be redirected via POST (unusual for simple pip install / uv pip install) |

pip, Poetry, and uv mostly use GET for Simple API metadata and artifact downloads, but ecosystem tools evolve—if a command fails after enabling the redirect, inspect method and host in your SASE and adjust the rule or category.

Trust Stores and Clients for Python

Use scripts/README.md for REQUESTS_CA_BUNDLE, UV_NATIVE_TLS, SSL_CERT_FILE, and version-specific notes for pip, Poetry, and uv. The SASE trust-store guidance linked from Prerequisites also applies.

Strict SSL Certificate Validation in Python Tools

Python-based package tools use Python's built-in ssl module for HTTPS connections, which requires certificates to be RFC 5280 compliant. If your SASE provider uses an older certificate that doesn't meet these requirements, some Python-based tools may encounter TLS errors.

This is not tied to a specific Python version — it depends on the combination of the certificate in use and the OpenSSL version Python was compiled against.

Impact by tool:

| Tool | Non-compliant certificate |
|---|---|
| Poetry | May be affected (uses httpx → Python ssl) |

Resolution: Ask your SASE provider administrator to update the CA certificate to an RFC 5280 compliant version. Most providers have issued updated certificates since mid-2024 — once updated, all tools listed above should work without any further configuration.

Configuring Artifactory to Support Poetry for PTC

Poetry version 1.7.0 or later is supported as a PyPI client for PTC. Earlier versions of Poetry are not supported. Because Poetry uses the PyPI Simple API with JSON responses, the Artifactory PyPI remote repository used as the PTC repo_key must have JSON indexing enabled.

To enable JSON indexing on your PyPI repository:

  1. In the Administration module, navigate to Artifactory Settings > Packages Settings.
  2. Under PyPI, select the Enable simple json format checkbox.
  3. Click Save.

JSON indexing is enabled for Poetry and other JSON-aware PyPI clients using the PTC redirect path.

For full details on creating and configuring PyPI repositories and connecting Poetry to Artifactory, see PyPI Repositories in the JFrog documentation.

Anonymous Access for PyPI

Anonymous access configuration is the same across all package managers. See Step 4: Configure Anonymous Access.

Locks and Reproducibility for Python

As with npm, CI that does not traverse PTC may resolve artifacts differently than developer laptops. Align requirements.txt, Poetry, uv.lock, and pip-tools workflows across teams; watch for strict pip install --require-hashes or offline installs that assume direct PyPI URLs.

Testing for Python

To verify PyPI traffic through PTC:

  1. With your SASE and Artifactory configured for PyPI, run a public install, for example pip install requests or uv pip install requests (use the same tool your teams standardize on).
  2. In Artifactory, confirm the package appears under the PyPI remote repository configured as the PTC repo_key.
  3. If Curation is enabled on that remote, check Curation > Audit for an expected decision.

PyPI installs through PTC are verified when packages appear in Artifactory and optional Curation audit entries look correct.



RubyGems Configuration

Intercept Settings for RubyGems

| Setting | Value |
|---|---|
| URLs to add | rubygems.org, api.rubygems.org (see Public Registry Hostnames) |
| Request Methods | GET and HEAD only |
| Excluded Methods | POST (not used by gem or Bundler for package downloads) |

Register RubyGems with Package Reroute

Create a RubyGems remote repository in Artifactory (package type: Gems, upstream URL: https://rubygems.org), then register it with the Package Reroute API:

curl -X PUT "https://<YOUR_ARTIFACTORY_URL>/artifactory/api/package-reroute/config/gems" \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"repo_key": "<YOUR_GEMS_REMOTE_REPO_KEY>"}'

Where:

  • <YOUR_ARTIFACTORY_URL>: Your JFrog Platform hostname (for example acme.jfrog.io)
  • <TOKEN>: Admin JWT or Basic auth credentials
  • <YOUR_GEMS_REMOTE_REPO_KEY>: The key of your RubyGems remote repository

Trust Stores and Clients for RubyGems

Ruby clients (gem, Bundler) use OpenSSL for HTTPS and read the SASE CA from the SSL_CERT_FILE environment variable.

| Platform | How to configure |
|---|---|
| Windows | Run install_certs_windows.ps1 -Package ruby (or -Package all). Sets SSL_CERT_FILE to the generated bundle. |
| Linux (Debian/Ubuntu) | Run install_certs_debian_ubuntu.sh with --package python, huggingface, or all. Sets SSL_CERT_FILE to the system CA bundle — Ruby shares this variable with Python. |
| macOS | The macOS install script does not include a Ruby package flag. Set SSL_CERT_FILE manually to the path of your SASE CA bundle (for example export SSL_CERT_FILE=~/package-route.pem). See Configure Workstation for PTC for CA extraction steps. |

Testing (RubyGems)

To verify RubyGems traffic through PTC:

  1. With SASE redirect rules active, run gem install <package> --verbose. Confirm GET requests go to your Artifactory hostname after the redirect.
  2. In Artifactory, confirm the gem appears in your RubyGems remote repository cache.
  3. If Curation is enabled, confirm an Approved entry appears under Curation > Audit.

Cargo (Rust) Configuration

Intercept Settings for Cargo

| Setting | Value |
|---|---|
| URLs to add | crates.io, index.crates.io, static.crates.io (see Public Registry Hostnames) |
| Request Methods | GET and HEAD only |
| Excluded Methods | POST (not used by cargo for package fetching) |

index.crates.io serves the sparse registry index (Cargo 1.68 and later). static.crates.io serves crate tarballs via CDN. Include all three hostnames in your SASE intercept list.

Register Cargo with Package Reroute

Create a Cargo remote repository in Artifactory (package type: Cargo, upstream URL: https://crates.io), then register it with the Package Reroute API:

curl -X PUT "https://<YOUR_ARTIFACTORY_URL>/artifactory/api/package-reroute/config/cargo" \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"repo_key": "<YOUR_CARGO_REMOTE_REPO_KEY>"}'

Where:

  • <YOUR_ARTIFACTORY_URL>: Your JFrog Platform hostname (for example acme.jfrog.io)
  • <TOKEN>: Admin JWT or Basic auth credentials
  • <YOUR_CARGO_REMOTE_REPO_KEY>: The key of your Cargo remote repository

Trust Stores and Clients for Cargo

Cargo uses Rust's native TLS implementation, which reads CA certificates from the OS trust store on all platforms. No additional environment variable or cert bundle configuration is required — standard OS-level trust (macOS Keychain, Windows Certificate Store, Linux system CA bundle) is sufficient when the SASE CA is installed at the OS level by your install scripts.

| Platform | How to configure |
|---|---|
| Windows | Ensure the SASE CA is in the Windows Certificate Store (Machine or User). The standard install_certs_windows.ps1 installs the cert into the OS store as part of npm/Python setup. |
| Linux (Debian/Ubuntu) | Ensure the SASE CA is in the system trust store (the install script handles this). |
| macOS | Ensure the SASE CA is trusted in the macOS Keychain. The install script exports from Keychain; Cargo reads from it natively. |

Testing (Cargo)

To verify Cargo traffic through PTC:

  1. With SASE redirect rules active, run cargo fetch or cargo build on a project with crates.io dependencies. Confirm requests go to your Artifactory hostname.
  2. In Artifactory, confirm the crate appears in your Cargo remote repository cache.
  3. If Curation is enabled, confirm an Approved entry appears under Curation > Audit.

Docker, Hugging Face, and other types

Docker: Registry hostnames (Docker Hub, GHCR, and others) belong in your SASE intercept list when those clients are in scope. Container trust is not the host OS profile — see Containers and Virtual Environments on the workstation configuration page, and Docker’s Using Docker with Zscaler (written for Zscaler, but the same CA-trust pattern applies to any TLS-inspecting SASE proxy).

Docker — clients verified by JFrog

The table below lists Docker clients currently covered in this documentation.

| Layer | Clients | Status |
|---|---|---|
| Container engines | OrbStack, Rancher Desktop, Colima | Verified |
| Container engines | Docker Desktop | Commonly used with the same workflow; validate end-to-end in your environment |
| CLI clients (on top of any engine above) | docker, nerdctl | Verified |
| Not supported | Podman | Not supported for PTC as documented here |

If your standard client is not listed, validate in your environment and confirm support with your JFrog team.

  • Hugging Face: Use Hugging Face Repositories for remote repository layout and credentials. The PTC repo_key for huggingfaceml must be a Hugging Face remote repository. Add huggingface.co (and any CDN hosts your traces show) to your SASE intercept list when that traffic should be redirected. Important: the SASE redirect rule for Hugging Face must use GET only — do not include HEAD. This applies to all SASE providers (Zscaler, Netskope, Cloudflare, and others). Create a separate redirect rule or policy for huggingface.co distinct from npm/PyPI rules. Xet must be disabled on workstations using PTC for Hugging Face (HF_HUB_DISABLE_XET=1). For limitations (gated models, Xet, large-asset behavior), see Hugging Face models and registry limitations.
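
The hostname table and the per-ecosystem method rules above (GET and HEAD for npm, PyPI, RubyGems and Cargo; GET only for Hugging Face) can be checked mechanically before a rule goes live. The following is an added example, not JFrog's or any SASE provider's code. The rule dictionary shape (name, hosts, methods), the `lint_rules` helper, and the sample rule are assumptions for illustration.

```python
"""Lint SASE redirect rules against this page's hostname and method tables."""

# (hostnames to intercept, methods to redirect) per ecosystem, as listed on this page.
ECOSYSTEMS = {
    "npm": ({"registry.npmjs.org", "registry.npmjs.com", "registry.yarnpkg.com"},
            {"GET", "HEAD"}),
    "pypi": ({"pypi.org", "files.pythonhosted.org"}, {"GET", "HEAD"}),
    "rubygems": ({"rubygems.org", "api.rubygems.org"}, {"GET", "HEAD"}),
    "cargo": ({"crates.io", "index.crates.io", "static.crates.io"}, {"GET", "HEAD"}),
    "huggingface": ({"huggingface.co"}, {"GET"}),  # GET only: HEAD stays off the rule
}
HOST_TO_ECO = {h: eco for eco, (hosts, _) in ECOSYSTEMS.items() for h in hosts}


def lint_rules(rules, enabled):
    """Return sorted (severity, rule name, message) findings.

    rules:   list of {"name", "hosts", "methods"} dicts (hypothetical export shape).
    enabled: ecosystems that have a Package Reroute remote repository configured.
    """
    findings, covered = [], set()
    for rule in rules:
        methods = {m.upper() for m in rule["methods"]}
        for host in (h.lower() for h in rule["hosts"]):
            eco = HOST_TO_ECO.get(host)
            if eco is None:
                findings.append(("WARN", rule["name"],
                                 f"{host}: not in the hostname table; confirm in SASE logs"))
                continue
            covered.add(host)
            allowed = ECOSYSTEMS[eco][1]
            for m in sorted(methods - allowed):  # e.g. POST on npm breaks npm audit
                findings.append(("ERROR", rule["name"],
                                 f"{host}: {m} is outside the redirect methods listed for {eco}"))
            for m in sorted(allowed - methods):
                findings.append(("WARN", rule["name"], f"{host}: {m} is not redirected for {eco}"))
    for eco in enabled:
        for host in sorted(ECOSYSTEMS[eco][0] - covered):
            findings.append(("WARN", "-", f"{host}: no rule intercepts this {eco} hostname"))
    return sorted(findings)


# Constructed sample: a single catch-all rule that mixes ecosystems and includes POST.
SAMPLE_RULES = [{"name": "all-registries", "hosts": ["registry.npmjs.org", "huggingface.co"],
                 "methods": ["GET", "HEAD", "POST"]}]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES, enabled=["npm", "huggingface"]):
        print(*finding, sep="\t")
```

Because each hostname is judged against its own ecosystem's methods, a rule that combines huggingface.co with npm or PyPI hosts is flagged for HEAD, which is why the page asks for a separate Hugging Face rule.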


Frequently Asked Questions

This section provides answers to frequently asked questions about per-package-type configuration for Package Traffic Controller (PTC).

Q: Why must npm redirect rules exclude POST requests?

A: npm audit sends POST to registry.npmjs.org. Redirecting POST breaks audit. Allow only GET and HEAD on the redirect rule. See Why POST must be excluded (npm).

Q: Which Docker container engines are verified for PTC?

A: This documentation covers OrbStack, Rancher Desktop, Colima, docker, and nerdctl. Podman is not supported. See Docker — clients verified by JFrog.

Q: How do I make npm work inside Docker containers behind SASE?

A: Bake or mount the SASE CA and set NODE_EXTRA_CA_CERTS. Containers do not inherit the host trust store automatically. See Docker Configuration for npm (Node.js).

Q: Why is HF_HUB_DISABLE_XET=1 required for Hugging Face?

A: Hugging Face Xet is not supported through the PTC redirect flow. Set the variable on workstations using PTC for Hugging Face. See Limitations and Troubleshooting.
