Installing Sonatype Nexus With Nginx Reverse Proxy & HTTPS

Introduction to Sonatype Nexus

Sonatype Nexus is a powerful repository manager that has become an essential tool in modern software development ecosystems. It serves as a central hub for storing and managing various types of artifacts, including Maven dependencies, NPM packages, Docker images, and more.

But for a container image registry, I prefer Harbor:)

Why Use Sonatype Nexus?

1. Centralized Management: Nexus provides a single point of control for all your software artifacts, simplifying dependency management across projects.
2. Improved Build Performance: By caching dependencies locally, Nexus significantly reduces build times and network usage.
3. Enhanced Security: Nexus offers fine-grained access control and can act as a firewall between your organization and public repositories.
4. Support for Multiple Repository Formats: Nexus can handle various repository types, including Maven, NPM, Docker, and raw repositories, among others.
5. CI/CD Pipeline Optimization: For organizations running Continuous Integration and Continuous Deployment (CI/CD) pipelines, Nexus acts as a local cache for dependencies. This caching mechanism substantially improves pipeline performance by reducing network-dependent downloads, leading to faster and more reliable builds. ## Installation with HTTPS

In this guide, we'll walk through the process of installing Nexus and configuring Nginx as a reverse proxy, all containerized using Docker. This setup will provide HTTPS access to your Nexus instance.

Prerequisites

• Docker and Docker Compose installed on your system
• A domain name (for HTTPS configuration)
• SSL certificate and key for your domain

Step 1: Set Up the Directory Structure

First, let's create the necessary directory structure for our Nexus installation:

mkdir nexus && cd nexus && \
mkdir -p config/ssl

Step 2: Create Docker Compose File

Create a docker-compose.yaml file in the nexus directory with the following content:

vim docker-compose.yaml

services:
  nexus:
    image: "sonatype/nexus3:3.72.0"
    volumes:
      - "nexus-data:/nexus-data"
    restart: always
  proxy:
    image: "nginx:alpine"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./config/nginx.conf:/etc/nginx/nginx.conf
      - ./config/ssl/:/etc/nginx/ssl
    restart: always
volumes:
  nexus-data:

This configuration sets up two services:

1. nexus: The Sonatype Nexus service
   • There is no ports published from the nexus service since we will use Nginx for all requests.
2. proxy: An Nginx service acting as a reverse proxy

Step 3: Configure Nginx

Create an Nginx configuration file at config/nginx.conf with the following content:

vim config/nginx.conf

worker_processes 1;

events {
  worker_connections 1024;
}

http {
    proxy_send_timeout 120;
    proxy_read_timeout 300;
    proxy_buffering    off;
    proxy_request_buffering off;
    keepalive_timeout  5 5;
    tcp_nodelay        on;

    server {
        listen 80;
        server_name registry.burakberk.dev;
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name  registry.burakberk.dev;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        client_max_body_size 2G;
        # optimize downloading files larger than 1G - refer to nginx doc before adjusting
        #proxy_max_temp_file_size 2G;
        location / {
            proxy_pass http://nexus:8081;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
        }
    }

    server {
        listen 443 ssl;
        server_name cr.burakberk.dev;
        ssl_certificate /etc/nginx/ssl/cr.crt;
        ssl_certificate_key /etc/nginx/ssl/cr.key;
        client_max_body_size 2G;
        # optimize downloading files larger than 1G - refer to nginx doc before adjusting
        #proxy_max_temp_file_size 2G;
        location / {
            proxy_pass http://nexus:8082/;
            proxy_set_header Host $host;
            proxy_set_header X-REAL-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
        }
    }

    server {
        listen 443 ssl;
        server_name redhat-registry.burakberk.dev;
        ssl_certificate /etc/nginx/ssl/redhat-registry.crt;
        ssl_certificate_key /etc/nginx/ssl/redhat-registry.key;
        client_max_body_size 2G;
        # optimize downloading files larger than 1G - refer to nginx doc before adjusting
        #proxy_max_temp_file_size 2G;
        location / {
            proxy_pass http://nexus:8083/;
            proxy_set_header Host $host;
            proxy_set_header X-REAL-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
        }
    }
}

This configuration sets up HTTP to HTTPS redirection and proxies requests to the Nexus container.

In Nexus, generally container image registries run on different ports. So if you want to host a container image registry, I recommend to create virtual servers as you need in the Nginx configuration above.

For a brief,

• I will create 3 docker proxy registry.
  • Docker hub
  • Red Hat registry
  • GitHub container registry
• Group the Docker hub and Github container registry under a common name
  • Publish it on the port 8082
  • Access with the domain cr.burakberk.dev
• Standalone Red Hat registry
  • Publish it on the port 8083
  • Access with the domain redhat-registry.burakberk.dev

[!tip]
I will share how to configure and use the Nexus repositories in another blog post.

Step 4: Set Up SSL Certificates

You can obtain the SSL certificates from LetsEncrypt for free.
I used self-signed certificates that created with crtforge.

[!note]
If you don't have an SSL certificate, you can obtain one from Let's Encrypt for free if you own a public domain name.
Alternatively, you can create your self-signed SSL certificates by following the Creating Fullchain Self Signed SSL With 3 Commands blog post.

Copy the SSL certificates and keys to the config/ssl directory:

For registry.burakberk.dev:

• Certificate: config/ssl/server.crt
• Key: config/ssl/server.key

For cr.burakberk.dev:

• Certificate: config/ssl/cr.crt
• Key: config/ssl/cr.key

For redhat-registry.burakberk.dev:

• Certificate: config/ssl/redhat-registry.crt
• Key: config/ssl/redhat-registry.key

[!info]
It is best practice to copy fullchain certificate into the server.crt  file.

The overall file structure should be:

$ tree
nexus
├── config
│   ├── nginx.conf
│   └── ssl
│       ├── server.crt
│       └── server.key
└── docker-compose.yml

Step 5: Start the Services

Run the following command to start Nexus and Nginx:

docker compose up -d

Step 6: Retrieve Initial Admin Password

To access the Nexus web UI, you'll need the initial admin password. Retrieve it with the following command:

docker compose exec nexus cat /nexus-data/admin.password

Step 7: Access Nexus Web UI

Open your web browser and navigate to https://registry.burakberk.dev (replace with your actual domain). Log in with the following credentials:

Login with the admin user.

username: admin
password: the password you retrieved in Step 6

Follow the initial setup wizard to change the admin password and configure anonymous access if desired. I will enable anonymous access in my case.

Move to the Nexus Usage

You can head over to the my next post to read Sonatype Nexus 101 to see how to configure Maven, NPM and container image repositories. You can also see some use cases and tests in the blog post.