Repository Management with Nexus

Share

3.8. Running Nexus Behind a Reverse Proxy

The Nexus installation bundle is based on the high-performance servlet container Eclipse Jetty running the Nexus web application. This achieves a very high performance of Nexus and make installation of a separate proxy for performance improvements unnecessary.

However, in many cases organizations run applications behind a proxy for security concerns, familiarity with securing a particular proxy server or to consolidate multiple disparate applications using tools like mod_rewrite.

Some brief instructions for establishing such a setup with Apache httpd follow as an example. We assume that you’ve already installed Apache 2, and that you are using a virtual host for repo.example.com.

Let’s assume that you wanted to host Nexus behind Apache httpd at the URL http://repo.example.com. To do this, you’ll need to change the context path that Nexus is served from.

  1. Edit nexus.properties in $NEXUS_HOME/conf. You’ll see an element named nexus-webapp-context-path. Change this value from /nexus to /
  2. Restart Nexus and Verify that it is available on http://localhost:8081/
  3. Set the Base URL in Nexus as shown in Figure 6.4, “Administration Application Server Settings” under Application Server Settings to the URL that will be the externally available URL of Nexus e.g. http://repo.example.com

At this point, edit the httpd configuration file for the repo.example.com virtual host. Include the following to expose Nexus via mod_proxy at http://repo.example.com/.

ProxyRequests Off
ProxyPreserveHost On

<VirtualHost *:80>
  ServerName repo.example.com
  ServerAdmin admin@example.com
  ProxyPass / http://localhost:8081/
  ProxyPassReverse / http://localhost:8081/
  ErrorLog logs/repo.example.com/nexus/error.log
  CustomLog logs/repo.example.com/nexus/access.log common
</VirtualHost>

If you just wanted to continue to serve Nexus at the /nexus context path, you would not change the nexus-webapp-context-path and you would include the context path in your ProxyPass and ProxyPassReverse

  ProxyPass /nexus/ http://localhost:8081/nexus/
  ProxyPassReverse /nexus/ http://localhost:8081/nexus/

For the user interface to work via the proxy reliably you also need to configure a ProxyPassReverseCookiePath.

  ProxyPass /nexus http://localhost:8081/
  ProxyPassReverse /nexus http://localhost:8081/
  ProxyPassReverseCookiePath / /nexus

When your reverse proxy is configured to serve https, but it proxies with plain http to your Nexus instance, an additional header is required. This will ensure Nexus renders absolute URLs using the correct protocol. When setting this header, make sure that in Figure 6.4, “Administration Application Server Settings” Force Base URL is not checked.

  RequestHeader set X-Forwarded-Proto "https"

Apache configuration is going to vary, based on your own application’s requirements and the way you intend to expose Nexus to the outside world. If you need more details about Apache httpd and mod_proxy, please see the documentation at http://httpd.apache.org and specifically http://httpd.apache.org/docs/current/mod/mod_proxy.html.

A similar setup can be configured with nginx. The following configuration is a simplified example for an nginx server running port 80. This server proxies Neuxs running on the same server (127.0.0.1 = localhost) at the default port 8081 on the default context /nexus:

http {
...
    proxy_send_timeout 120;
    proxy_read_timeout 300;
    proxy_buffering    off;
    keepalive_timeout   5;
    tcp_nodelay        on;
..
    server {
        listen       80;
        server_name  localhost;

        location /nexus {
            proxy_pass http://127.0.0.1:8081;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

The nginx documentation contains further details for setting this up for HTTP as well as for HTTPS, if desired.

If the components proxied include larger files be sure to set client_max_body_size to an appropriate value to ensure uploads and downloads can succeed through nginx.