Repository Management with Nexus
23.3. Configuring Nexus to Serve SSL
Providing access to the Nexus user interface and content via https only is a recommended best practice for any deployment.
The recommended approach to implementation is to proxy Nexus behind a server that is configured to serve content via SSL and leave Nexus configured for http. The advantage of this approach is that Nexus can easily be upgraded and there is no need to work with the JVM truststore. In addition you can use the expertise of your system administrators and the preferred server for achieving the proxying, which in most cases will already be in place for other systems.
Common choices are servers like Apache httpd, nginx, Eclipse Jetty or even dedicated hardware appliances. All of them can easily be configured to serve SSL content and there is a large amount of reference material available for configuring these servers to serve secure content. For example Apache httpd would be configured to use mod_ssl.
Alternatively the Jetty instance that is part of the default Nexus install can be configured to serve SSL content directly, and if you would like to avoid the extra work of putting a web server like Apache httpd in front of Nexus, this section shows you how to do that.
Keep in mind that you will have to redo some of these configurations each time you upgrade Nexus, since they are modifications to the embedded Jetty instance located in $NEXUS_HOME.
To configure Nexus to serve SSL directly to clients, you’ll need to perform the following steps.
All examples given here can be found in the Nexus distribution under $(NEXUS_HOME)/conf/examples. Before you customize your Nexus configuration to serve SSL, keep in mind the following:
- Any custom Jetty configuration must be contained in the $(NEXUS_HOME)/conf/jetty.xml file, or else in the location referenced by the jetty.xml property in $(NEXUS_HOME)/conf/nexus.properties (in case you’ve customized this location).
- While the instructions below will work with Nexus Open Source, these instructions assume the filesystem of Nexus Professional. If you are missing Jetty JAR files, you should obtain them from the Jetty project page: http://www.eclipse.org/jetty/
Follow the instructions on the How to configure SSL page on the Jetty Wiki to set up the appropriate keys and certificates in a form that Jetty can use.
The jetty-util jar and the main Jetty jar can be found in $NEXUS_HOME/lib. The command line used to import an OpenSSL key+cert in PKCS12 format is:
$ keytool -importkeystore -srckeystore <your-certificate.p12> -srcstoretype PKCS12 -destkeystore <keystore> -deststoretype JKS
The command line used to generate an obfuscated password hash is:
$ java -cp jetty-util-8.1.8.v20121106.jar org.eclipse.jetty.util.security.Password <your-password>
The OBF line that is the output of the command above will be used in the jetty.xml three times. You’ll need to run the previous command three times to generate the obfuscated values for three passwords:
- The Key Password
- The Trust Store Password
- The Key Store Password
In the next section, the key store and trust store are the same file, with the same password.
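The OBF value that the Password tool prints is a reversible encoding rather than a hash, so jetty.xml still contains the keystore passwords in recoverable form and should be readable only by the account that runs Nexus. The following Python re-implementation of Jetty's OBF encoding is an added example, not code from Nexus or the Jetty project; it assumes ASCII passwords (Jetty releases differ in how they encode non-ASCII bytes) and lets you check the strings you paste into jetty.xml without a JVM.

```python
"""Re-implementation of the OBF encoding used by
org.eclipse.jetty.util.security.Password (constructed example, not Jetty code).

Each byte is paired with its mirror byte from the other end of the password and
the pair is written as four base-36 digits, so the value is trivially reversible.
Only ASCII passwords are handled; non-ASCII input is rejected rather than guessed.
"""

_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Render a non-negative integer as lowercase base-36 digits."""
    digits = []
    while True:
        n, r = divmod(n, 36)
        digits.append(_BASE36[r])
        if n == 0:
            return "".join(reversed(digits))


def obfuscate(password: str) -> str:
    """Return the 'OBF:...' line that the Jetty Password tool prints for an ASCII password."""
    raw = password.encode("ascii")  # raises UnicodeEncodeError for non-ASCII
    n = len(raw)
    chunks = ["OBF:"]
    for i in range(n):
        b1, b2 = raw[i], raw[n - 1 - i]        # byte and its mirror byte
        i1 = 127 + b1 + b2                     # 127..381
        i2 = 127 + b1 - b2                     # 0..254
        chunks.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(chunks)


def deobfuscate(obf: str) -> str:
    """Recover the password from an OBF value; this is what the Jetty tool does
    when handed an 'OBF:' string, which is why jetty.xml needs tight permissions."""
    if obf.startswith("OBF:"):
        obf = obf[4:]
    if len(obf) % 4:
        raise ValueError("OBF value must be a multiple of 4 digits")
    out = bytearray()
    for pos in range(0, len(obf), 4):
        i1, i2 = divmod(int(obf[pos:pos + 4], 36), 256)
        out.append((i1 + i2 - 254) // 2)       # i1 + i2 == 254 + 2 * b1
    return out.decode("ascii")


if __name__ == "__main__":
    obf = obfuscate("password")
    print(obf)                                 # same line the Jetty tool prints
    print(deobfuscate(obf))
```

Run the block with the same password you gave the Jetty tool; the two OBF lines must match before you paste the value into jetty.xml.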
An example jetty.xml with the required modifications can be found in $NEXUS_HOME/conf/examples/jetty-ssl.xml, inside your Nexus distribution.
Insert the OBF output from the earlier command in the addConnector section, in the setters for password, keyPassword and trustPassword.
The default Nexus port is one that many people would more naturally associate with non-SSL connections. You may wish to modify this port to something like 8443, or even 443 (if you have root access from which to start Nexus). To change this property, modify the $(basedir)/conf/nexus.properties file.
You may wish to enable both types of connections, with appropriate rewrite rules between them. Such a configuration is beyond the scope of this section; if you’re interested, please refer to the Jetty Documentation Hub for some information to get you started. Additionally, you may need to add extra port properties to the nexus.properties configuration file to accommodate both SSL and non-SSL connections.