Providing access to the Nexus user interface and content via HTTPS only is a recommended best practice for any deployment.
The recommended approach to implementation is to proxy Nexus behind a server that is configured to serve content via SSL and leave Nexus configured for plain HTTP. The advantage of this approach is that Nexus can easily be upgraded and there is no need to work with the JVM truststore. In addition, you can use the expertise of your system administrators and their preferred server for the proxying, which in most cases will already be in place for other systems.
Common choices are servers like Apache httpd, nginx, Eclipse Jetty or even dedicated hardware appliances. All of them can easily be configured to serve SSL content, and there is a large amount of reference material available for configuring these servers to serve secure content. For example, Apache httpd would be configured to use mod_ssl.
Alternatively the Jetty instance that is part of the default Nexus install can be configured to serve SSL content directly, and if you would like to avoid the extra work of putting a web server like Apache httpd in front of Nexus, this section shows you how to do that.
Keep in mind that you will have to redo some of these configurations each time you upgrade Nexus, since they are modifications to the embedded Jetty instance located in $NEXUS_HOME.
To configure Nexus to serve SSL directly to clients, you need to perform the following steps:

1. As a first step you have to add the file jetty-https.xml to the Jetty startup configuration in wrapper.conf as detailed in Section 3.10.2, “Nexus Configuration Directory”.

2. Next, the port you want to use for the HTTPS connection has to be defined by setting the application-port-ssl property in

3. Now you are ready to create a keystore file. Instructions are available on the Jetty documentation site or directly on the documentation site for
a result of this procedure you will have a keystore file and the password values for

4. Insert the values in the jetty-https.xml file in NEXUS_HOME/conf. The default configuration in that file suggests creating a subdirectory NEXUS_HOME/conf/ssl, copying the file in there and renaming it to keystore.jks. You can either do that or choose a different location or filename for your keystore file and update the paths for the truststore in the

5. Once this is all in place you can start up Nexus and access the user interface at, e.g., https://localhost:8443/nexus. If you have just created a self-signed certificate, modern web browsers will warn you about the certificate and you will have to acknowledge that it is self-signed. To avoid this behavior, you have to get a certificate signed by a certificate authority or reconfigure the web
Nexus is now available via HTTPS. If desired you can configure automatic redirection from HTTP to HTTPS by adding usage of jetty-http-redirect-to-https.xml as additional app parameters in wrapper.conf, as well as updating the Base URL in your Nexus server
If you are setting up this redirection and therefore aim to expose your Nexus server only via HTTPS, you should also configure Nexus to mark session cookies as secure, so that browsers only send them over HTTPS connections. This prevents the session cookie from being exposed, and the session hijacked, over an unencrypted connection. You can configure
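The keystore creation, the HTTP to HTTPS redirect and the Secure cookie flag described above can be exercised with the following shell script, an added example that is not part of the Nexus documentation. It assumes the keystore path and HTTPS URL given above, a plain HTTP port of 8081, and a hypothetical key alias, password and certificate name for a test keystore.

```shell
#!/bin/sh
# Added example, not from the Nexus docs. Keystore path and HTTPS URL follow the text
# above; the HTTP port, key alias, password and DN are assumptions for a test setup.
set -u
NEXUS_HOME="${NEXUS_HOME:-/opt/nexus}"
KEYSTORE="$NEXUS_HOME/conf/ssl/keystore.jks"
HTTP_URL="${HTTP_URL:-http://localhost:8081/nexus}"
HTTPS_URL="${HTTPS_URL:-https://localhost:8443/nexus}"

# Create a self-signed keystore for a test deployment (keytool ships with the JDK).
# A production instance should hold a CA-signed certificate instead.
make_test_keystore() {
  mkdir -p "$(dirname "$KEYSTORE")"
  keytool -genkeypair -keystore "$KEYSTORE" -storepass changeit -keypass changeit \
    -alias nexus -keyalg RSA -keysize 2048 -validity 365 -dname "CN=localhost, O=Example"
}

# Reads raw response headers on stdin; succeeds only for a 3xx response whose
# Location header points at an https:// URL (the redirect step above).
redirects_to_https() {
  hdrs=$(tr -d '\r')
  printf '%s\n' "$hdrs" | grep -qE '^HTTP/[0-9.]+ 30[1278]' || return 1
  printf '%s\n' "$hdrs" | grep -iqE '^Location:[[:space:]]*https://' || return 1
}

# Reads raw response headers on stdin; returns 0 if every Set-Cookie header carries
# the Secure attribute, 1 if any lacks it, 2 if the response set no cookie.
cookies_are_secure() {
  hdrs=$(tr -d '\r')
  set_cookies=$(printf '%s\n' "$hdrs" | grep -i '^Set-Cookie:' || true)
  [ -n "$set_cookies" ] || return 2
  printf '%s\n' "$set_cookies" \
    | grep -ivqE ';[[:space:]]*secure([[:space:]]*;|[[:space:]]*$)' && return 1
  return 0
}

# Live probes against a running Nexus (needs curl). -k trusts the self-signed test
# certificate and should be dropped once a CA-signed certificate is installed.
probe() {
  if curl -sS -o /dev/null -D - "$HTTP_URL/" | redirects_to_https; then
    echo "OK   HTTP port redirects to HTTPS"; else echo "WARN no HTTP->HTTPS redirect"; fi
  rc=0
  curl -sSk -o /dev/null -D - "$HTTPS_URL/" | cookies_are_secure || rc=$?
  case $rc in
    0) echo "OK   session cookie is marked Secure" ;;
    2) echo "INFO response set no cookie" ;;
    *) echo "WARN a cookie was set without the Secure attribute" ;;
  esac
}
if [ "${1:-}" = "--run" ]; then probe; fi
```

Run `sh check.sh --run` against a started Nexus to see the three verdicts; the two header checks can also be fed saved `curl -D -` output for offline review.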