Repository Management with Nexus

24.3. Configuring Nexus to Serve via SSL

Providing access to the Nexus user interface and content via HTTPS only is a recommended best practice for any deployment.

The recommended approach is to proxy Nexus behind a server that is configured to serve content via SSL and leave Nexus itself configured for plain HTTP. The advantage of this approach is that Nexus can be upgraded easily and there is no need to work with the JVM truststore. In addition, you can rely on the expertise of your system administrators and their preferred server for the proxying, which in most cases will already be in place for other systems.

Common choices are servers like Apache httpd, nginx, Eclipse Jetty or even dedicated hardware appliances. All of them can easily be configured to serve SSL content, and there is a large amount of reference material available for configuring these servers to serve secure content. For example, Apache httpd would be configured to use mod_ssl.

Alternatively, the Jetty instance that is part of the default Nexus install can be configured to serve SSL content directly. If you would like to avoid the extra work of putting a web server like Apache httpd in front of Nexus, this section shows you how to do that.

[Tip]

Keep in mind that you will have to redo some of these configurations each time you upgrade Nexus, since they are modifications to the embedded Jetty instance located in $NEXUS_HOME.

To configure Nexus to serve SSL directly to clients, you need to perform the following steps:

As a first step you have to add the file jetty-https.xml to the Jetty startup configuration in wrapper.conf as detailed in the installation chapter.

Next, define the port on which Nexus should accept HTTPS connections by setting the application-port-ssl property in nexus.properties, e.g.,

application-port-ssl=8443

Now you are ready to create a keystore file. Instructions are available on the Eclipse Jetty documentation site or directly on the documentation site for the keytool. As a result of this procedure you will have a keystore file and the password values for keyStorePassword, keyManagerPassword and trustStorePassword.

Insert these values in the jetty-https.xml file in NEXUS_HOME/conf. The default configuration in that file suggests creating a subdirectory NEXUS_HOME/conf/ssl and copying the keystore file there. You can either do that or choose a different location for your keystore file and update the paths for the keystore and truststore in the file accordingly.

Once this is all in place you can start up Nexus and access the user interface at, e.g., https://localhost:8443/nexus. If you have just created a self-signed certificate, modern web browsers will warn you about the certificate and you will have to acknowledge the fact that the certificate is self-signed. To avoid this behavior, you have to get a certificate signed by a certificate authority or reconfigure the web browser.

Nexus is now available via HTTPS. If desired, you can configure automatic redirection from HTTP to HTTPS by adding jetty-http-redirect-to-https.xml as an additional app parameter in wrapper.conf and updating the Base URL in your Nexus server configuration.
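Because these edits have to be redone after every upgrade, it helps to script them. The following is an added example, not part of the Nexus distribution: it sets application-port-ssl idempotently and checks the prerequisites of the procedure above before Nexus is started. It assumes the Nexus 2 layout (conf/nexus.properties and bin/jsw/conf/wrapper.conf under NEXUS_HOME) and a keystore named keystore.jks in conf/ssl; both are assumptions.

```shell
#!/bin/sh
# Added helper (not Nexus's own code) for the HTTPS setup described above.
# Assumed layout: $NEXUS_HOME/conf/nexus.properties, $NEXUS_HOME/bin/jsw/conf/
# wrapper.conf and, by assumption, the keystore at $NEXUS_HOME/conf/ssl/keystore.jks.
set -u

# Set application-port-ssl in conf/nexus.properties, dropping any previous
# value so repeated runs (e.g. after an upgrade) never leave duplicate keys.
nexus_set_ssl_port() {
    home="$1"; port="$2"
    props="$home/conf/nexus.properties"
    if [ -f "$props" ]; then
        grep -v '^application-port-ssl=' "$props" > "$props.tmp" || true
    else
        : > "$props.tmp"
    fi
    printf 'application-port-ssl=%s\n' "$port" >> "$props.tmp"
    mv "$props.tmp" "$props"
}

# Verify what the chapter requires before starting Nexus: jetty-https.xml
# listed in wrapper.conf, the SSL port property set, a keystore present where
# the default jetty-https.xml expects it, and that keystore not readable by
# every local user (it holds the server's private key). Returns 0 if all pass.
nexus_check_ssl_config() {
    home="$1"; rc=0
    if ! grep -q 'jetty-https\.xml' "$home/bin/jsw/conf/wrapper.conf" 2>/dev/null; then
        echo "wrapper.conf does not load jetty-https.xml"; rc=1
    fi
    if ! grep -q '^application-port-ssl=[0-9][0-9]*$' "$home/conf/nexus.properties" 2>/dev/null; then
        echo "application-port-ssl is not set in nexus.properties"; rc=1
    fi
    ks="$home/conf/ssl/keystore.jks"
    if [ ! -f "$ks" ]; then
        echo "keystore $ks is missing"; rc=1
    else
        # 8th character of the ls -l mode string is the "others read" bit
        case "$(ls -l "$ks")" in
            ???????r*) echo "keystore $ks is world-readable; chmod 600 it"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Example usage: nexus_set_ssl_port /opt/nexus 8443 && nexus_check_ssl_config /opt/nexus
```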