Repository Management with Nexus - 2.12

Share

24.2. Configuring Inbound HTTPS

Available in Nexus Repository Manager OSS and Nexus Repository Manager

Providing access to the user interface and content via HTTPS is a recommended best practice for any deployment.

You have two options:

  • Using a separate reverse proxy server in front of the repository manager to manage HTTPS
  • Configure the repository manager to serve HTTPS directly

Using A Reverse Proxy Server. A common approach is to access the repository manager through a dedicated server which answers HTTPS requests on behalf of it - these servers are called reverse proxies or SSL/TLS terminators. Subsequently requests are forwarded to the repository manager via HTTP and responses received via HTTP are then sent back to the requestor via HTTPS.

There are a few advantages to using these which can be discussed with your networking team. For example, the repository manager can be upgraded/installed without the need to work with a custom JVM keystore. The reverse proxy could already be in place for other systems in your network. Common reverse proxy choices are Apache httpd, nginx, Eclipse Jetty or even dedicated hardware appliances. All of them can be configured to serve SSL content, and there is a large amount of reference material available online.

Serving SSL Directly. We will elaborate here on the second approach, which is to use the Eclipse Jetty instance that is distributed with Nexus Repository Manager to accept HTTPS connections.

[Tip]

Keep in mind that you will have to redo some of these configurations each time you upgrade the repository manager, since they are modifications to the embedded Jetty instance located in $NEXUS_HOME.

To configure the Eclipse Jetty instance to accept HTTPS connections, first enable the file jetty-https.xml to the Jetty startup configuration in wrapper.conf as detailed in Section 3.10.2, “Configuration Directory”.

Next, the HTTP port you want to use for the HTTPS connection has to be defined by setting the application-port-ssl property in nexus.properties.

application-port-ssl=8443

Create a keystore file containing a single certificate that Jetty will use for the HTTPS connections. Instructions are available on the Eclipse Jetty documentation site. You may find the common keytool commands in our SSL Certiicate Guide a useful reference.

Adjust the values in the jetty-https.xml file in NEXUS_HOME/conf to reflect your keystore settings. The default configuration in that file suggests to create a subdirectory NEXUS_HOME/conf/ssl and copy the keystore file in there and rename it to keystore.jks. You can either do that or choose a different location or filename for your keystore file and update the paths for the keystore and truststore in the jetty-https.xml file.

Once this is all in place you can start up the repository manager and access the user interface at e.g., https://localhost:8443/nexus. If you have just created a self-signed certificate, modern web browsers will warn you about the certificate and you will have to acknowledge the fact that the certificate is self-signed. To avoid this behavior, you have to get a certificate signed by a signing authority or reconfigure the web browser.

The repository manager is now available via HTTPS. If desired you can configure automatic redirection from HTTP to HTTPS by adding usage of jetty-http-redirect-to-https.xml as additional app parameters in wrapper.conf as well as update the Base URL in your server configuration.