This is a solution to a common problem with Nexus Docker repositories: the administrator has to expose one port for "pull", another port for "push", and further ports for each hosted repository. The solution uses an Nginx reverse proxy to avoid exposing these ports.
Given:
- Nexus hostname is "nexus.example.com"
- Nexus web port is 8081
- A hosted repository is named "docker-hosted"
- A group repository is named "docker-group"
- Your nginx (with the nginx.conf of this gist) will run for example under cregistry.example.com
The following Nginx configuration file is for a reverse proxy that does not need the connector ports of Nexus to be exposed:
- docker pull cregistry.example.com/myimage
  lets Nginx forward the request to "docker-group"
- docker push cregistry.example.com/myimage
  lets Nginx forward the request to "docker-hosted"
- If you have more than one hosted repository, create another Nginx reverse proxy for it, then aggregate them using a parent Nginx reverse proxy that forwards the request according to certain criteria (i.e. the Host header).
- All Nexus repositories must have a consistent authentication configuration: either all require authentication, or none do.
- If TLS is enabled with Nexus, change
  proxy_set_header X-Forwarded-Proto "http";
  to
  proxy_set_header X-Forwarded-Proto "https";
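One way to write the method-based routing described above, as an added example that is not the gist's own nginx.conf. It assumes Nexus serves each Docker repository under /repository/<name>/ on its web port and that "docker-hosted" is a member of "docker-group"; the upstream name and the map variable are made up for the example.

```nginx
# Added illustration, not the gist's nginx.conf. Place inside the http {} context.
# Assumption: Nexus answers Docker API calls at /repository/<name>/v2/... on port 8081.
upstream nexus {
    server nexus.example.com:8081;    # Nexus web port only; no connector ports
}

# Read-only methods (pull) go to the group, everything else (push) to the hosted repo.
map $request_method $nexus_docker_repo {
    default docker-hosted;            # POST, PUT, PATCH, DELETE
    GET     docker-group;
    HEAD    docker-group;
}

server {
    listen 80;
    server_name cregistry.example.com;

    client_max_body_size 0;           # image layers are large; do not cap uploads

    # Headers are set once here and inherited by the locations below.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Per the note above: use "https" instead if TLS is enabled.
    proxy_set_header X-Forwarded-Proto "http";

    # Upload sessions exist only in the hosted repository, so every method
    # on an upload URL goes there, including HEAD and GET status checks.
    location ~ ^/v2/.+/blobs/uploads/ {
        proxy_pass http://nexus/repository/docker-hosted$request_uri;
    }

    # All other registry API calls are routed by HTTP method.
    # A proxy_pass that contains variables sends the URI exactly as written.
    location /v2/ {
        proxy_pass http://nexus/repository/$nexus_docker_repo$request_uri;
    }

    # Choice made for this example: nothing but the registry API is reachable
    # through this proxy, so the Nexus UI and REST API stay unexposed.
    location / {
        return 404;
    }
}
```

Because the first `GET /v2/` of every client, pulls and pushes alike, lands on "docker-group", a group that allows anonymous access in front of a hosted repository that requires credentials produces no authentication challenge at login time, which is why the authentication settings must match across repositories.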
Nginx Reverse Proxy for Nexus Docker Registries
My latest version.
Supports any number of your docker repos and all types of docker repos: hosted, group and proxy.
Searching images from the CLI works in the docker repo "docker-group" (creation required). If you add all your docker hosted repos to the group repo and grant read privileges to a role linked to your user, this user can search images from the CLI in Nexus.
For a correct registry API version check and authorization check, the docker repository "docker-login" is required (creation required); the recommended type is group, containing a docker proxy for hub.docker.com.
All users who need access to docker repositories must be granted a role with the permission "nx-repository-view-docker-docker-login-read".
After a successful login, work with internal docker repositories is managed by Nexus permissions.
For example: if you don't grant permission to the docker repo "super-secret-docker-hosted-repo", you can authorize, but can't pull or push images from the "super-secret-docker-hosted-repo" docker repo.
The Nexus API URI changed from /v1/ to /api/v1/.
UPD: Added a feature like in hub.docker.com: pulling an image from a Nexus hosted docker repository without setting the docker repository name.
Creating the docker hosted repository "library" is required.
The feature is in the next block:
Example:
docker pull nexus.example.org/image:latest
If the image is not found, the search falls back to "docker-group".
UPD2: Fixed min uses for the negative cache.