This is a solution to a common problem with Nexus Docker repositories: the administrator has to expose one port for "pull", another port for "push", and further ports for each hosted repository. This solution leverages an Nginx reverse proxy to avoid using these ports.
Given:
- Nexus hostname is "nexus.example.com"
- Nexus web port is 8081
- A hosted repository is named "docker-hosted"
- A group repository is named "docker-group"
- Your Nginx (with the nginx.conf of this gist) will run, for example, under cregistry.example.com
The following Nginx configuration file is for a reverse proxy without the need to expose connector ports from Nexus:
- docker pull cregistry.example.com/myimage lets Nginx forward the request to "docker-group"
- docker push cregistry.example.com/myimage lets Nginx forward the request to "docker-hosted"
Notes:
- If you have more than one hosted repository, create another Nginx reverse proxy for it, then aggregate them using a parent Nginx reverse proxy that forwards the request according to certain criteria (e.g. the Host header).
- All Nexus repositories must have a consistent authentication configuration: either all require authentication, or none does.
- If TLS is enabled with Nexus, change
  proxy_set_header X-Forwarded-Proto "http";
  to
  proxy_set_header X-Forwarded-Proto "https";
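As an added example (not the gist's own nginx.conf, which is not reproduced on this page), here is the method-based routing described above: read requests go to the group repository and write requests to the hosted one, with the Docker API path rewritten to the Nexus repository path. The hostnames and repository names are those listed above; the certificate paths are placeholders.

```nginx
# Added example, not the gist's nginx.conf. Assumes Nexus at
# nexus.example.com:8081 with repositories "docker-group" and
# "docker-hosted", fronted by cregistry.example.com.
upstream nexus {
    server nexus.example.com:8081;
}

server {
    listen 443 ssl;
    server_name cregistry.example.com;

    # Placeholder certificate paths; replace with your own.
    ssl_certificate     /etc/nginx/certs/cregistry.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/cregistry.example.com.key;

    # Image layers can be large: do not cap the request body.
    client_max_body_size 0;
    chunked_transfer_encoding on;

    location /v2/ {
        # Choose the Nexus repository by HTTP method: GET/HEAD (pull)
        # go to the group, POST/PUT/PATCH/DELETE (push) to the hosted repo.
        # Note that the HEAD blob checks a client makes during a push are
        # reads and therefore also land on the group; see the "unknown
        # blob" comment below for the consequence with proxy members.
        set $nexus_repo docker-group;
        if ($request_method ~* ^(POST|PUT|PATCH|DELETE)$) {
            set $nexus_repo docker-hosted;
        }

        # Nexus serves the Docker API under /repository/<name>/v2/,
        # so rewrite the path the Docker client requests.
        rewrite ^/v2/(.*)$ /repository/$nexus_repo/v2/$1 break;
        proxy_pass http://nexus;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # $scheme is the scheme the client used (https on this listener);
        # the note above gives the literal values the gist uses instead.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
}
```

Check the result with `nginx -t` before reloading, and verify that `docker pull` and `docker push` against cregistry.example.com reach the expected repository in the Nexus request log.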
@AlexGluck I think I found the reason for the "unknown blob".

If your group repo uses both hosted and proxy repos: because the pushed layers contain layer:aaaaaaa, but when pushing layers nginx will route HEAD to group, the response tells the docker client that layer:aaaa exists, but it actually does not exist in hosted. Then, at the last step, PUT manifest, there must be some parse steps; Nexus can't find layer:aaaa in the hosted repo, then throws an error. If you remove all proxy repos from group, push will succeed.

I think it needs some application layer proxy. For example: capture
POST ^/(v1|v2)/(.*?)/blobs/uploads/$
then parse it. Use the parsed data to redirect the next
HEAD ^/(v1|v2)/(.*?)/blobs/uploads/.*?$
to hosted. But it can't be done: the docker client will send the HEAD request directly; there is no pre-request. So, I think it's a countermeasure to avoid this hack behaviour.