This is a solution to a common problem with Nexus Docker repositories: the administrator has to expose one port for "pull", another port for "push", and further ports for each hosted repository. This solution uses an Nginx reverse proxy to avoid exposing these ports.
Given:
- Nexus hostname is "nexus.example.com"
- Nexus web port is 8081
- A hosted repository is named "docker-hosted"
- A group repository is named "docker-group"
- Your nginx (with the nginx.conf of this gist) will run for example under cregistry.example.com
The following Nginx configuration file is for a reverse proxy that removes the need to expose connector ports from Nexus:
- docker pull cregistry.example.com/myimage
  lets Nginx forward the request to "docker-group"
- docker push cregistry.example.com/myimage
  lets Nginx forward the request to "docker-hosted"
- If you have more than one hosted repository, create another Nginx reverse proxy for it, then aggregate them using a parent Nginx reverse proxy that forwards the request according to certain criteria (e.g. the Host header).
- All Nexus repositories must have a consistent authentication configuration: either all require authentication, or none do.
- If TLS is enabled with Nexus, change
  proxy_set_header X-Forwarded-Proto "http";
  to
  proxy_set_header X-Forwarded-Proto "https";
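The routing described above, written out as an added example; it is not the gist's own nginx.conf. Hostnames, the web port and the repository names come from the "Given" list. The method-based map, the treatment of HEAD as a read, the forwarded headers, and the assumption that "docker-group" contains "docker-hosted" as a member are choices made for this example.

```nginx
# Added example, not the gist's nginx.conf.
# Assumption: write methods identify a push; everything else is a pull.
# HEAD is treated as a read here, so existence checks go to the group,
# which is assumed to include docker-hosted as a member.
map $request_method $nexus_repo {
    default  docker-group;
    POST     docker-hosted;
    PUT      docker-hosted;
    PATCH    docker-hosted;
    DELETE   docker-hosted;
}

server {
    listen 80;
    server_name cregistry.example.com;

    # Image layers are large; do not cap the upload body size.
    client_max_body_size 0;

    location /v2/ {
        # /v2/<path> -> /repository/<repo>/v2/<path> on the Nexus web port,
        # so no Docker connector port has to be exposed by Nexus.
        rewrite ^/v2/(.*)$ /repository/$nexus_repo/v2/$1 break;
        proxy_pass http://nexus.example.com:8081;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Set to "https" if TLS is enabled, as noted in the list above.
        proxy_set_header X-Forwarded-Proto "http";
    }
}
```

Because both repositories answer under the same hostname, a client authenticates once for both, which is why the authentication settings of the two repositories have to match.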
Hi guys!
Here we go again:)
So I need to set up a specific proxy from an Nginx load balancer.
I have this setup:
Nginx that is balancing traffic between Nexus and Harbor.
For some reasons I need to redirect all POST|PUT|DELETE|PATCH|HEAD requests to Harbor, and keep GET requests from Nexus.
I prepared this config:
When I run docker push to Nexus, e.g.
docker push nexus.my.domain/projectname/nginx:stable-alpine-slim
it should redirect and push the image to Harbor, but I see the error
denied: Deploying to groups is a PRO-licensed feature. See https://links.sonatype.com/product-nexus-repository
When I create an additional upstream in the Nexus Nginx config that points to the Harbor server and port and modify the proxy like this:
and push the image like in the previous step, I see
unauthorized: unauthorized to access repository: projectname/nginx, action: push: unauthorized to access repository: projectname/nginx, action: push
The repo in Harbor exists, and docker is logged in to both the Harbor and Nexus repositories.
My user has access rights to the project in Harbor and Nexus.
I don't know whom Harbor is saying this to: me, or Nexus (maybe for some reason docker push goes from the Nexus instance, I don't know).
Does Nexus support this feature or not? Maybe I'm doing something wrong, I don't know.
Maybe someone has tried to do the same thing?
I appreciate your help!
Thank you in advance!