Nexus OSS behind Nginx with SSL on.

[vagrant@node1 ~]$ sudo cat /etc/hosts
172.42.42.10 node1
172.42.42.20 private.repo.com
127.0.0.1    localhost localhost.localdomain localhost4 localhost4.localdomain4
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6

[vagrant@node2 ~]$ sudo cat /etc/hosts
172.42.42.20 node2
172.42.42.20 private.repo.com
127.0.0.1    localhost localhost.localdomain localhost4 localhost4.localdomain4
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6

[vagrant@node2]$ docker volume create --name nexus-data
[vagrant@node2]$ docker run -d -p 8081:8081 -p 8085:8085 -p 8086:8086 --name nexus -v nexus-data:/nexus-data sonatype/nexus3:3.21.2

[vagrant@node2 reverseProxy]$ ip route | grep eth1
172.42.42.0/24 dev eth1 proto kernel scope link src 172.42.42.20 metric 101
openssl req -x509 -out cert.crt -keyout cert.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=private.repo.com' -extensions EXT -config <( \
   printf "[dn]\nCN=private.repo.com\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:private.repo.com\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    proxy_send_timeout 120;
    proxy_read_timeout 300;
    proxy_buffering off;
    keepalive_timeout 5 5;
    tcp_nodelay on;

    # Nexus UI / REST API on 8081
    server {
        # "ssl on;" is deprecated; the ssl parameter on listen is the supported form
        listen *:443 ssl;
        server_name 172.42.42.20;
        ssl_certificate /etc/ssl/certs/cert.crt;
        ssl_certificate_key /etc/ssl/certs/cert.key;
        # allow large uploads of files
        client_max_body_size 1G;
        # optimize downloading files larger than 1G
        #proxy_max_temp_file_size 2G;

        location / {
            # Use IPv4 upstream address instead of DNS name to avoid attempts by nginx to use IPv6 DNS lookup
            proxy_pass http://172.42.42.20:8081/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
        }
    }

    # Docker connector on 8085
    server {
        listen *:5085 ssl;
        server_name 172.42.42.20;
        ssl_certificate /etc/ssl/certs/cert.crt;
        ssl_certificate_key /etc/ssl/certs/cert.key;
        # allow large uploads of files
        client_max_body_size 1G;
        # optimize downloading files larger than 1G
        #proxy_max_temp_file_size 2G;

        location / {
            # Use IPv4 upstream address instead of DNS name to avoid attempts by nginx to use IPv6 DNS lookup
            proxy_pass http://172.42.42.20:8085/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
        }
    }

    # Docker connector on 8086
    server {
        listen *:5086 ssl;
        server_name 172.42.42.20;
        ssl_certificate /etc/ssl/certs/cert.crt;
        ssl_certificate_key /etc/ssl/certs/cert.key;
        # allow large uploads of files
        client_max_body_size 1G;
        # optimize downloading files larger than 1G
        #proxy_max_temp_file_size 2G;

        location / {
            # Use IPv4 upstream address instead of DNS name to avoid attempts by nginx to use IPv6 DNS lookup
            proxy_pass http://172.42.42.20:8086/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
        }
    }

    # 8087 is not published by the nexus container started above; add -p 8087:8087 there before relying on this block
    server {
        listen *:5087 ssl;
        server_name 172.42.42.20;
        ssl_certificate /etc/ssl/certs/cert.crt;
        ssl_certificate_key /etc/ssl/certs/cert.key;
        # allow large uploads of files
        client_max_body_size 1G;
        # optimize downloading files larger than 1G
        #proxy_max_temp_file_size 2G;

        location / {
            # Use IPv4 upstream address instead of DNS name to avoid attempts by nginx to use IPv6 DNS lookup
            proxy_pass http://172.42.42.20:8087/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
        }
    }
}
[vagrant@node2 reverseProxy]$ pwd
/home/vagrant/projects/reverseProxy
[vagrant@node2 reverseProxy]$ ls
cert.crt  cert.key  nginx.conf
openssl s_client -showcerts -connect 172.42.42.20:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
[vagrant@node1 ~]$ sudo mkdir -p /etc/docker/certs.d/private.repo.com:5085
[root@node1 vagrant]# openssl s_client -showcerts -connect private.repo.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/private.repo.com:5085/ca.crt
depth=0 CN = 172.42.42.20
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = 172.42.42.20
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
[vagrant@node2 reverseProxy]$ docker run --name ssl-terminator \
    -v /home/vagrant/projects/reverseProxy/nginx.conf:/etc/nginx/nginx.conf:ro \
    -v /home/vagrant/projects/reverseProxy/cert.crt:/etc/ssl/certs/cert.crt:ro \
    -v /home/vagrant/projects/reverseProxy/cert.key:/etc/ssl/certs/cert.key:ro \
    -p 443:443 -p 5085:5085 -p 5086:5086 -p 5087:5087 -d nginx

[vagrant@node2 reverseProxy]$ docker ps
CONTAINER ID   IMAGE                    COMMAND                  CREATED             STATUS             PORTS                                                            NAMES
f5da0212e3e7   nginx                    "nginx -g 'daemon of…"   About an hour ago   Up About an hour   0.0.0.0:443->443/tcp, 80/tcp, 0.0.0.0:5085-5087->5085-5087/tcp   ssl-terminator
b95a11212106   sonatype/nexus3:3.21.2   "sh -c ${SONATYPE_DI…"   3 hours ago         Up 3 hours         0.0.0.0:8081->8081/tcp, 0.0.0.0:8085-8086->8085-8086/tcp         nexus

Run hello-world image

[vagrant@node1 ~]$ docker run private.repo.com:5085/hello-world
Unable to find image 'private.repo.com:5085/hello-world:latest' locally
latest: Pulling from hello-world
Digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a
Status: Downloaded newer image for private.repo.com:5085/hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Push image.

[vagrant@node1 ~]$ docker image tag private.repo.com:5085/hello-world-2:latest private.repo.com:5086/hello-world-2:latest
[vagrant@node1 ~]$ docker push private.repo.com:5086/hello-world-2
The push refers to repository [private.repo.com:5086/hello-world-2]
af0b15c8625b: Preparing
unauthorized: access to the requested resource is not authorized

[vagrant@node1 ~]$ docker login private.repo.com:5086
Username: admin
Password: admin
WARNING! Your password will be stored unencrypted in /home/vagrant/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[vagrant@node1 ~]$ cat /home/vagrant/.docker/config.json
{
    "auths": {
        "private.repo.com:5085": {
            "auth": "YWRtaW46YWRtaW4="
        },
        "private.repo.com:5086": {
            "auth": "YWRtaW46YWRtaW4="
        }
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/19.03.8 (linux)"
    }
}

[vagrant@node1 ~]$ docker push private.repo.com:5086/hello-world-2:latest
The push refers to repository [private.repo.com:5086/hello-world-2]
af0b15c8625b: Pushed
latest: digest: sha256:92c7f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e899a size: 524

[vagrant@node1 ~]$ docker run private.repo.com:5086/hello-world-2
Hello from Docker!
....
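The login warning above is literal: the "auth" values in config.json are just base64 of user:password, and the CA pinning done earlier via /etc/docker/certs.d covers only the exact host:port directory that was created. The script below is an added example, not from the page, that audits a docker client from those two angles: it decodes every stored credential, flags the absence of a credential helper and weak user/password pairs, and reports registries with stored credentials but no matching certs.d directory. The config.json content is the one printed above, embedded as a constructed string, and the certs.d listing is constructed to match what the page created (only private.repo.com:5085).

```python
"""Audit a docker client's stored registry credentials and CA trust directories.

Added example, not from the page. Reads the config.json layout shown on the
page (auths -> base64 "user:password") and the /etc/docker/certs.d/<host:port>/
directory convention dockerd uses to find a registry's ca.crt."""
import base64
import json

# Constructed: the config.json the page prints after docker login.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "private.repo.com:5085": {"auth": "YWRtaW46YWRtaW4="},
        "private.repo.com:5086": {"auth": "YWRtaW46YWRtaW4="},
    },
    "HttpHeaders": {"User-Agent": "Docker-Client/19.03.8 (linux)"},
})

# Constructed: directory names present under /etc/docker/certs.d on node1
# (the page creates only the one for port 5085).
SAMPLE_CERTS_D = ["private.repo.com:5085"]


def decode_auth(entry):
    """Return (username, password) from an 'auths' entry, or None when no
    inline 'auth' value is stored (e.g. a credential helper is in use)."""
    if "auth" not in entry:
        return None
    raw = base64.b64decode(entry["auth"]).decode()
    user, _, password = raw.partition(":")
    return user, password


def audit(config_text, certs_d_dirs):
    """Return a list of findings for the client config; empty means nothing to flag."""
    cfg = json.loads(config_text)
    findings = []
    if "credsStore" not in cfg and "credHelpers" not in cfg:
        findings.append("no credential helper configured: passwords in config.json "
                        "are only base64-encoded, not encrypted")
    for registry, entry in cfg.get("auths", {}).items():
        creds = decode_auth(entry)
        if creds is not None:
            user, password = creds
            findings.append(f"{registry}: plaintext credential stored for user "
                            f"'{user}' ({len(password)} chars)")
            if user == password:   # e.g. the admin:admin pair used on the page
                findings.append(f"{registry}: username equals password")
        if registry not in certs_d_dirs:
            findings.append(f"{registry}: no /etc/docker/certs.d/{registry}/ca.crt; "
                            "dockerd matches that directory by exact host:port, so this "
                            "registry's certificate is verified against the system "
                            "trust store instead of the pinned CA")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_CERTS_D):
        print(finding)
```

On a real host, replace the constructed inputs with the contents of ~/.docker/config.json and os.listdir("/etc/docker/certs.d"). The fix for the first finding is a credential helper ("credsStore": "pass" or "secretservice" on Linux), after which docker login stores no "auth" value and decode_auth returns None for that registry.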
