
Nexus Repository Manager Behind Apache

A Step-by-Step Guide to Securing Nexus Repository with an Apache Reverse Proxy

Nexus Repository Manager is a cornerstone of modern DevOps, providing a centralized and reliable source for your project’s artifacts. While it’s powerful out of the box, running it directly exposed to the internet on its default port (8081) is not ideal for production environments. A far more secure and professional approach is to place it behind an Apache web server acting as a reverse proxy.

This guide will walk you through the process of configuring Apache as a reverse proxy for Nexus Repository. This setup not only enhances security but also simplifies access by allowing you to use standard ports (80/443) and a custom domain name.

Why Use an Apache Reverse Proxy for Nexus?

Placing Nexus behind a reverse proxy is a standard industry best practice for several critical reasons:

  • Enhanced Security: Apache acts as a gatekeeper, handling all incoming traffic. This shields your Nexus application server from direct exposure to potential threats. You can implement security measures like rate limiting and web application firewalls (WAFs) at the Apache level.
  • SSL/TLS Termination: Managing SSL/TLS certificates is simpler and more secure at the web server level. Apache can handle all encryption and decryption, passing unencrypted traffic to Nexus on the backend. This centralizes certificate management, especially if you host multiple services.
  • Centralized Access and Custom Domains: A reverse proxy allows you to serve Nexus from a clean, professional URL (e.g., nexus.yourcompany.com) instead of an IP address with a port number. This makes it easier for users and CI/CD tools to access.
  • Load Balancing and Scalability: In more complex environments, a reverse proxy is the first step toward a high-availability setup, where traffic can be distributed across multiple Nexus instances.

Prerequisites

Before you begin, ensure you have the following:

  • A running instance of Nexus Repository Manager.
  • A server with root or sudo access.
  • Apache (httpd) installed on the same server or a dedicated gateway server.
  • A domain or subdomain name (e.g., nexus.yourdomain.com) pointed to your server’s public IP address.

Step 1: Enable Required Apache Modules

For Apache to function as a reverse proxy, you need to enable a few key modules. On Debian-based systems like Ubuntu, you can do this with the following commands:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_connect
sudo a2enmod headers

If you plan to use SSL/TLS (which you absolutely should), enable the SSL module as well:

sudo a2enmod ssl

After enabling the modules, restart Apache to apply the changes:

sudo systemctl restart apache2

Step 2: Create the Apache Virtual Host Configuration

The core of this setup is the Apache Virtual Host file. This file tells Apache how to handle requests for your Nexus domain. Create a new configuration file in Apache’s sites-available directory.

sudo nano /etc/apache2/sites-available/nexus.conf

Basic HTTP Configuration (Not Recommended for Production)

For testing or internal-only networks, you can start with a basic HTTP configuration. This will proxy requests from port 80 to Nexus running on port 8081.

<VirtualHost *:80>
    ServerName nexus.yourdomain.com

    ProxyRequests Off
    ProxyPreserveHost On

    # The ProxyPass directive is the most crucial part.
    # It forwards requests from the root URL (/) to your Nexus instance.
    ProxyPass / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/

    # Recommended for logging and debugging
    ErrorLog ${APACHE_LOG_DIR}/nexus-error.log
    CustomLog ${APACHE_LOG_DIR}/nexus-access.log combined
</VirtualHost>

Secure HTTPS Configuration (Recommended for Production)

For any production or internet-facing instance, you must use HTTPS to encrypt traffic. This configuration handles SSL/TLS termination and automatically redirects HTTP traffic to HTTPS. Make sure you have your SSL certificate and key files ready (you can get a free one from Let’s Encrypt).

# Redirect HTTP to HTTPS
<VirtualHost *:80>
    ServerName nexus.yourdomain.com
    Redirect permanent / https://nexus.yourdomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName nexus.yourdomain.com

    # SSL Configuration
    SSLEngine On
    SSLCertificateFile /path/to/your/fullchain.pem
    SSLCertificateKeyFile /path/to/your/privkey.pem

    # Proxy Configuration
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/

    # Set headers to let Nexus know it's behind a proxy
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # Logging
    ErrorLog ${APACHE_LOG_DIR}/nexus-error.log
    CustomLog ${APACHE_LOG_DIR}/nexus-access.log combined
</VirtualHost>

Key Directives Explained:

  • ProxyPass: This directive is the heart of the proxy. It maps incoming requests to the backend Nexus server.
  • ProxyPassReverse: This rewrites the Location, Content-Location and URI headers in redirect responses from the backend server. It ensures that if Nexus sends a redirect, the client is sent to the proxy URL, not the internal localhost:8081 address.
  • ProxyPreserveHost: This passes the original Host header from the client to Nexus, which is important for the application to generate correct URLs.
  • RequestHeader: When using HTTPS, these headers inform Nexus that the original connection was secure, which is critical for its proper functioning.
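
The directives above can be checked mechanically before the site is enabled. The shell function below is an added example, not part of the original guide; the name audit_nexus_vhost and the sample vhost are constructed for illustration, and it only inspects the file it is given, not settings inherited from the main server config.

```shell
#!/bin/sh
# Added example (not from the original guide): lint a vhost file for the
# directives this guide depends on. One finding per line; status 0 = clean.
audit_nexus_vhost() {
    awk '
    function report(msg) { printf "vhost :%s: %s\n", port, msg; bad++ }
    function finish_vhost() {
        if (!pass) return                       # not a proxying vhost
        if (port == "80")
            report("proxies to Nexus over plain HTTP; redirect to HTTPS instead")
        if (preq == "on")
            report("ProxyRequests On enables forward proxying; set it to Off")
        if (rev != pass)
            report("ProxyPassReverse does not mirror ProxyPass (" pass ")")
        if (port == "443" && !ssl)
            report("SSLEngine On is missing")
        if (port == "443" && !xfp)
            report("X-Forwarded-Proto \"https\" is not set")
    }
    { d = tolower($1) }                         # directive names are case-insensitive
    d ~ /^#/ || NF == 0 { next }
    d == "<virtualhost" { port = $2; sub(/.*:/, "", port); sub(/>.*/, "", port)
                          pass = rev = preq = ""; ssl = xfp = 0; next }
    d == "</virtualhost>"   { finish_vhost(); next }
    d == "proxyrequests"    { preq = tolower($2) }
    d == "proxypass"        { pass = $2 " " $3 }
    d == "proxypassreverse" { rev  = $2 " " $3 }
    d == "sslengine"        { ssl = (tolower($2) == "on") }
    d == "requestheader" && tolower($3) == "x-forwarded-proto" { xfp = ($4 ~ /https/) }
    END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample: the HTTPS vhost from this guide with the forwarded-proto
# header left out and ProxyPassReverse pointing at a different backend string.
SAMPLE='<VirtualHost *:443>
    SSLEngine On
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8081/
    ProxyPassReverse / http://localhost:8081/
</VirtualHost>'
printf '%s\n' "$SAMPLE" | audit_nexus_vhost || echo "fix the findings above"
```

Against a real file, pass the path as an argument, for example audit_nexus_vhost /etc/apache2/sites-available/nexus.conf, and run it before apache2ctl configtest.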

Step 3: Enable the New Site and Restart Apache

Once you’ve saved your configuration file, you need to enable the new site and restart Apache for the changes to take effect.

# Enable the new virtual host
sudo a2ensite nexus.conf

# Test the configuration for syntax errors
sudo apache2ctl configtest

# If syntax is OK, restart Apache to apply all changes
sudo systemctl restart apache2

After Apache restarts, you should be able to access your Nexus Repository Manager by navigating to https://nexus.yourdomain.com in your browser.

Final Security Tip: Restrict Direct Access

For a truly secure setup, configure your firewall to block public access to Nexus on port 8081. The only entry point should be through Apache on ports 80 and 443. This prevents attackers from bypassing your Apache proxy and targeting the Nexus application server directly.

On a Linux server using ufw (Uncomplicated Firewall), the commands would look like this:

# Allow Apache traffic
sudo ufw allow 'Apache Full'

# Deny all incoming traffic to port 8081
sudo ufw deny 8081

# Make sure the firewall is enabled
# (on a server you administer over SSH, confirm an SSH allow rule exists first)
sudo ufw enable
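
To confirm what the firewall rule is actually protecting, check how the Nexus port is bound on the host. The function below is an added example, not part of the original guide; nexus_bind_state and the sample socket list are constructed, and it assumes the column layout of `ss -ltnH`.

```shell
#!/bin/sh
# Added example (not from the original guide): classify how the Nexus port is
# bound, reading `ss -ltnH` output on stdin. Prints one of:
#   loopback-only | non-loopback | not-listening
nexus_bind_state() {
    awk -v port="${1:-8081}" '
    {
        addr = $4                                # "Local Address:Port" column
        n = split(addr, parts, ":")
        if (parts[n] != port) next               # some other listener
        host = substr(addr, 1, length(addr) - length(port) - 1)
        seen = 1
        if (host !~ /^127\./ && host != "[::1]" && host !~ /^\[::ffff:127\./)
            exposed = 1                          # wildcard or routable address
    }
    END { print (exposed ? "non-loopback" : (seen ? "loopback-only" : "not-listening")) }
    '
}

# Constructed sample of `ss -ltnH` output: Apache on 80/443, Nexus on the wildcard.
SS_SAMPLE='LISTEN 0 511  0.0.0.0:80   0.0.0.0:*
LISTEN 0 511  0.0.0.0:443  0.0.0.0:*
LISTEN 0 50   *:8081       *:*'

state=$(printf '%s\n' "$SS_SAMPLE" | nexus_bind_state 8081)
echo "Nexus port 8081: $state"
[ "$state" != "non-loopback" ] || echo "only the ufw rule keeps 8081 private"
# On a live host: ss -ltnH | nexus_bind_state 8081
```

A non-loopback result is expected when Apache runs on a dedicated gateway server; when both run on one host, as in the ProxyPass lines of this guide, it means the deny rule is the only barrier in front of 8081.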

By following these steps, you have successfully fortified your Nexus Repository, placing it behind a robust and secure Apache reverse proxy. This professional configuration protects your software supply chain and provides a seamless experience for your development teams.

Source: https://kifarunix.com/run-nexus-repository-manager-behind-apache-reverse-proxy/
