Is it possible to accept anonymous access only from a private network?

we are using nexus3 to host build artifacts. We want to use nexus to provide these artifacts to our customers. We are now facing a problem: currently nexus accepts unauthenticated (anonymous) requests (the actual setup is a bit more complicated). We do not want to change this, since this is a huge relief for the developers. However this would be unacceptable when requested from outside our vpn.

Is it generally possible to accept anonymous request only from a specific network interface, ip address range or protocol (http vs https)?

If not what are best practices to secure access from the internet while giving anonymous access to a private network?

There is no way to do what you are suggesting from nxrm directly, but perhaps you could make use of RUT auth to automatically log in connections from your private network as a particular user somehow? RUT auth looks for a header that contains the username to use, which could be your anonymous user Authentication via Remote User Token. Basically you could intercept requests from your private network (via nginx or similar) then add the request header for a “developer user” and log them in so they don’t have to manually login. Once that’s working you can just disable anonymous access. The downside to this approach is that if someone knows the header name you are using, they can skip all authentication and log themselves in as any user by passing whatever header they wish, but you could probably configure nginx to strip off that header from being passed in manually.

Thank you, that is a nice possibility we will definitively look into.