Nexus Docker Hub Proxy help needed

Hi,
I’m having trouble getting Nexus Docker Hub proxy to work. I have successfully created proxies in Nexus previously for apt, yum and pypi repositories without any difficulty but am struggling with this one. My Nexus instance runs on a dedicated server VM on port 8083. I have configured the docker-hub proxy using the Nexus web GUI exactly as per ‘minimal’ guidance in Proxy Repository for Docker and called it docker-hub-proxy. This creates a proxy which I can see in Nexus with address http://<MY_NEXUS_SERVER>:8083/repository/docker-hub-proxy/ and which is shown as ‘online’. I left all other configuration options not mentioned in Proxy Repository for Docker to their default values (haven’t configured any connectors etc.).

On my client host I have then added in /etc/docker/daemon.json an insecure-registries and registry-mirrors entry

{
"insecure-registries": ["<MY_NEXUS_SERVER>:8083"],
"registry-mirrors": ["http://<MY_NEXUS_SERVER>:8083"]
}

and restarted the docker daemon after which I can see the entries have been created for insecure-registries and registry-mirrors when I run docker info on the client machine.

I then try and run e.g.,

docker pull <MY_NEXUS_SERVER>:8083/hello-world

but it doesn’t succeed.

Running sudo journalctl -fu docker whilst doing this I can see that the client docker daemon first tries to pull the image from https://<MY_NEXUS_SERVER>:8083, which fails with error message ‘http: server gave HTTP response to HTTPS client’. It then tries to pull from http://<MY_NEXUS_SERVER>:8083, but then just hangs.

I’d really appreciate some help. I am running Sonatype Nexus Repository COMMUNITY 3.78.1-02 (using the Docker image provided by Sonatype) on an Ubuntu 22.04 VM and an Ubuntu 22.04 docker client.

Docker assumes remote registries are running https. Since you haven’t set up https yet, try adding “--insecure-registry” flag to the docker pull command.

Thanks a lot. However, I already have an entry for the insecure-registry in the daemon.json file. I tried what you suggested but if I run dockerd pull --insecure-registry, I see exactly the same failure as I described in the initial post, when I configured the insecure-registries element in the daemon.json. In fact, it first complained that the --insecure-registry option was duplicating/conflicting with the entry in the daemon.json file so I had to temporarily rename the latter. So it seems that --insecure-registry option to dockerd command is just an alternative way of doing the same thing as was already being set in the daemon.json file and doesn’t fix the problem. Unfortunately I’m still not any further forward.

Hi,
Can anyone else help with this?

Thanks!

Hi, Rich,
I’ve just come back to this again and am still struggling (despite having tried to read through the Nexus documentation about repository connectors, reverse proxies etc. in https://support.sonatype.com/hc/en-us/articles/115013153887-Docker-Repository-Configuration-and-Client-Connection#Auth and SSL and Repository Connector Configuration etc.).

So I was wondering if you could help me.

The URL of my Nexus server is http://<MY_NEXUS_SERVER>:8083

FWIW, I have previously successfully created apt, PyPI and yum proxy repositories in Nexus, which have respectively URLs:

http://<MY_NEXUS_SERVER>:8083/repository/ubuntu-noble-proxy/

http://<MY_NEXUS_SERVER>:8083/repository/pypi-proxy

http://<MY_NEXUS_SERVER>:8083/repository/yum-proxy/

That was straightforward and these proxies all work fine. I just had to edit the relevant client configuration files as per the suggestions in the Nexus online documentation, for these proxy repository types, to point them at these URLs. It all worked pretty much out of the box first time, which was great!

Now for Docker the URL of my proxy repository in Nexus is http://<MY_NEXUS_SERVER>:8083/repository/docker-hub-proxy/

I haven’t created any repository connectors, and all of the other configuration options I have just left as default too.

In my /etc/docker/daemon.json on my Ubuntu 24.04 client VM, I just have an entry

{ "insecure-registries": ["<MY_NEXUS_SERVER>:8083"] }

that is I have set the insecure registry address:port to be the same as Nexus host address:port and when I run docker info I see

 Insecure Registries:
  srv-uv-nexus.mac.local:8083

I am not using a reverse proxy, or anything else. There is basically just Docker on my client VM trying to talk to the Nexus on another VM.

I just try to run docker as follows:

docker pull <MY_NEXUS_SERVER>:8083/hello-world

which fails. However, I’m not even sure that this address makes sense (since full URL of repository is http://<MY_NEXUS_SERVER>:8083/repository/docker-hub-proxy/), or if I have set things up correctly.

I read that Docker does not support the use of a context to specify the path to the repository, which suggests that you might need to use a connector with a reverse proxy to get around the context in the Nexus proxy URL. Is that in fact the case? The Nexus/Docker documentation seems to present many different alternatives and to be honest is a little confusing, when I really just want to start simple, with the simplest set up I can have out of the box, ideally just using the proxy as an insecure registry as I’ve tried to.

Is there not a way to get this working for Docker, without having to configure connectors and consider/understand all the options in https://support.sonatype.com/hc/en-us/articles/115013153887-Docker-Repository-Configuration-and-Client-Connection#Auth , for example.

Cheers,
Tom

Hi, for your Docker repository in Nexus you should set the connector port in the repository configuration. Then when using Docker to access Nexus you would need to use the port defined in the configuration.

Historically Docker did not support registries which were not at the root (/) of the server so one of our solutions is to allow users to expose a repository on a particular port.

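The point above about registries having to sit at the root of the server, as an added example that is not part of the original thread and is not Sonatype's or Docker's code: a simplified Python model of how the Docker client splits an image reference and builds the Registry API v2 manifest URL. The host name nexus.example and the connector port 8084 are constructed placeholders, and digest references are not handled.

```python
# Added example: simplified model of Docker image reference resolution.
# nexus.example and port 8084 are constructed placeholders, not from the thread.

DEFAULT_REGISTRY = "registry-1.docker.io"


def split_reference(ref):
    """Return (registry, repository, tag) for an image reference."""
    first, _, rest = ref.partition("/")
    # The first component is a registry host only if it contains '.' or ':'
    # or is 'localhost'; otherwise the image is looked up on Docker Hub.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, remainder = first, rest
    else:
        registry, remainder = DEFAULT_REGISTRY, ref
    # A tag is a ':' that appears after the last '/'.
    name, tag = remainder, "latest"
    if ":" in remainder.rsplit("/", 1)[-1]:
        name, tag = remainder.rsplit(":", 1)
    if registry == DEFAULT_REGISTRY and "/" not in name:
        name = "library/" + name  # official images live under library/
    return registry, name, tag


def manifest_url(ref, insecure_registries=()):
    """URL requested for the manifest. /v2/ always follows the host directly.

    For a host listed in insecure-registries the client tries HTTPS first and
    then falls back to plain HTTP; the fallback URL is what is returned here.
    """
    registry, name, tag = split_reference(ref)
    scheme = "http" if registry in insecure_registries else "https"
    return f"{scheme}://{registry}/v2/{name}/manifests/{tag}"


if __name__ == "__main__":
    insecure = ("nexus.example:8083", "nexus.example:8084")
    for ref in (
        "hello-world",
        "nexus.example:8083/hello-world",
        # Everything after the host becomes the repository name, so the
        # Nexus context path can never be placed in front of /v2/.
        "nexus.example:8083/repository/docker-hub-proxy/hello-world",
        "nexus.example:8084/hello-world:1.0",
    ):
        print(f"{ref:60} -> {manifest_url(ref, insecure)}")
```

Whatever is written after the host ends up behind `/v2/`, so no request ever falls under the `/repository/docker-hub-proxy/` prefix shown in the Nexus GUI; a connector port gives the repository its own root.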

Thank you very much. That makes sense and I have that configuration now. I think the documentation is a little confusing/incomplete, if you want a setup as simple as this.

Unfortunately, having got to this stage, I now discover that the Nexus Docker repositories feature is currently broken as per issue https://github.com/sonatype/nexus-public/issues/565 and I too see the unsupported protocol scheme "null" problem reported in the ticket.

Bit of a show stopper as I can’t roll back to the earlier tag before the problem was introduced because of database incompatibility. Ah well, I’ll look forward to the fix release in June!

Thanks again for your help, it is much appreciated.

I created a temporary Nexus server container from version 3.76-1 image (isolated from our production Nexus server container on different ports and with a different name and volume) just to test whether my DockerHub proxy configuration works and it does, which is great news for me. However, it would be really good to have the fix for Docker proxy in a new Nexus image release very soon.