NEXUS OSS 2-14-18 Reverse Proxy + F5 Load Balancer

Sonatype Support Community,
Hello and good morning.
I am please looking for advice on something very specific.
Concerns F5 Load Balancer + APACHE REVERSE PROXY + NEXUS OSS.
Thanks to anyone who can offer advice.
Thanks in advance.
John Dove

SEE BELOW, 1-3

########
######## 1 – BACKGROUND
########

My name is John Dove.
I work for New York State (John.Dove@its.ny.gov).
I am building a NEXUS OSS "test environment"
TEST environment only.
Using:

	Nexus OSS 2-14-18-01,
	Apache Web Server 2.4.6,
	F5 Load Balancer (industry technology)


I have CORRECTLY installed Nexus OSS.
I have CORRECTLY installed Apache Web Server.
I am running both of them on the same Linux machine: "Redhat Enterprise Linux 7.8 (Maipo)"
This Linux machine is very powerful:
	62 GB RAM, 
	32 CPUs,
	dedicated "nexus" user for running Nexus as service via SYSTEMD init manager,
	extended the # of open file handles allowed for "nexus" user,
	Java 1.8 

########
######## 2 – THE PROBLEM
########

"client browser -> F5 Load Balancer -> Apache HTTP (reverse proxy) -> Nexus"

Notice the F5 Load Balancer.

########
######## 3 – TESTING RESULTS
########

THESE WORK SUCCESSFULLY

	"client browser  to->  Nexus" directly
	"client browser  to->  Apache HTTP (reverse proxy)  to->  Nexus"

	I have read sonatype online docs on Reverse Proxy setup.
	I believe I have set up apache rev. proxy successfully.
	NO virtual host; just a simple Location element with ProxyPass/ProxyPassReverse.
	** SEE  johndove__HTTPD.CONF_revProxy_used.PNG



AND THIS FAILS, using F5 Load Balancer for hitting nexus:   https://pscnexus-test.its.ny.gov/nexus/

	"client browser -> ***F5 Load Balancer*** -> Apache HTTP (reverse proxy) -> Nexus"

	NEXUS web page shows empty fields in all **repository configuration** screens.
	NEXUS cannot identify its own repositories.
	NEXUS appears to stop working internally.
	NEXUS logs show NO errors.
	** SEE:  fails__browser__pic1.PNG
	** SEE:  fails__browser__pic2.PNG

	Apache ERROR_LOG

	[Wed Nov 04 13:24:32.327219 2020] [proxy_http:error] [pid 27705] (70007)
	The timeout specified has expired: [client 10.77.62.60:17598]                
	AH01102: error reading status line from remote server 10.108.189.135:8081,    <==== nexus
	referer: https://pscnexus-test.its.ny.gov/nexus/                             <====  F5 Loadbalancer URL

	[Wed Nov 04 13:24:32.327482 2020] [proxy:error] [pid 27705] [client 10.77.62.60:17598]
	AH00898: Error reading from remote server returned by /nexus/service/local/lvo/nexus-oss/2.14.18-01, 
	referer: https://pscnexus-test.its.ny.gov/nexus/       <====  F5 VIP URL

None of your images are present… but did you set: RequestHeader set X-Forwarded-Proto "https"

That will be needed if SSL is terminated in apache.

Hi Rich,

Thanks for the reply.

See below, 1-3.

~ John

1

We reduced the problem:

Apache (Reverse Proxy) has been completely removed from the equation.

F5 VIP is pointing directly at NEXUS Jetty 8081.

Still seeing same connectivity problems.

This looks like a VIP only problem.

I will work with F5 VIP team on my side.

I will keep the SONATYPE COMMUNITY online thread updated too.

2

For your own reference. What I am seeing. See attached.

LOGS are from /nexus/sonatypework/nexus.logs

http://links.sonatype.com:80 ERRORS since the NYS FIREWALL is blocking them – FYI – expected.

3

FYI

F5 VIP takes incoming HTTPS requests and forwards them as pure HTTP.

So when Apache got the requests, the requests were already pure HTTP.

Unsure if X-Forwarded-Proto is needed?

(Attachment nexus.log is missing)

(Attachment request.log is missing)

F5 VIP takes incoming HTTPS requests and forwards them as pure HTTP.

So when Apache got the requests, the requests were already pure HTTP.

Unsure if X-Forwarded-Proto is needed?

Yes, it is needed. Without that, URLs returned from Nexus Repo will not have the correct http protocol. You'll need to configure F5 to send that header.

Rich
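
An added illustration of the point in the reply above, not part of the thread and not Nexus's own code: a backend behind a TLS-terminating load balancer only sees plain HTTP, so it has to take the scheme for the links it generates from X-Forwarded-Proto, and it should honor that header only when the request comes from the proxy. The function name, the trusted network and the peer addresses are constructed assumptions; the host name is the one from the thread.

```python
import ipaddress

# Assumption: network of the load balancer / reverse proxy that is allowed to
# assert the original scheme. Constructed value, not taken from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]


def _from_trusted_proxy(peer_ip):
    """True when the TCP peer is one of the configured proxies."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def external_base_url(peer_ip, headers, local_scheme="http", context_path="/nexus"):
    """Return the base URL a backend would put into the links it generates."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme = local_scheme  # what the backend sees on its own socket
    host = hdrs.get("host", "localhost")
    if _from_trusted_proxy(peer_ip):
        # If several hops appended values, the last one was written by the
        # directly connected (trusted) proxy; earlier ones may be client-supplied.
        proto = hdrs.get("x-forwarded-proto", "").split(",")[-1].strip().lower()
        if proto in ("http", "https"):  # ignore anything else
            scheme = proto
    return f"{scheme}://{host}{context_path}/"


if __name__ == "__main__":
    host = {"Host": "pscnexus-test.its.ny.gov"}
    # Load balancer terminates TLS but sends no header: links come back as http.
    print(external_base_url("10.0.0.5", host))
    # Load balancer sends the header: links match what the browser used.
    print(external_base_url("10.0.0.5", {**host, "X-Forwarded-Proto": "https"}))
    # Same header from an address that is not the proxy: ignored.
    print(external_base_url("203.0.113.9", {**host, "X-Forwarded-Proto": "https"}))
```
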

Ok.

Thanks, Rich.

I’ll mention that to the F5 team.

Thanks.

I just wanted to say thanks for the quick help on this, Rich.
Glad this community is here.
Appreciated.

Spoke with the F5 Team on my side… in their court now.
They are aware of the X-FORWARDED setting.
Will keep this thread updated for awareness (good or bad).
Assuming I should be good at this point.

Thanks again.
~ John Dove