Nexus OSS insists on combining http with 443 port

Hi community,

Nexus insists on the repository URL http://my.domain:443, which is obviously wrong because the TLS endpoint expects a hand-shaking dance while the client request starts as plain HTTP.

Before I get into boring details, does anybody know how to enforce the correct repository URL? Any of “http” → “https” or port removal would help (and work).

I tried:

  • Base URL Capability (but that’s only for emails, otherwise completely ignored)
  • X-Forward-Proto: “https”, but that’s obviously not going to help with new requests
  • enforcing https in the Nexus configuration (even removing http listener) did not change anything

Setup:

It affects all repositories, but (it seems that) only NPM is seriously affected, due to the metadata response from the repository, which insists on packages located at the repository URL using the wrong protocol:port combination http://my.domain:443/repository/npm./../artifact.tgz :frowning:

Any ideas anybody, please? :wink:

UPDATE1: The problem also affects fresh installations!
UPDATE2: Using ALB instead of nginx-ingress (with whatever ELB in front of it) makes Nexus deduce the correct URL (https://my.domain/). But that costs us an extra load balancer…

  • X-Forward-Proto: “https”, but that’s obviously not going to help with new requests

That is the correct solution. It will work for new requests, because it is an inbound header.

See here for examples:

https://help.sonatype.com/display/NXRM3/Run+Behind+a+Reverse+Proxy#RunBehindaReverseProxy-Example:ReverseProxySSLTerminationatBasePath

Rich

It does not help because the NPM repository insists on the wrong URL. Npm@6 does not care and uses the configured repository URL (that was our temporary workaround), but Npm@8 uses the repository URL just for contacting the server and then resolves packages to the wrong URL which Nexus reports (http://domain:443) and which is unreachable.

The request header does not change the server response.

If it helped, I would not have reported it and asked for help, but thanks for your reply anyway :wink: If it is possible, please try it and you will see the situation is unresolvable unless there is a way to change the URL reported by Nexus.

I figured it out and @rseddon was right. I previously tried only the “X-Forward-Proto”, which didn’t help at that time for some reason. After I had a working workaround with ALB, I gave it another try with a few adjustments, and here is a working configuration (it might work even without upgrading to the latest ingress-nginx, I just wanted to rule out anything related to the outdated ingress-nginx).

  1. ingress-nginx update to the latest version which still supports k8s 1.21: ingress-nginx/deploy.yaml at controller-v1.3.1 · kubernetes/ingress-nginx · GitHub
  2. Nexus Helm values with nginx annotations transformed from NXRM3/Run+Behind+a+Reverse+Proxy into a configuration snippet as follows:
---
ingress:
  enabled: true
  ingressClassName: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "Host: $host";
      more_set_headers "X-Real-IP: $remote_addr";
      more_set_headers "X-Forwarded-For: $proxy_add_x_forwarded_for";
      more_set_headers "X-Forwarded-Proto: \"https\"";
  hostPath: /

Nexus repositories now show the correct URL as expected.
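
A check one could run against the npm metadata response to confirm the fix, as an added example that is not part of the original thread or of Nexus itself: it flags `dist.tarball` URLs that are not HTTPS or whose origin differs from the configured registry URL. The sample response, the `npm-example` repository name and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an npm metadata (packument) response shaped like the one
# described in the thread; the repository name, package and versions are made up.
BASE = "my.domain/repository/npm-example/artifact/-/artifact-"
SAMPLE_PACKUMENT = json.dumps({
    "name": "artifact",
    "versions": {
        "1.0.0": {"dist": {"tarball": "http://my.domain:443/" + BASE.split("/", 1)[1] + "1.0.0.tgz"}},
        "1.0.1": {"dist": {"tarball": "https://" + BASE + "1.0.1.tgz"}},
    },
})
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, effective port) for a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def check_tarball(url, registry_url):
    """List the problems with one dist.tarball URL relative to the registry URL."""
    problems = []
    scheme, host, port = origin(url)
    if scheme != "https":
        problems.append("not https")
    if scheme == "http" and port == 443:
        problems.append("plain http on TLS port 443")
    if (scheme, host, port) != origin(registry_url):
        problems.append("origin differs from configured registry")
    return problems

def audit_packument(text, registry_url):
    """Map version -> problems for every version whose tarball URL is suspect."""
    findings = {}
    for version, meta in json.loads(text).get("versions", {}).items():
        problems = check_tarball(meta.get("dist", {}).get("tarball", ""), registry_url)
        if problems:
            findings[version] = problems
    return findings

if __name__ == "__main__":
    registry = "https://my.domain/repository/npm-example/"
    for version, problems in audit_packument(SAMPLE_PACKUMENT, registry).items():
        print(version, "; ".join(problems))
```

An empty result means every tarball URL in the metadata shares the scheme, host and port of the registry URL the client was configured with.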