Nexus with SSL/TLS and Nginx Rev-Proxy over Docker
Linkedin: https://www.linkedin.com/in/shashanksharma-devops/
Twitter: https://twitter.com/shankysharma86
GitHub Repo: https://github.com/shankysharma86/nginx-nexus-docker.git
In today's video we will cover the Nexus3 repository with Nginx serving as a reverse proxy in front of Nexus and holding the SSL certificate. This is a well-known architecture, and yet I had to go through several blogs and technical write-ups to get it implemented. That gave me the thought that maybe I should come up with a solution that is easier to implement. So this is our architecture and flow: we will spin up Nginx and Nexus3 Docker containers. At the front is the nginx container, which holds the SSL certificate to ensure our Nexus3 repo is accessible over a secure protocol (HTTPS), and then we will create Docker registries, proxy as well as hosted. The proxy repo will be backed by Docker Hub, so any pull request made to the Docker proxy registry will be forwarded to Docker Hub if the requested Docker image is missing from the proxy.
Alright, so in summary the goal is to spin up a Nexus repo Docker container with SSL certificates and to implement Docker proxy and hosted registries in Nexus3.
From a learning perspective we will learn openssl and the generation of self-signed certificates. Now the good news is that for steps 1, 2 & 3 I have prepared an automation for you, but the even better news is that we will take a deeper look at the automation, so in case you need to, you can modify it according to your requirements.
Alright, so switching over to the GitHub repository to take a look at the automation. Here we have the NginX folder, which contains the Dockerfile and the nginx.conf file; then we have the scripts folder, where we can find the shell scripts; and finally the docker compose YAML file.
So let's take a look at the scripts folder and the nexusnginxproxy shell script. At line 4 openssl is generating the root key; here we are assuming that our system does not already have a root certificate, so we generate the root key at line 4, and then at line 7 we generate the root certificate with a few details such as the geographic region in which you are creating this cert, the CN set as a local certificate, the validity of our root certificate in days, etc. If you notice, all certs go into the certs directory.

At lines 10 and 16 we decide whether the operating system is Linux or macOS. Depending on the operating system, we execute the steps that add the root certificate to our machine's trusted root store.

At lines 27 and 28 we generate the private key and the certificate for our Nexus repository. Again, note that the certificates go into the certs directory, and we pass specific information such as the DNS name localhost, the validity of the certificate, the Subject Alt Name, etc. So now we have added the root certificate as a trusted certificate on our machine and have also generated the Nexus private key as well as the Nexus certificate. After this, we change our current directory to nginx to copy the certs into the Docker build context, from which we will create the Nginx image. Finally, we execute docker compose to bring our Nginx and Nexus3 containers up and into a running state.

Moving to the Nginx directory, we see the Dockerfile and the Nginx configuration file. Looking at the Dockerfile, we build our image from the Nginx Alpine base, make a directory inside the image, copy the Nexus private key and certificate into it, and finally copy our configuration file for the Nginx server.
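The certificate steps narrated above, written out as an added example script (this is not the nexusnginxproxy script from the repository). It assumes an output directory ./certs and constructed subject names (Local Root CA, localhost); the root CA gets explicit CA:TRUE and keyCertSign extensions so it is a valid trust anchor regardless of the host's default openssl.cnf, and the server certificate carries the SAN, which is what browsers and the docker CLI actually match the hostname against. The trust_cmd function prints the OS-specific command for the Linux/macOS branch rather than running it.

```shell
#!/bin/sh
# Added example, not the repository's script: local root CA plus a SAN
# certificate for the nginx endpoint. Assumed values: ./certs output dir,
# subject names "Local Root CA" and "localhost".
set -eu

CERT_DIR="${CERT_DIR:-./certs}"

# Minimal openssl config for the root CA. CA:TRUE and keyCertSign are what
# make the certificate usable as a trust anchor.
ca_config() {
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    '[dn]' 'C = US' 'O = Local Dev CA' 'CN = Local Root CA' \
    '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash'
}

# Config for the server CSR (subject only; the SAN is attached at signing time).
server_config() {
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
    '[dn]' 'C = US' 'O = Local Dev' 'CN = localhost'
}

# Extensions applied when the CA signs the server certificate. Clients match
# the hostname against the SAN, not the CN.
server_ext() {
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    'subjectAltName = DNS:localhost, IP:127.0.0.1'
}

# Given the output of `uname -s`, print the command that installs the root
# certificate into the OS trust store (the Linux/macOS decision in the script).
trust_cmd() {
  case "$1" in
    Linux)  echo "sudo cp $CERT_DIR/rootCA.crt /usr/local/share/ca-certificates/local-root-ca.crt && sudo update-ca-certificates" ;;
    Darwin) echo "sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain $CERT_DIR/rootCA.crt" ;;
    *)      echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}

gen_certs() {
  mkdir -p "$CERT_DIR"
  ca_config     > "$CERT_DIR/ca.cnf"
  server_config > "$CERT_DIR/server.cnf"
  server_ext    > "$CERT_DIR/server.ext"
  # 1. Root key and self-signed root certificate (long-lived; keep the key offline).
  openssl genrsa -out "$CERT_DIR/rootCA.key" 4096
  openssl req -x509 -new -sha256 -days 3650 -key "$CERT_DIR/rootCA.key" \
    -config "$CERT_DIR/ca.cnf" -out "$CERT_DIR/rootCA.crt"
  # 2. Server key and CSR for the Nexus/nginx endpoint.
  openssl genrsa -out "$CERT_DIR/nexus.key" 2048
  openssl req -new -key "$CERT_DIR/nexus.key" -config "$CERT_DIR/server.cnf" \
    -out "$CERT_DIR/nexus.csr"
  # 3. Sign with the root CA, attaching the SAN; a leaf gets a short validity.
  openssl x509 -req -sha256 -days 397 -in "$CERT_DIR/nexus.csr" \
    -CA "$CERT_DIR/rootCA.crt" -CAkey "$CERT_DIR/rootCA.key" -CAcreateserial \
    -extfile "$CERT_DIR/server.ext" -out "$CERT_DIR/nexus.crt"
  # 4. Verify the chain before the files are copied into the nginx build context.
  openssl verify -CAfile "$CERT_DIR/rootCA.crt" "$CERT_DIR/nexus.crt"
}

if [ "${1:-}" = "generate" ]; then
  gen_certs
  echo "Trust the root CA with:"
  trust_cmd "$(uname -s)"
fi
```

Run it as `sh gen-certs.sh generate`; only nexus.key and nexus.crt need to go into the nginx build context, and rootCA.key should stay out of the image entirely. Note that copying a private key into an image bakes it into a layer that anyone who can pull the image can read, so for anything beyond a local lab, mounting the certs directory as a volume is the safer choice.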
Looking at the configuration file, inside the http block we set ssl to on so Nginx can accept HTTPS requests, then we set the ssl_certificate and ssl_certificate_key values to absolute paths within the container. If you remember, we provided these same paths in the Dockerfile for the certificate and the private key. Now, scrolling down, the nginx server is listening on port 443, and we set proxy_pass to HTTP Nexus-repo on port 8081 (8081 is the default port used by Nexus). So basically, nginx is set to listen on 443, and any request arriving on 443 is proxied to Nexus-repo:8081. Nexus-repo is going to be the container name for the Nexus3 repository. Similarly, when the server listens on port 6666 it proxies the request to Nexus container port 5555, and requests on 7777 are proxied to 4444. It is important that we keep the Host header forwarded from $http_host via proxy_set_header whenever you create a Docker registry.
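As an added example (not the repository's nginx.conf), the following script renders the reverse-proxy configuration described above for all three listeners and lints a config for the settings that commonly break docker push and pull through nginx. Assumed names: the upstream container is nexus-repo and the certificates live under /etc/nginx/certs/ in the image. It puts TLS on the listener with `listen <port> ssl;` instead of a standalone `ssl on;`, because that directive was deprecated in nginx 1.15.0 and removed in 1.25.1, so a config using it fails `nginx -t` on current images.

```shell
#!/bin/sh
# Added example, not the repository's nginx.conf. Assumed names: upstream
# container nexus-repo, certificates under /etc/nginx/certs/.
set -eu

# One TLS server block: listens on $1, proxies to nexus-repo:$2.
server_block() {
  listen_port="$1"
  upstream_port="$2"
  cat <<EOF
    server {
        listen ${listen_port} ssl;      # TLS belongs on the listener (standalone 'ssl' directive is gone in 1.25.1)
        server_name localhost;
        ssl_certificate     /etc/nginx/certs/nexus.crt;
        ssl_certificate_key /etc/nginx/certs/nexus.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        client_max_body_size 0;         # image layers exceed the 1m default body limit
        chunked_transfer_encoding on;
        location / {
            proxy_pass http://nexus-repo:${upstream_port};
            proxy_set_header Host              \$http_host;   # Nexus builds registry URLs from this
            proxy_set_header X-Real-IP         \$remote_addr;
            proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;        # tells Nexus the client arrived over TLS
            proxy_read_timeout 900;
        }
    }
EOF
}

# Full config: UI/API 443 -> 8081, docker proxy 6666 -> 5555, docker hosted 7777 -> 4444.
render_conf() {
  cat <<EOF
events { worker_connections 1024; }
http {
$(server_block 443 8081)
$(server_block 6666 5555)
$(server_block 7777 4444)
}
EOF
}

# Lint a config file: prints one finding per line, returns 1 if any were found.
lint_conf() {
  conf="$1"
  rc=0
  if grep -Eq '^[[:space:]]*ssl[[:space:]]+on;' "$conf"; then
    echo "finding: 'ssl on;' is deprecated; use 'listen <port> ssl;'"; rc=1
  fi
  if ! grep -Eq 'listen[^;]*[[:space:]]ssl;' "$conf"; then
    echo "finding: no TLS listener ('listen <port> ssl;')"; rc=1
  fi
  if ! grep -Eq 'proxy_set_header[[:space:]]+Host[[:space:]]+\$http_host' "$conf"; then
    echo "finding: Host header not forwarded (proxy_set_header Host \$http_host)"; rc=1
  fi
  if ! grep -q 'client_max_body_size' "$conf"; then
    echo "finding: client_max_body_size unset; large layers will get HTTP 413"; rc=1
  fi
  if ! grep -q 'ssl_protocols' "$conf"; then
    echo "finding: ssl_protocols unset; restrict to TLSv1.2 TLSv1.3"; rc=1
  fi
  return $rc
}

if [ "${1:-}" = "render" ]; then
  render_conf
fi
```

Use `sh render-nginx.sh render > nginx/nginx.conf` to produce the file for the build context, and run `nginx -t` inside the container once the certificate files are in place (the syntax check also tries to load the certificate, so it fails before the certs exist). The lint function can be pointed at an existing nginx.conf to catch the two things that most often go wrong with a Docker registry behind nginx: the missing Host header, which makes Nexus generate wrong redirect URLs, and the default 1m body limit, which rejects layer uploads.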