Can't pull from Nexus behind nginx - HTTP response to HTTPS client

I’m having trouble pulling from a Nexus-hosted Docker repository (“my-repo”) directly on RHEL 9 behind nginx, which is configured to listen on 443 with SSL, server_name my-repo.my-domain[dot]com.

This is my nginx.conf:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    proxy_send_timeout 120;
    proxy_read_timeout 300;
    proxy_buffering off;
    keepalive_timeout 5 5;
    tcp_nodelay on;

    # server blocks must sit inside the http block
    server {
        listen 443 ssl;
        server_name my-repo.my-domain.com;

        ssl_certificate /etc/pki/tls/certs/my-repo.my-domain.com.crt;
        ssl_certificate_key /etc/pki/tls/private/my-repo.my-domain.com.key;

        # General proxy for the Nexus web interface
        location / {
            proxy_pass http://127.0.0.1:8081;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Proxy for Docker registry API (v2)
        location /v2/ {
            proxy_pass http://127.0.0.1:8081/repository/repo/;  # this was set according to the repo path in the web interface
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Connection keep-alive;
        }
    }
}

and this is my nexus.properties:

nexus-host=0.0.0.0
nexus.http.port=8081
nexus.https.port=

(I previously tried with just nexus-host=0.0.0.0 and nexus.port=8081 with similar results)

Certs from our CA were generated and are in /etc/pki/tls/certs/my-repo.my-domain.com.crt
and /etc/pki/tls/private/my-repo.my-domain.com.key

Anonymous pull is enabled.
I can browse to the web interface of the repo at its server name and log in.

I can docker log into the repo via docker login my-repo.my-domain[dot]com.

However, trying to pull an image with just “docker pull my-repo.my-domain[dot]com/ubuntu” results in pulling the HTML displayed when browsing to the repo path in a web browser.
Same if I add the full path /repository/repo/ubuntu.
If I include port 8081 and pull from my-repo.my-domain[dot]com:8081/ubuntu (or :8081/repository/repo/ubuntu), it errors with:
Error response from daemon: http: server gave HTTP response to HTTPS client

I noticed the repo path in the web interface includes https, even on newly created repos; is that expected? My nginx.conf is still using http; if I change it to https I get error 502 instead.

firewalld on the system is disabled, and SELinux is temporarily set to permissive.

The Docker client attempting to connect is on a different machine (WSL2 on Windows 11) and can pull from the official repos without issue.

It’s my first time working with docker, nginx and nexus, so I’m a bit lost on where to continue looking.

I guess the missing bits can be found in the official documentation:
https://help.sonatype.com/en/docker-repository-reverse-proxy-strategies.html#nginx-host-mapping-reverse-proxy-example

Note: I don’t use Nexus, so I can’t answer any questions about it or the reverse proxy configurations it requires.
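As an added illustration, not part of either post and not code from nginx or Nexus: the probe below does what `docker pull` and `docker login` do first, a GET on `/v2/`, and reports what kind of endpoint answered. The three loopback servers it starts are constructed stand-ins (the HTML body, the canned responses, the ports and the helper names are all assumptions made for the demo): one answers `/v2/` with the HTML a Nexus browsing path returns, one answers like a Docker registry, and the last is a plain-HTTP port contacted over TLS, which is the Python counterpart of the “server gave HTTP response to HTTPS client” error in the question.

```python
"""Probe a registry URL the way docker starts (GET /v2/) and say what answered.

Added example for this thread; not code from the original post, nginx or Nexus.
The three local servers are constructed stand-ins for the outcomes in the thread.
"""
import http.client
import socket
import socketserver
import ssl
import threading
from urllib.parse import urlsplit

# Constructed sample body standing in for the HTML page the poster saw on pull.
NEXUS_HTML = b"<!DOCTYPE html><html><head><title>Nexus Repository</title></head></html>"

DIAGNOSIS = {
    "web-ui-html": "an HTML page answered /v2/: the proxy forwards the Docker API "
                   "prefix to a browsing path, not to a Docker connector",
    "registry-v2-auth-challenge": "Docker registry v2 endpoint that demands credentials",
    "registry-v2-no-auth-challenge": "Docker registry v2 endpoint open to anonymous access; "
                                     "docker login reports success here without checking credentials",
    "tls-mismatch": "the port answered plain HTTP although the client spoke TLS "
                    "(docker: 'server gave HTTP response to HTTPS client')",
    "not-found": "404: nothing is served at this path",
}


def classify(status, headers, body):
    """Map one HTTP answer to a diagnosis key (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    api = h.get("docker-distribution-api-version", "")
    if status in (200, 401) and api.startswith("registry/2.0"):
        # A real registry identifies itself; 401 + WWW-Authenticate is the normal
        # challenge, 200 without one means the server never asks who you are.
        return "registry-v2-auth-challenge" if "www-authenticate" in h else "registry-v2-no-auth-challenge"
    if h.get("content-type", "").startswith("text/html") or body.lstrip().lower().startswith((b"<!doctype", b"<html")):
        return "web-ui-html"
    if status == 404:
        return "not-found"
    return f"unexpected-{status}"


def probe(url, timeout=5):
    """GET the URL over HTTP or HTTPS and classify the outcome."""
    u = urlsplit(url)
    if u.scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False   # only testing whether TLS is spoken at all
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"User-Agent": "registry-probe"})
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()), resp.read())
    except ssl.SSLError:
        # The TLS handshake received an HTTP status line instead of a ServerHello.
        return "tls-mismatch"
    finally:
        conn.close()


class CannedHandler(socketserver.BaseRequestHandler):
    """Drain whatever the client sent (an HTTP request or a TLS ClientHello)
    and reply with fixed bytes, like a server that speaks only plain HTTP."""
    def handle(self):
        self.request.settimeout(2)
        try:
            self.request.recv(65536)
        except socket.timeout:
            pass
        self.request.sendall(self.server.canned)


def canned_response(status, headers, body):
    """Serialize a raw HTTP/1.1 response with a correct Content-Length."""
    lines = [f"HTTP/1.1 {status}", *[f"{k}: {v}" for k, v in headers],
             f"Content-Length: {len(body)}", "Connection: close", "", ""]
    return "\r\n".join(lines).encode() + body


def start_server(raw_response):
    """Serve raw_response to every connection on an ephemeral loopback port."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), CannedHandler)
    srv.canned = raw_response
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def run_demo():
    """Reproduce the thread's three outcomes against the local stand-ins."""
    ui_port = start_server(canned_response("200 OK", [("Content-Type", "text/html")], NEXUS_HTML))
    reg_port = start_server(canned_response("200 OK", [("Content-Type", "application/json"),
                                                        ("Docker-Distribution-Api-Version", "registry/2.0")], b"{}"))
    return {
        "/v2/ proxied to the browsing page": probe(f"http://127.0.0.1:{ui_port}/v2/"),
        "/v2/ proxied to a Docker connector": probe(f"http://127.0.0.1:{reg_port}/v2/"),
        "https:// against a plain-HTTP port": probe(f"https://127.0.0.1:{reg_port}/v2/"),
    }


if __name__ == "__main__":
    for scenario, code in run_demo().items():
        print(f"{scenario:36} -> {code}: {DIAGNOSIS.get(code, code)}")
```

Run it against a real host by calling `probe("https://my-repo.my-domain.com/v2/")` instead of the stand-ins. A registry answer to `/v2/` always carries `Docker-Distribution-Api-Version: registry/2.0` and is either 200 or a 401 with a `WWW-Authenticate` challenge; HTML at `/v2/` means the proxy is sending the Docker API prefix to a browsing path (the `/repository/repo/` rewrite above) rather than to a Docker connector, and the TLS error is what the client sees when it speaks HTTPS to a port such as 8081 that only answers plain HTTP. A 200 with no challenge also explains why `docker login` accepts any credentials: the client never gets asked for them. The Sonatype page linked above avoids the path rewrite by giving the repository its own connector port and having the proxy forward the whole host to it.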

Understandable, I appreciate it.

I realized I had misunderstood the config, as this repo would not automatically pull official images anyway (that’d require a working proxy repository).

So instead, I’m now trying to push an image to the repo first. Initially, with the link given for the repository in the web interface, I ran into 404 errors. It seems I need to modify the path to include /v2/ to match the mapping done by nginx.
So: docker push my-repo.my-domain.com/v2/repository/repo/ubuntu
finds a repo.
However, doing that leads me to the next issue:

The push refers to repository [my-repo.my-domain.com/v2/repository/repo]
687d59f2f6a6: Preparing
unauthorized: access to the requested resource is not authorized

So I tried logging into the repo first, both at / and /v2/, but neither a test user with the explicit permissions nor the premade admin user gets past this error.
I also noticed that I can just put in any credentials and Docker will report “Login Succeeded”… that doesn’t seem quite right to me either.