Can't pull from Nexus behind nginx - HTTP response to HTTPS client

I’m having trouble pulling from a nexus hosted docker repository (“my-repo”) directly on rhel9 behind nginx which is configured to listen on 443 with ssl, servername my-repo.my-domain[dot]com

This is my nginx.conf:


user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
	worker_connections 1024;
}

http {
	proxy_send_timeout 120;
	proxy_read_timeout 300;
	proxy_buffering off;
	keepalive_timeout 5 5;
	tcp_nodelay		on;

}
server {
    listen 443 ssl;
    server_name my-repo.my-domain.com;

    ssl_certificate /etc/pki/tls/certs/my-repo.my-domain[dot]com.crt;
    ssl_certificate_key /etc/pki/tls/private/my-repo.my-domain[dot]com.key;

    # General proxy for the Nexus web interface
    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Proxy for Docker registry API (v2)
    location /v2/ {
        proxy_pass http://127.0.0.1:8081/repository/repo/;  #this was set according to repo path in webinterface
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection keep-alive; 
    }
}

and this is my nexus.properties:

nexus-host=0.0.0.0
nexus.http.port=8081
nexus.https.port=

(I previously tried with just nexus-host=0.0.0.0 and nexus.port=8081 with similar results)

Certs from our CA were generated and are in /etc/pki/tls/certs/my-repo.my-domain.com.crt
and /etc/pki/tls/private/my-repo.my-domain.com.key

Anonymous pull is enabled.
I can browse to the web interface of the repo at its server name and log in.

I can docker log into the repo via docker login my-repo.my-domain[dot]com.

However, trying to pull an image with just “docker pull my-repo.my-domain[dot]com/ubuntu” results in pulling the html displayed when browsing to the repo path in a web browser.
Same if I add the full path /repository/repo/ubuntu.
If I include port 8081 and pull from my-repo.my-domain[dot]com:8081/ubuntu (or :8081/repository/repo/ubuntu) it errors with:
Error response from daemon: http: server gave HTTP response to HTTPS client

I noticed the repo path in the web interface includes https, even on newly created repos; is that expected? My nginx.conf is still using http; if I change to https, I get error 502 instead.

firewalld on the system is disabled, and selinux temporarily set to permissive.

The docker client attempting to connect is on a different machine (wsl2 on win11) and can pull from the official repos without issue.

It’s my first time working with docker, nginx and nexus, so I’m a bit lost on where to continue looking.

I guess the missing bits can be found in the official documentation:
https://help.sonatype.com/en/docker-repository-reverse-proxy-strategies.html#nginx-host-mapping-reverse-proxy-example

Note: I don’t use Nexus, I can’t answer any questions about it, or reverse proxy configurations it requires.

Understandable, I appreciate it.

I realized I had misunderstood the config, as this repo would not automatically pull official images anyway (that’d require a working proxy repository).

So instead, I’m now trying to push an image to the repo first. Initially with the link given for the repository in the webinterface, I ran into 404 errors. It seems I need to modify the path to include /v2/ to match the mapping done by nginx.
So: docker push my-repo.my-domain.com/v2/repository/repo/ubuntu
finds a repo.
…however doing that leads me to the next issue;

The push refers to repository [my-repo.my-domain.com/v2/repository/repo]
687d59f2f6a6: Preparing
unauthorized: access to the requested resource is not authorized

So I tried logging into the repo first, both at / and /v2/, but neither a test user with the explicit permissions nor the full premade admin user get past this error.
I also noticed that I can just put in any credentials, and docker will report “Login Succeeded”… that doesn’t seem quite right to me either.
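
Added example (not from the thread and not Sonatype's code): a small Python model of how the Docker client turns an image reference into a `/v2/` request, and how nginx's `proxy_pass` with a URI part rewrites that path, applied to the `location /v2/` block posted above. The `/repository/repo/v2/` target is an assumption based on the path layout in the linked Sonatype reverse-proxy page, and all function names are hypothetical.

```python
from urllib.parse import urlsplit

def parse_image_ref(ref):
    """Split an image reference the way the Docker client does (digests ignored)."""
    first, _, rest = ref.partition("/")
    # The first component is a registry host only if it looks like a hostname.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, name = first, rest
    else:
        registry, name = "docker.io", (ref if "/" in ref else "library/" + ref)
    tag = "latest"
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    return registry, name, tag

def client_request(ref):
    """Host and path of the manifest request sent on pull.

    The API is always rooted at /v2/ on the registry host, and the client
    speaks HTTPS unless the daemon lists the registry as insecure, so a
    plain-HTTP port such as :8081 yields "HTTP response to HTTPS client".
    """
    registry, name, tag = parse_image_ref(ref)
    return registry, f"/v2/{name}/manifests/{tag}"

def nginx_upstream_path(location, proxy_pass, request_path):
    """proxy_pass with a URI part replaces the matched location prefix."""
    if not request_path.startswith(location):
        raise ValueError("request does not match this location")
    uri = urlsplit(proxy_pass).path
    return request_path if not uri else uri + request_path[len(location):]

LOCATION = "/v2/"
AS_POSTED = "http://127.0.0.1:8081/repository/repo/"   # from the thread
WITH_V2 = "http://127.0.0.1:8081/repository/repo/v2/"  # assumption, see lead-in

def trace(ref, proxy_pass):
    """Return (registry host, path sent by client, path received by Nexus)."""
    registry, path = client_request(ref)
    return registry, path, nginx_upstream_path(LOCATION, proxy_pass, path)

if __name__ == "__main__":
    refs = ("my-repo.my-domain.com/ubuntu",
            "my-repo.my-domain.com/v2/repository/repo/ubuntu")
    for ref in refs:
        for target in (AS_POSTED, WITH_V2):
            print(ref, "->", target, "->", trace(ref, target)[2])
```

With the posted config the `v2` segment is dropped before the request reaches Nexus, and putting `/v2/repository/repo/` into the image name only makes it part of the repository name, so the client requests `/v2/v2/repository/repo/ubuntu/...`.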
