A while back I wrote a short blog article on how to set up your own Nexus Repository. By default, Nexus Repository is presented over HTTP, but from the start I wanted to present it to clients over HTTPS. My initial idea was to use NGINX; however, lately I have been playing around a lot with NSX-ALB (Avi) and decided to use it for my reverse proxy requirements.
I already have Avi installed for my Tanzu Kubernetes Grid environments. Some official documentation on how to install Avi in relation to Tanzu Kubernetes Grid can be found here. However, Avi can also be used with environments other than VMware; see the official Avi documentation here.
Additionally, you can take a look at some blog posts here.
So let’s dive into it!
Basically we want to create a new Application (Virtual Service) in the Avi Environment. For this Virtual Service (Application / VS) we need the following Details:
| Item | Value |
|---|---|
| Nexus Repository Manager UI | 10.10.30.35:8081 (HTTP) |
| Docker Repository on Nexus Repository Manager | 10.10.30.35:5000 (HTTP) |
| Avi Virtual Service VIP Network | AVI – FrontEnd 60 |
| Avi Virtual Service VIP IPv4 Subnet | 10.10.60.0/24 |
| Avi DNS Zone | avi.potus.local |
| Avi Virtual Service Ports (ports on which the Avi VIP listens) | 443 (HTTPS), 5000 (HTTPS) |
| Port Mapping | 443 -> 8081, 5000 -> 5000 |
| Avi Virtual Service Certificate | Self Signed |
As you can see from the table above, my Avi is configured with an internal IPAM range (so Avi is responsible for the IP addresses) and a DNS zone (Avi itself is responsible for the subdomain ‘avi.potus.local’). It’s worth noting that Avi can also integrate with existing IPAM solutions such as Infoblox, and with existing DNS solutions, for example via their REST APIs.
What do we want to achieve?
Present the Nexus Repository environment over HTTPS instead of HTTP. According to the official Nexus Repository documentation we can achieve this in one of two ways:
- A reverse proxy with SSL offloading / termination, here on the Avi load balancer
- Or configuring Nexus Repository itself to serve HTTPS
We will be creating a load balancer on the Avi with an SSL certificate so that the client traffic towards the load balancer is HTTPS. The load balancer itself will talk to the backend servers over regular HTTP, since our Nexus Repository still only presents HTTP; that backend hop is therefore cleartext and should stay on a network segment that clients cannot reach directly.
Visually it means we will be doing this:
1. Browse to your Avi controller’s web UI and log in.
2. Go to the ‘Applications’ view, select ‘Create Virtual Service’ on the top right of the page and choose ‘Advanced Setup’:
   - A: Give your Virtual Service (VS) a name (e.g. potus-nexusrepo)
   - B: Make sure that the VS is enabled
   - C: Enable traffic on your VS
   - D: If you want to auto-allocate your VS’s VIP, select this checkbox
   - E: Select the network from which to auto-allocate the IP
   - F: Select the network range the IP should come from
   - G: Make sure your application gets a DNS record
   - H: Select the default ‘System-TCP-Proxy’ profile
   - I: Select the ‘System-Secure-HTTP’ profile
4. Scroll down to the next section and fill in the required details:
   - A: Set the port for this Virtual Service to ‘443’
   - B: Enable ‘SSL’ on the port
   - C: Make sure to select ‘Pool’
   - D: Click the ‘edit’ pencil to create the ‘Pool of Backend Servers’ this VS should route traffic to
5. Let’s create our pool of backend (Nexus Repository) servers for this Virtual Service:
   - A: Enter a name for your pool of backend servers (Nexus Repository servers)
   - B: Make sure that the pool is enabled
   - C: Enter the default server port of your backend server (in our case 8081)
   - D: Choose your preferred load-balancing method (Least Connections)
   - E: Enable passive health monitoring
   - F: Enter the number of health monitors that must be OK to consider the server ‘up’ (1)
   - G: Choose ‘System-TCP’ as your health check so that Avi monitors our port 8081
   - H: Select ‘System-Persistence-Client-IP’ as your persistence profile
   - I: Choose the default ‘System-Analytics-Profile’
   - J: Enable real-time metrics and disable ‘Rewrite Host Header to Server Name’
   - K: Uncheck ‘Enable SSL’, since our Avi LB will talk to Nexus over plain HTTP on 8081
6. Click Next to add our servers to the Avi pool:
   - A: Enter the IP address of our Nexus Repository server plus the port
   - B: Click ‘Add Server’
7. Your list of servers in the Avi pool should now look like this:
9. Click Save at the bottom right of your screen.
10. You should now see your newly created pool show up under the ‘Pool’ section of your new Virtual Service:
11. Let’s configure the certificate on the Virtual Service VIP:
   - A: Select the ‘System-Standard’ SSL profile for now
   - B: Click the ‘edit’ pencil to upload your certificate
12. Upload your certificate in your preferred way (copy/paste or upload file) and click ‘Save’.
13. Make sure that only your certificate is shown here.
15. Looking for the VIP address of your Virtual Service? Go to ‘Applications’ – ‘Virtual Services’ and you’ll see your IP address listed there:
16. Let’s browse to it over HTTPS: https://YOUR-VIP
You’ve now successfully created a Reverse Proxy for your Nexus Repository with SSL Termination on the Load Balancer 🙂
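The configuration built in the steps above, as an added example that is not part of the original post: the same pool and virtual service expressed as Avi REST API payloads, plus a check for the two mistakes that break SSL termination (SSL left off the 443 service, or ‘Enable SSL’ left on for the plain-HTTP pool). Field names are my understanding of the Avi API objects (an assumption); verify them against your controller’s API version before applying.

```python
# Added example, not the blog's own code. Field names follow the Avi REST API
# (POST /api/pool, POST /api/virtualservice) as I understand it (assumption).

def build_pool(name, backend_ip, backend_port):
    """Pool of plain-HTTP Nexus backends. ssl_profile_ref is deliberately
    absent: that key is what 'Enable SSL' on the pool would add."""
    return {
        "name": name,
        "enabled": True,
        "default_server_port": backend_port,
        "lb_algorithm": "LB_ALGORITHM_LEAST_CONNECTIONS",
        "health_monitor_refs": ["/api/healthmonitor?name=System-TCP"],
        "application_persistence_profile_ref":
            "/api/applicationpersistenceprofile?name=System-Persistence-Client-IP",
        "rewrite_host_header_to_server_name": False,
        "servers": [{"ip": {"addr": backend_ip, "type": "V4"},
                     "port": backend_port, "enabled": True}],
    }

def build_virtualservice(name, pool_ref, cert_ref, vip_ports=(443,)):
    """Virtual service that terminates TLS on every listed VIP port."""
    return {
        "name": name,
        "enabled": True,
        "traffic_enabled": True,
        "services": [{"port": p, "enable_ssl": True} for p in vip_ports],
        "application_profile_ref": "/api/applicationprofile?name=System-Secure-HTTP",
        "network_profile_ref": "/api/networkprofile?name=System-TCP-Proxy",
        "ssl_profile_ref": "/api/sslprofile?name=System-Standard",
        "ssl_key_and_certificate_refs": [cert_ref],
        "pool_ref": pool_ref,
    }

def check_ssl_termination(vs, pool):
    """Return the misconfigurations that would break 'HTTPS in front,
    plain HTTP behind'; an empty list means the design is intact."""
    findings = []
    for svc in vs.get("services", []):
        if not svc.get("enable_ssl"):
            findings.append(f"VIP port {svc['port']} serves plain TCP, not HTTPS")
    if "ssl_profile_ref" in pool:
        findings.append("pool has SSL enabled, but Nexus only speaks plain HTTP")
    if not vs.get("ssl_key_and_certificate_refs"):
        findings.append("no certificate bound to the virtual service")
    if "System-Secure-HTTP" not in vs.get("application_profile_ref", ""):
        findings.append("application profile is not System-Secure-HTTP")
    return findings
```

Run `check_ssl_termination` on the two dicts before posting them to the controller; the names `potus-nexusrepo` and the certificate reference are placeholders for your own objects.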
You’re probably wondering “what about your Docker Repo on port 5000”? Well, Avi has this cool feature where you can present multiple Applications (Virtual Services) behind a single VIP. So all we have to do is create a new Application (Virtual Service) for our Docker Repo and make sure we select our existing Nexus Repository Virtual Service we just created earlier. I’ll cover that in another blog post.
If you have any comments or questions, don’t hesitate to reach out!