Nexus Repository 3 behind Avi (NSX-ALB) Reverse Proxy

Hello!

A while back I wrote a short blog article on how to set up your own Nexus Repository. By default Nexus Repository is served over HTTP; from the beginning I wanted to present it to clients over HTTPS. My initial idea was to use NGINX; however, lately I have been playing around a lot with NSX-ALB (Avi) and decided to use it for my reverse proxy requirements.

I already have Avi installed for my Tanzu Kubernetes Grid environments. Official documentation on how to install Avi for Tanzu Kubernetes Grid can be found here. Avi can also be used with environments other than VMware; see the official Avi documentation here.
Additionally you can take a look at some blog posts here.

So let’s dive into it!

My Environment

Basically we want to create a new Application (Virtual Service) in the Avi environment. For this Virtual Service (Application / VS) we need the following details:

Component                                                  Details
Nexus Repository Manager UI                                10.10.30.35:8081 (HTTP)
Docker Repository on Nexus Repository Manager              10.10.30.35:5000 (HTTP)
Avi Controller                                             10.10.30.180
Avi Virtual Service VIP Network                            AVI – FrontEnd 60
Avi Virtual Service VIP IPv4 Subnet                        10.10.60.0/24
Avi DNS Zone                                               avi.potus.local
Avi Virtual Service Ports (ports the Avi VIP listens on)   443 (HTTPS), 5000 (HTTPS)
Port Mapping                                               443 -> 8081, 5000 -> 5000
Avi Virtual Service Certificate                            Self-signed

As you can see from the table above, my Avi is configured with an internal IPAM range (Avi hands out the VIP addresses itself) and a DNS zone (Avi itself is authoritative for the subdomain ‘avi.potus.local’). It’s worth noting that Avi can also integrate with existing IPAM solutions such as Infoblox, and with existing DNS solutions, for example via their REST API.

What do we want to achieve?

Present the Nexus Repository over HTTPS instead of HTTP. According to the official Nexus Repository documentation we can achieve this in one of two ways:

  • Reverse proxy with SSL offloading / termination on the Avi load balancer
  • Or set up Nexus Repository itself to serve HTTPS

We will be creating a load balancer (Virtual Service) on Avi with an SSL certificate, so that client traffic towards the load balancer is HTTPS. The load balancer itself talks to the backend server over plain HTTP, since our Nexus Repository still only presents HTTP.

Two things to keep in mind with this kind of offloading. First, Nexus now only ever sees plain HTTP, so it has to be told that clients arrive over HTTPS: either have the proxy forward an X-Forwarded-Proto header (the Nexus reverse proxy documentation shows this for NGINX; Avi’s HTTP application profile has an X-Forwarded-Proto option) or set Nexus’s Base URL capability, otherwise Nexus can generate http:// links and redirects. Second, the hop to 10.10.30.35:8081 is unencrypted, so that port should only be reachable from the Avi Service Engines and not from client networks, or the HTTPS front door can simply be bypassed.
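The design just described, expressed as the Avi REST API objects that the GUI steps in the next section create, so the same thing can be reviewed and repeated without clicking. This is an added example and not code from the original post or from Avi: the values come from the environment table above; the object and field names follow the Avi REST object model (Pool, VsVip, VirtualService) and the ‘/api/<type>?name=<name>’ reference form the controller resolves when you POST; the pool and certificate names, the DNS name derived from the VS name, the API version and the use of the avi-sdk ‘ApiSession’ client in push() are assumptions. Check the field names against your controller’s API schema before pushing anything. The lint() function encodes the security properties of the design: TLS on every listening port, a non-default certificate, and plain HTTP only towards the Nexus UI port.

```python
"""Avi (NSX-ALB) objects for the Nexus reverse proxy as REST API bodies.

Added example, not from the original post. Field names follow the Avi REST object
model as I know it (assumption: verify against your controller's /api schema).
"""
import json

# Values from the post's environment table
NEXUS_IP = "10.10.30.35"
NEXUS_UI_PORT = 8081
VIP_NETWORK = "AVI – FrontEnd 60"        # network name exactly as it appears in Avi
VIP_SUBNET = ("10.10.60.0", 24)
DNS_ZONE = "avi.potus.local"
VS_NAME = "potus-nexusrepo"
POOL_NAME = "potus-nexusrepo-pool"       # assumed name
CERT_NAME = "potus-nexusrepo-cert"       # assumed name of the uploaded certificate


def ref(obj_type, name):
    """Name-based object reference, e.g. /api/healthmonitor?name=System-TCP."""
    return f"/api/{obj_type}?name={name}"


def build_pool():
    """Steps 5 and 6: backend pool, plain HTTP to Nexus on 8081 (no ssl_profile_ref)."""
    return {
        "name": POOL_NAME,
        "enabled": True,
        "default_server_port": NEXUS_UI_PORT,
        "lb_algorithm": "LB_ALGORITHM_LEAST_CONNECTIONS",
        "inline_health_monitor": True,        # passive health monitoring
        "min_health_monitors_up": 1,
        "health_monitor_refs": [ref("healthmonitor", "System-TCP")],
        "application_persistence_profile_ref": ref("applicationpersistenceprofile",
                                                   "System-Persistence-Client-IP"),
        "analytics_profile_ref": ref("analyticsprofile", "System-Analytics-Profile"),
        "analytics_policy": {"enable_realtime_metrics": True},
        "rewrite_host_header_to_server_name": False,
        "servers": [{"ip": {"addr": NEXUS_IP, "type": "V4"},
                     "port": NEXUS_UI_PORT, "enabled": True}],
    }


def build_vsvip():
    """Step 3 D-G: auto-allocated VIP from the frontend network plus a DNS record.

    cloud_ref is omitted, which means Default-Cloud (assumption for this lab)."""
    return {
        "name": f"{VS_NAME}-vsvip",
        "vip": [{
            "vip_id": "0",
            "auto_allocate_ip": True,
            "ipam_network_subnet": {
                "network_ref": ref("network", VIP_NETWORK),
                "subnet": {"ip_addr": {"addr": VIP_SUBNET[0], "type": "V4"},
                           "mask": VIP_SUBNET[1]},
            },
        }],
        "dns_info": [{"fqdn": f"{VS_NAME}.{DNS_ZONE}", "type": "DNS_RECORD_A"}],
    }


def build_virtualservice():
    """Steps 3, 4 and 11: HTTPS on 443, terminated with the uploaded certificate."""
    return {
        "name": VS_NAME,
        "enabled": True,
        "traffic_enabled": True,
        "network_profile_ref": ref("networkprofile", "System-TCP-Proxy"),
        "application_profile_ref": ref("applicationprofile", "System-Secure-HTTP"),
        "services": [{"port": 443, "port_range_end": 443, "enable_ssl": True}],
        "ssl_profile_ref": ref("sslprofile", "System-Standard"),
        "ssl_key_and_certificate_refs": [ref("sslkeyandcertificate", CERT_NAME)],
        "pool_ref": ref("pool", POOL_NAME),
        "vsvip_ref": ref("vsvip", f"{VS_NAME}-vsvip"),
    }


def lint(vs, pool):
    """Security checks to apply before pushing. Empty list means the objects match
    the design: TLS on the VIP with our own certificate, plain HTTP only to Nexus."""
    problems = []
    if not all(s.get("enable_ssl") for s in vs["services"]):
        problems.append("a VS service port is listening without SSL")
    certs = vs.get("ssl_key_and_certificate_refs", [])
    if not certs or any("System-Default-Cert" in c for c in certs):
        problems.append("VS is serving the controller's default self-signed certificate")
    if "ssl_profile_ref" not in vs:
        problems.append("no SSL profile on the VS")
    if pool.get("ssl_profile_ref"):
        problems.append("pool has SSL enabled but Nexus only speaks HTTP on 8081")
    for s in pool["servers"]:
        if s.get("port", pool["default_server_port"]) != NEXUS_UI_PORT:
            problems.append(f"server {s['ip']['addr']} does not point at the Nexus UI port")
    return problems


def push(controller, username, password, api_version="20.1.1"):
    """Create pool, vsvip and VS in dependency order with the Avi SDK (pip install avisdk).

    Assumes the avisdk package, a reachable controller and a matching api_version;
    not exercised offline."""
    from avi.sdk.avi_api import ApiSession  # assumption: avisdk installed
    api = ApiSession.get_session(controller, username, password, api_version=api_version)
    for obj_type, body in (("pool", build_pool()), ("vsvip", build_vsvip()),
                           ("virtualservice", build_virtualservice())):
        resp = api.post(obj_type, data=body)
        resp.raise_for_status()
        print(f"created {obj_type} {body['name']}")


if __name__ == "__main__":
    vs, pool = build_virtualservice(), build_pool()
    print(json.dumps({"pool": pool, "vsvip": build_vsvip(), "virtualservice": vs}, indent=2))
    print("lint:", lint(vs, pool) or "ok")
```

Run it without arguments to print the three bodies and the lint result; the pool is posted first because the VS references it by name, and the VsVip before the VS for the same reason.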

Visually it means we will be doing this:

Avi Configuration

1. Browse to your Avi controller’s web UI and log in
2. Go to the ‘Applications’ view, click ‘Create Virtual Service’ at the top right of the page and choose ‘Advanced Setup’:

3. Fill in the necessary details as shown below:
A. Give your Virtual Service (VS) a name (e.g. potus-nexusrepo)
B. Make sure the VS is enabled
C. Enable traffic on the VS
D. If you want Avi to auto-allocate the VIP, select this checkbox
E. Select the network from which to auto-allocate the IP
F. Select the network range (subnet) the IP should come from
G. Make sure your application gets a DNS record
H. Select the default ‘System-TCP-Proxy’ TCP/UDP profile
I. Select the ‘System-Secure-HTTP’ application profile

4. Scroll down to the next section and fill in the required details:

A. Set the port for this Virtual Service to ‘443’
B. Enable ‘SSL’ on the port
C. Make sure ‘Pool’ is selected
D. Click the ‘edit pencil’ to create the ‘Pool of Backend Servers’ to which this VS routes the traffic

5. Let’s create our ‘Pool of Backend (Nexus Repository) Servers’ for this Virtual Service:

A. Enter a name for your pool of backend servers (Nexus Repository servers)
B. Make sure the pool is enabled
C. Enter the default server port of your backend server (in our case 8081)
D. Choose your preferred load balancing algorithm (Least Connections)
E. Enable passive health monitoring
F. Enter the number of health monitors that must pass to consider a server ‘up’ (1)
G. Choose ‘System-TCP’ as your health monitor so that Avi checks port 8081
H. Select ‘System-Persistence-Client-IP’ as your persistence profile
I. Choose the default ‘System-Analytics-Profile’
J. Enable real-time metrics and disable ‘Rewrite Host Header to Server Name’
K. Uncheck ‘Enable SSL’, since Avi talks to Nexus over plain HTTP on 8081

6. Click Next to add our servers to the Avi pool:

A. Enter the IP address of the Nexus Repository server and its port
B. Click ‘Add Server’

7. Your List of Servers in the Avi Pool should now look like this:

8. Click Next and leave everything under ‘Advanced’ at its defaults for now

9. Click Save on the bottom right of your screen

10. You should now see your newly created Pool show up under the ‘Pool‘ section of your new Virtual Service:

11. Let’s configure the Certificate on the Virtual Service VIP:

A. Select the ‘System-Standard’ SSL profile for now
B. Click the ‘edit’ pencil to upload your certificate

12. Upload your Certificate in your desired way (Copy/Paste or Upload File) and click ‘Save’

13. Make sure that only your certificate is shown here, so the VS never presents the controller’s ‘System-Default-Cert’ to clients

14. We’re almost ready! Just click ‘Next’ a couple of times, leave everything at its defaults and click ‘Save’ at the end. You should now see your Virtual Service show up. Click on it to view its details:

15. Looking for the VIP address of your Virtual Service? Go to ‘Applications’ – ‘Virtual Services’ and you’ll see its IP address listed there:

16. Let’s browse to it over HTTPS: https://YOUR-VIP (or the DNS name Avi registered for it). Because the certificate is self-signed your browser will warn; check that the certificate it shows is the one you uploaded.

You’ve now successfully created a Reverse Proxy for your Nexus Repository with SSL Termination on the Load Balancer 🙂
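Before calling it done, here is the check I would run against the new VIP, as an added example that is not part of the original post: it reports the TLS handshake and the certificate the VIP really presents, looks for plain http:// redirects or links that a TLS-offloaded Nexus hands out when it does not know it sits behind HTTPS (the X-Forwarded-Proto / Base URL point from the design section), and tests whether the plaintext backend on 8081 can be reached directly. The hostname ‘nexus.avi.potus.local’ and the two sample HTTP responses are constructed for the example; the network functions need the lab, while the parsing and leak-detection functions run offline.

```python
"""Post-deployment checks for the Nexus reverse proxy (added example, not from the post).

Network functions need the lab VIP; parse_response() and find_plaintext_leaks()
run offline on the constructed sample responses at the bottom.
"""
import re
import socket
import ssl

VIP_FQDN = "nexus.avi.potus.local"      # constructed hostname for this example
BACKEND = ("10.10.30.35", 8081)          # Nexus UI from the post's table


def _insecure_ctx():
    """TLS context that still handshakes with the post's self-signed cert so we can inspect it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_summary(host, port=443, timeout=5):
    """Handshake with the VIP; report protocol, cipher and the certificate actually presented."""
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            _insecure_ctx().wrap_socket(sock, server_hostname=host) as tls:
        der = tls.getpeercert(binary_form=True)
        return {"version": tls.version(), "cipher": tls.cipher()[0],
                "cert_pem": ssl.DER_cert_to_PEM_cert(der)}


def get_over_tls(host, path="/", port=443, timeout=5):
    """Minimal HTTP/1.1 GET over TLS, returning the raw response bytes."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            _insecure_ctx().wrap_socket(sock, server_hostname=host) as tls:
        tls.sendall(req)
        chunks = []
        while chunk := tls.recv(65536):
            chunks.append(chunk)
    return b"".join(chunks)


def tcp_open(host, port, timeout=2):
    """True if a plain TCP connect succeeds. From client networks BACKEND should come
    back False, otherwise the HTTPS front door can simply be bypassed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body); header names are
    lowercased and repeated headers kept as a list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body.decode("utf-8", "replace")


def find_plaintext_leaks(headers, body, hosts):
    """Return (where, url) for every http:// URL that points back at one of our own names.

    A hit means Nexus believes it is served over plain HTTP (what it sees behind an
    offloading proxy) and is sending clients to an unencrypted URL: fix it on the proxy
    (forward X-Forwarded-Proto: https) or in Nexus (Base URL capability), not on the client.
    """
    leaks = [("Location", loc) for loc in headers.get("location", [])
             if loc.lower().startswith("http://")]
    own = "|".join(re.escape(h) for h in hosts)
    for url in re.findall(r"http://(?:%s)(?::\d+)?[^\s\"'<>]*" % own, body, re.I):
        leaks.append(("body", url))
    return leaks


# Constructed samples: the failure mode (redirect and link over http://) and a clean one.
SAMPLE_LEAKY = (b"HTTP/1.1 302 Found\r\n"
                b"Location: http://nexus.avi.potus.local/\r\n"
                b"Content-Type: text/html\r\n\r\n"
                b'<a href="http://nexus.avi.potus.local/service/rest/">api</a>')
SAMPLE_CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                b"Strict-Transport-Security: max-age=31536000\r\n\r\n"
                b'<a href="/service/rest/">api</a>')


def check_sample(raw, hosts=(VIP_FQDN,)):
    """Parse a raw response and return (status, leaks) for the given own hostnames."""
    status, headers, body = parse_response(raw)
    return status, find_plaintext_leaks(headers, body, hosts)


if __name__ == "__main__":
    import sys
    print("leaky sample:", check_sample(SAMPLE_LEAKY))
    print("clean sample:", check_sample(SAMPLE_CLEAN))
    if len(sys.argv) > 1:                       # python check_vip.py <vip-or-fqdn>
        target = sys.argv[1]
        s = tls_summary(target)
        print(target, s["version"], s["cipher"])
        print(s["cert_pem"])
        print("leaks:", check_sample(get_over_tls(target), (target, VIP_FQDN)))
        print("backend 8081 reachable from here:", tcp_open(*BACKEND))
```

Run it from a client network, not from the Service Engine network: the interesting result for tcp_open() is False, and an empty leak list on the real response means Nexus has been told it is behind HTTPS.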

You’re probably wondering “what about the Docker repo on port 5000?” Well, Avi has a nice feature where you can present multiple Applications (Virtual Services) behind a single VIP. So all we have to do is create a new Application (Virtual Service) for the Docker repo and have it share the VIP of the Nexus Repository Virtual Service we just created. I’ll cover that in another blog post.

If you have any comments or questions, don’t hesitate to reach out!
