The Nexus documentation provides steps for configuring Nexus Repository to run behind a reverse proxy. The information below will help you configure an IIS server to act as a reverse proxy server.
- On your reverse proxy server, install IIS, URL Rewrite and Application Request Routing, following the product documentation.
- Using the IIS Manager console, select the Default Web Site and open URL Rewrite.
- Use URL Rewrite to create your inbound rule. If a Rewrite Rule has been created automatically you may be able to just add the headers in the next step. If you prefer to create a new Rewrite Rule, from the Actions pane, select the Add Rule… template and create a new Reverse Proxy rule. Click OK to enable proxy functionality if you are prompted. Choose a name for your Inbound Rule and click OK.
- Create server variables for the HTTP headers. In the Actions pane, click View Server Variables. Add the following variables, then click Back to Rules:
  - HTTP_X_FORWARDED_HOST
  - HTTP_X_FORWARDED_PROTO
- Set values for the server variables in your inbound rule. Highlight the Inbound rule and click Edit. Under Server Variables click Add. Select the server variable names from the drop down and assign the following values:
  - HTTP_X_FORWARDED_HOST should contain the domain name and (optionally) port of the original host requested by the client
  - HTTP_X_FORWARDED_PROTO should be https if your IIS server is configured to use SSL, otherwise http
- Restart IIS. In the Connections pane select the server name, then Restart the server from the Actions pane.
Once your configuration is complete, the web.config file in inetpub\wwwroot will contain entries similar to the following:
    <rules>
      <rule name="ReverseProxyInboundRule1" stopProcessing="true">
        <match url="(.*)" />
        <action type="Rewrite" url="http://localhost:8081/{R:1}" />
        <serverVariables>
          <set name="HTTP_X_FORWARDED_HOST" value="nexus.mydomain.org" />
          <set name="HTTP_X_FORWARDED_PROTO" value="https" />
        </serverVariables>
      </rule>
    </rules>
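One way to check the resulting rule before restarting IIS, as an added example that is not part of the Sonatype documentation. The function name `check_rewrite_rules` and the sample strings are assumptions constructed for illustration, and the checks cover only what this page specifies: both server variables set, a host[:port] value, and http or https as the protocol.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("HTTP_X_FORWARDED_HOST", "HTTP_X_FORWARDED_PROTO")

# Constructed samples modelled on the rule shown above (not real deployments).
GOOD = """<rules><rule name="ReverseProxyInboundRule1" stopProcessing="true">
  <match url="(.*)" />
  <action type="Rewrite" url="http://localhost:8081/{R:1}" />
  <serverVariables>
    <set name="HTTP_X_FORWARDED_HOST" value="nexus.mydomain.org" />
    <set name="HTTP_X_FORWARDED_PROTO" value="https" />
  </serverVariables>
</rule></rules>"""
# Host carries a scheme and path, and the PROTO variable is missing.
BAD = (GOOD.replace('"nexus.mydomain.org"', '"https://nexus.mydomain.org/"')
           .replace('<set name="HTTP_X_FORWARDED_PROTO" value="https" />', ""))
# Typographic quotes around an attribute value, as happens after copy and paste.
CURLY = GOOD.replace('"nexus.mydomain.org"', "\u201cnexus.mydomain.org\u201d")


def check_rewrite_rules(web_config_text):
    """Return a list of findings for every Rewrite rule in a web.config string."""
    try:
        root = ET.fromstring(web_config_text)
    except ET.ParseError as exc:
        return [f"web.config is not well-formed XML: {exc}"]
    findings = []
    for rule in root.iter("rule"):
        action = rule.find("action")
        if action is None or action.get("type") != "Rewrite":
            continue  # only reverse proxy (Rewrite) rules are checked
        name = rule.get("name", "<unnamed>")
        values = {s.get("name"): (s.get("value") or "").strip()
                  for s in rule.iter("set")}
        for var in REQUIRED:
            if not values.get(var):
                findings.append(f"{name}: {var} is not set")
        proto = values.get("HTTP_X_FORWARDED_PROTO")
        if proto and proto not in ("http", "https"):
            findings.append(f"{name}: HTTP_X_FORWARDED_PROTO is {proto!r}")
        host = values.get("HTTP_X_FORWARDED_HOST", "")
        if "/" in host or any(c.isspace() for c in host):
            findings.append(f"{name}: HTTP_X_FORWARDED_HOST must be host[:port] only")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD), ("curly", CURLY)):
        print(label, check_rewrite_rules(text) or "no findings")
```
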
With a reverse proxy in front of Nexus Repository, you may also wish to create a Base URL capability which the repository manager will use to construct correct URLs to the user interface within email notifications.
HTTP POST Requests Fail With 404 Status Code
Some interactions with Sonatype products use HTTP POST requests:
- uploads using the Nexus Repository Manager 2.x user interface (repository Upload tab and Staging Upload)
- Nexus IQ Server Evaluate Binary action
These operations may require a POST request that exceeds the default content limits set by IIS (approx. 28.6 MB). When this happens, the requests do not pass through to the Sonatype servers and are instead returned from IIS as an error with 404 status code, sub-status code 13, and the message "Content Length Too Large".
Consult the official IIS documentation for options to allow for larger POST requests.
HTTP Requests Fail With 502 Gateway Timeout ERROR_WINHTTP_TIMEOUT Status
Some interactions with Sonatype products through IIS may fail with a 502 Gateway Timeout. This means that IIS did not wait long enough for the Sonatype server product to respond.
For IQ Server scan requests, you need to allow up to approximately 15 minutes for a response. This requires changing the Receive Timeout in ARR from its default low value to 900 seconds plus some overhead room. Configure the ARR timeout to 930 seconds.
For Nexus Repository requests, common reasons for long delays are:
- a repository request is downloading a large file from a remote server
- a group repository request is processing many repository group members looking for a suitable response in merged results
- a saturated network
Usually such delays can be reduced by configuration tweaks inside Nexus; however, increasing the IIS ARR ReceiveTimeout may also be required in some circumstances.
Information about diagnosing or making IIS timeout configuration changes can be found at these resources:
- https://technet.microsoft.com/en-us/library/dd443533(WS.10).aspx
- https://technet.microsoft.com/en-us/library/dd443526(WS.10).aspx
- https://blogs.iis.net/richma/502-3-bad-gateway-the-operation-timed-out-with-iis-application-request-routing-arr
- https://docs.microsoft.com/en-us/iis/extensions/troubleshooting-application-request-routing/troubleshooting-502-errors-in-arr
External References About Configuring IIS
Nexus Repository OSS reverse proxy
Inspecting Inbound Request Headers in Nexus Repository Manager
You can inspect the HTTP request headers being sent to Nexus Repository from a reverse proxy. This will help prove that your reverse proxy is sending Nexus the correct header values.
Troubleshooting IIS Reverse Proxy Problems
For troubleshooting an IIS reverse proxy, Microsoft recommends enabling Failed Request Tracing, which creates an XML file for each request. The IIS forums are also a good resource.