This article offers advice for hosting Nexus in a DMZ that has no direct external network access.
Configure Nexus to use a Proxy Server
Nexus can be configured to use a proxy server for all outbound connections. The proxy server can control access to external networks if direct access is not allowed.
Disabling Internet Bound Nexus Requests
You should disable any features that require external access. Some of these are enabled by default.
- remove or manually block any proxy repositories to remote network URLs
- disable Secure Central
- disable the outreach plugin.
- turn off the latest version check on Administration -> Server -> New Version Availability
- disable automatic submission of analytics ( Nexus 2.8+ ). Analytics submissions connects to https://analytics.sonatype.com.
- disable Repository Health Check
Disabling these features prevents verbose messages in your logs and reduces overhead.
Proxy a Non-DMZ Nexus
Determine if your DMZ Nexus cannot even access another Nexus which is outside the DMZ. If it can, then we suggest all external artifacts be retrieved through this non-DMZ Nexus instance.
- Install another Nexus in a non-DMZ host.
- Create a proxy repository in your non-DMZ Nexus to an internet hosted Maven repository.
- Open your DMZ firewall to allow the http or https port of your non-DMZ Nexus to be accessed by the host of your DMZ Nexus.
- Create a proxy repository in your DMZ Nexus to the non-DMZ repository URL.
- Add your DMZ Nexus proxy repository to the group repo accessed by your DMZ developers.
Pre-caching External Artifacts
If your DMZ Nexus does not have any external network access and you need external artifacts, then you would need a non-DMZ host to pre-cache the required artifacts. Then transfer ( possibly rsync? ) the sonatype-work contents to the DMZ nexus.
If using rsync, there are some tips in How to Set up Nexus Active/Standby Failover.
Transferring Non-DMZ Artifacts to DMZ Nexus Using Procurement
On the nexus instance that is outside the DMZ create a procurement repository against the group repository which is used for your builds. Add a single procurement rule to this repository, an allow rule with GAV coordinates set to "::*". Then run your build(s) through this procurement repository.
Once this is done the procurement repository's local storage directory will contain the initial set of needed artifacts.
After this, stop procurement in the repository created above. This will leave you with a hosted repository that contains the initial set of artifacts needed. The contents of this can be copied into the Nexus instance behind the DMZ.
Then in the nexus instance outside the DMZ create a new procurement repository against the same group repository, and also give this an allow rule for "::*".
Create a new group repository, and for it's members add the hosted repository created in the first step, and the procurement repository you just created. Make sure the hosted repository is above the procurement repository in this group.
Now you're ready to capture deltas. All you need to do is run your build(s) against the new group repository. Anything not currently in the hosted repository will be copied into the new procurement repository's local storage.
Once you've approved these new artifacts, you can copy them into both the hosted repository behind the DMZ, and the hosted repository you created in the first step in the nexus instance in front of the DMZ. After this delete these from the new procurement repository's local storage, and you're ready to repeat the process.
There are a few post-processing steps you'll need to perform on the hosted repositories after you copy artifacts into them, see here for details.