Docker Repository Reverse Proxy Strategies

Docker Repository + Reverse Proxy Intended Use Case

Using a reverse proxy in front of Nexus for Docker repositories is an option to consider for the following use cases:

  • multiple connectors inside of Eclipse Jetty/Nexus would cause performance issues
  • the number of open ports needs to be limited for infrastructure or security reasons
  • managing secure connectors/ports/hosts inside an external reverse proxy aligns with organizational goals and infrastructure
  • isolating private docker images from other parties is a requirement

Implementation Overview

Nexus listens on a non-HTTPS connector, such as the default port 8081.

Docker repositories are added into Nexus as normal but would NOT be configured with any connector port values.

In the simple case there would be the following docker repository hierarchy inside Nexus per project team:

  • docker-group-project
    • docker-hosted-project
    • docker-hub

Based on the host name or port of an incoming request, the reverse proxy decides which Nexus repository URL to forward that request to.

Docker Push Port Mapping Example

docker login project.example.com:8086
docker push project.example.com:8086/<image>:<tag>

The reverse proxy would direct docker push commands received at

https://project.example.com:8086

to

http://localhost:8081/repository/docker-hosted-project

Docker Push Host Mapping Example

docker login project-push.example.com
docker push project-push.example.com/<image>:<tag>

The reverse proxy would direct docker push commands received at

https://project-push.example.com

to

http://localhost:8081/repository/docker-hosted-project

Docker Pull Port Mapping Example

docker login project.example.com:8087
docker pull project.example.com:8087/<image>:<tag>

The reverse proxy would direct docker pull commands received at

https://project.example.com:8087

to

http://localhost:8081/repository/docker-group-project

Docker Pull Host Mapping Example

docker login project.example.com
docker pull project.example.com/<image>:<tag>

The reverse proxy would direct docker pull commands received at

https://project.example.com

to

http://localhost:8081/repository/docker-group-project

Limitations

Nexus does not support using the docker push command against group Docker repositories until something like NEXUS-10471 is implemented. Therefore docker push commands must refer to a URL that is mapped to a hosted docker repository, while docker pull commands should point to a URL that maps to a Docker group repository containing that hosted repository.

A wildcard TLS certificate is needed for the host name mapping scenario, if you intend to have more than one project team specific host name.
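
The host mapping scenario for push and pull, written out as a reverse proxy configuration. This is an added example, not configuration from the original article: it assumes nginx as the reverse proxy running on the same machine as Nexus, and the certificate file paths are placeholders.

```nginx
# Added example: host-based mapping of Docker requests into Nexus.
# Assumptions: nginx is the reverse proxy, Nexus listens on localhost:8081,
# and one wildcard certificate (placeholder paths) covers both host names.

# Pull host: forwards to the group repository (hosted + docker-hub).
server {
    listen 443 ssl;
    server_name project.example.com;

    ssl_certificate     /etc/nginx/tls/wildcard.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/wildcard.example.com.key;  # placeholder

    # Image layers are far larger than nginx's default 1 MB body limit.
    client_max_body_size 0;

    # Docker clients only call the registry API under /v2/, so nothing
    # else in Nexus is reachable through this host name.
    location /v2/ {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells Nexus the client connected over HTTPS, so URLs it
        # returns to the Docker client use the https scheme.
        proxy_set_header X-Forwarded-Proto https;
        # The /v2/ prefix is replaced by the repository path in Nexus.
        proxy_pass http://localhost:8081/repository/docker-group-project/v2/;
    }
}

# Push host: forwards to the hosted repository, because docker push
# against a group repository is not supported (see Limitations).
server {
    listen 443 ssl;
    server_name project-push.example.com;

    ssl_certificate     /etc/nginx/tls/wildcard.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/wildcard.example.com.key;  # placeholder

    client_max_body_size 0;

    location /v2/ {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://localhost:8081/repository/docker-hosted-project/v2/;
    }
}
```

Each additional project team gets its own pair of server blocks pointing at that team's group and hosted repositories.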
