When Nexus Repo is deployed in AKS with Azure's Application Gateway and an unmanaged ingress (NGINX):
Application Gateway ---> ingress ---> Nexus Repo
Functionality that relies on x-forwarded headers, such as SAML SSO, can break because the ingress can set the x-forwarded headers based on its own values rather than using the Gateway's values. For example, the gateway has a URL of https://public.nexus.local and the ingress has a URL of https://internal.nexus.local. Clients use the gateway URL, but the ingress ends up setting the headers to its own host and protocol.
As documented in https://learn.microsoft.com/en-us/azure/application-gateway/how-application-gateway-works#modifications-to-the-request, the Gateway by default sets six headers, including x-forwarded ones:
Application gateway inserts six additional headers to all requests before it forwards the requests to the backend. These headers are x-forwarded-for, x-forwarded-port, x-forwarded-proto, x-original-host, x-original-url, and x-appgw-trace-id. The format for x-forwarded-for header is a comma-separated list of IP:port.
To ensure these headers are preserved and sent to the Nexus Repo backend, set the use-forwarded-headers option to true within the ingress config.
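An added example, not taken from the original article: the ingress-nginx controller ConfigMap with the option enabled. The ConfigMap name and namespace are assumed to be the defaults of a standard ingress-nginx install, and the CIDR is a constructed placeholder for the Application Gateway subnet.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  # Assumed: default ConfigMap name and namespace of a standard
  # ingress-nginx install. Use the ConfigMap your controller is
  # started with (its --configmap argument).
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  # Pass the x-forwarded-* headers received from the Application
  # Gateway on to Nexus Repo instead of replacing them with the
  # ingress's own host, port and protocol.
  use-forwarded-headers: "true"
  # Constructed placeholder: the subnet the Application Gateway sends
  # traffic from. Limits which upstream addresses are trusted when the
  # client IP is derived from x-forwarded-for (default is 0.0.0.0/0).
  proxy-real-ip-cidr: "10.0.1.0/24"
```

Enable this only when every request reaches the ingress through the gateway, because with the option on the ingress forwards whatever x-forwarded values it receives. After applying the ConfigMap, confirm that Nexus Repo generates SAML redirect URLs with the gateway host (https://public.nexus.local in the example above) rather than the ingress host.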