nexus3配置https支持


生成证书

  • 执行脚本生成keystore.jks

NEXUS_DOMAIN、NEXUS_IP_ADDRESS、PASSWD 根据实际情况修改。PASSWD 是 keystore 的口令，后面 jetty-https.xml 中填写的密码必须与之一致；示例中的 admin123 仅用于演示，不要在对外可达的环境中沿用。

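#!/bin/bash
# Generate a self-signed server certificate for Nexus into keystore.jks.
#
# NEXUS_DOMAIN / NEXUS_IP_ADDRESS / PASSWD can be overridden from the
# environment; the values below are only the example defaults. PASSWD must be
# the same value that is later written into jetty-https.xml
# (KeyStorePassword / KeyManagerPassword), otherwise Jetty cannot open the store.
set -euo pipefail

NEXUS_DOMAIN="${NEXUS_DOMAIN:-nexus.xxx.com}"
NEXUS_IP_ADDRESS="${NEXUS_IP_ADDRESS:-192.168.11.101}"
# Keystore and key password. The built-in default exists only so the example
# still runs unchanged; anything reachable by other people needs its own value.
PASSWD="${PASSWD:-admin123}"
if [ "${PASSWD}" = "admin123" ]; then
  echo "WARNING: using the example keystore password; export PASSWD=... before running this for a real install" >&2
fi

# Browsers, Docker and Java clients verify the host name against the SAN
# extension and ignore the CN, so the DNS name has to be listed in the SAN
# alongside the IP address (the original only had the IP there, which makes
# https://${NEXUS_DOMAIN} fail hostname verification).
#
# -validity 5000 days is roughly 13.7 years; shorten it for a production CA.
# BC=ca:true marks this self-signed certificate as a CA, which means the same
# private key could sign further certificates that clients trusting keystore.cer
# would accept, so keep keystore.jks readable only by the account that needs it.
keytool -genkeypair \
  -keystore keystore.jks \
  -storepass "${PASSWD}" \
  -keypass "${PASSWD}" \
  -alias nexus \
  -keyalg RSA \
  -keysize 2048 \
  -validity 5000 \
  -dname "CN=${NEXUS_DOMAIN}, OU=Nexus, O=Nexus, L=Beijing, ST=Beijing, C=CN" \
  -ext "SAN=DNS:${NEXUS_DOMAIN},IP:${NEXUS_IP_ADDRESS}" \
  -ext "BC=ca:true"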
  • 指定文件,生成keystore.cer文件

password 根据实际情况修改：必须与上一步生成 keystore.jks 时使用的 PASSWD（示例中为 admin123）一致，否则 keytool 无法打开 keystore，导出会失败。

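# Export the public certificate (DER encoded) so clients can add it to their
# trust store. -storepass must be the password keystore.jks was generated with;
# the original used the placeholder "password" here, which does not match the
# admin123 used by the generation script, so the variable is reused instead.
keytool -export -alias nexus -keystore keystore.jks -file keystore.cer -storepass "${PASSWD:-admin123}"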

修改文件

  • 证书拷贝

将证书拷贝至nexus的指定目录: /opt/sonatype/nexus/etc/ssl

docker cp ./keystore.jks nexus3:/opt/sonatype/nexus/etc/ssl/
docker cp ./keystore.cer nexus3:/opt/sonatype/nexus/etc/ssl/
  • 修改nexus-default.properties配置文件
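# Jetty section
application-port=8081
application-port-ssl=8443
# 0.0.0.0 binds every interface, and the plain-HTTP listener on 8081 stays
# active next to 8443; restrict 8081 (firewall or compose port mapping) if the
# service should only be reachable over HTTPS.
application-host=0.0.0.0
# jetty-https.xml is appended to the default list; it reads
# ${ssl.etc}/keystore.jks and listens on application-port-ssl.
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
nexus-context-path=/${NEXUS_CONTEXT}

# Nexus section
nexus-edition=nexus-pro-edition
nexus-features=\
 nexus-pro-feature
# The last two keys had been merged onto one line in the original listing,
# which would have produced a single bogus key "nexus.clustered" with the
# value "falsenexus.hazelcast.discovery.isEnabled=true".
nexus.clustered=false
nexus.hazelcast.discovery.isEnabled=true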
  • 修改jetty-https.xml配置文件

将文件中的 keystore 密码改为生成证书时使用的密码（PASSWD）。文件路径: /opt/sonatype/nexus/etc/jetty/jetty-https.xml，修改后如下:

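<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<!--
  HTTPS connector for Nexus; loaded because nexus-args in
  nexus-default.properties lists this file. It reads ${ssl.etc}/keystore.jks
  and listens on application-port-ssl.

  The keystore and key passwords below are stored in clear text and must be the
  PASSWD the keytool script was run with. Keep this file readable only by the
  nexus user. Jetty's SslContextFactory also accepts OBF:-prefixed values made
  with org.eclipse.jetty.util.security.Password; that is obfuscation, not
  encryption, and should be verified against the Jetty version bundled with
  this Nexus release before relying on it.

  The stray zero-width-space characters that were present between elements in
  the original listing have been removed.
-->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!--
  ==== HTTPS ====
  Set the following inside nexus.properties:
  application-port-ssl: the port to listen for https connections
  -->

  <Ref refid="httpConfig">
    <Set name="secureScheme">https</Set>
    <Set name="securePort"><Property name="application-port-ssl" /></Set>
  </Ref>

  <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New id="secureRequestCustomizer" class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <!-- 7776000 seconds = 90 days -->
          <!-- NOTE(review): a non-negative stsMaxAge makes Jetty send a
               Strict-Transport-Security header on HTTPS responses. HSTS is
               keyed by host name, not port, so once a browser trusts
               keystore.cer it will rewrite http://HOST:8081 to
               https://HOST:8081, which this setup does not serve. Set
               jetty.https.stsMaxAge=-1 if plain HTTP on 8081 must remain
               usable from browsers that also visit 8443. -->
          <Set name="stsMaxAge"><Property name="jetty.https.stsMaxAge" default="7776000"/></Set>
          <Set name="stsIncludeSubDomains"><Property name="jetty.https.stsIncludeSubDomains" default="false"/></Set>
          <!-- Left at false (the Nexus default): with true, Jetty rejects
               requests whose Host header does not match the SNI name, which
               would affect the access-by-IP case this guide supports. -->
          <Set name="sniHostCheck"><Property name="jetty.https.sniHostCheck" default="false"/></Set>
        </New>
      </Arg>
    </Call>
  </New>

  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
    <!-- Same value as PASSWD in the keytool script; clear text, see the header comment. -->
    <Set name="KeyStorePassword">admin123</Set>
    <Set name="KeyManagerPassword">admin123</Set>
    <!-- The trust store is only consulted to verify client certificates; with
         NeedClientAuth and WantClientAuth both false below it is effectively
         unused, so pointing it at the same keystore is harmless. -->
    <Set name="TrustStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
    <Set name="TrustStorePassword">admin123</Set>
    <!-- Empty on purpose: endpoint identification is a client-side check and
         does not apply to a server-side context. -->
    <Set name="EndpointIdentificationAlgorithm"></Set>
    <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
    <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
    <!-- Only the listed protocols are offered, so TLS 1.0/1.1 stay disabled.
         Add an Item for TLSv1.3 once the JVM shipped in the image is confirmed
         to support it. -->
    <Set name="IncludeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1.2</Item>
      </Array>
    </Set>
  </New>

  <Call  name="addConnector">
    <Arg>
      <New id="httpsConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property name="jetty.https.acceptors" default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property name="jetty.https.selectors" default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.sonatype.nexus.bootstrap.jetty.InstrumentedConnectionFactory">
                <Arg>
                  <!-- TLS is terminated here and the decrypted stream is handed to the
                       http/1.1 connection factory below. -->
                  <New class="org.eclipse.jetty.server.SslConnectionFactory">
                    <Arg name="next">http/1.1</Arg>
                    <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
                  </New>
                </Arg>
              </New>
            </Item>
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpsConfig" /></Arg>
              </New>
            </Item>
          </Array>
        </Arg>

        <!-- Same bind address as the HTTP connector (application-host), HTTPS port from application-port-ssl. -->
        <Set name="host"><Property name="application-host" /></Set>
        <Set name="port"><Property name="application-port-ssl" /></Set>
        <Set name="idleTimeout"><Property name="jetty.https.timeout" default="30000"/></Set>
        <Set name="acceptorPriorityDelta"><Property name="jetty.https.acceptorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property name="jetty.https.acceptQueueSize" default="0"/></Set>
      </New>
    </Arg>
  </Call>
</Configure>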

重启nexus

# Restart the container so Nexus re-reads nexus-default.properties and
# jetty-https.xml; both are only evaluated at startup.
docker container restart nexus3
  • docker-compose
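version: '3'
services:
  nexus3:
    image: sonatype/nexus3:3.36.0
    restart: always
    container_name: nexus3
    # "privileged: true" was removed: Nexus needs no extra capabilities, and a
    # privileged container gives an attacker who compromises the service a
    # direct path to the host. If it had only been added to get around
    # "permission denied" on ./nexus-data, fix the ownership of that directory
    # for the container's nexus user instead (per the image's documentation it
    # runs as UID 200; confirm with `docker run --rm sonatype/nexus3:3.36.0 id`).
    #
    # The container hostname is unrelated to TLS: clients must connect with a
    # name that appears in the certificate's SAN (NEXUS_DOMAIN in the keytool
    # script, nexus.xxx.com in the example), which differs from the value here.
    hostname: 'nexus3.xxx.com'
    ports:
      # 8081 is plain HTTP and stays published next to 8443. Bind it to the
      # loopback interface ('127.0.0.1:8081:8081') or drop it if only HTTPS
      # should be reachable from outside the host.
      - '8081:8081'
      - '8443:8443'
      # Docker repository connector ports. 9200 (http) and 9201 (https) are the
      # ones used in the access section below; 9101-9103 are presumably further
      # repository connectors configured inside Nexus.
      - '9102:9102'
      - '9101:9101'
      - '9103:9103'
      - '9200:9200'
      - '9201:9201'
    volumes:
      - './nexus-data:/nexus-data'
      # Certificate material and the overridden configuration are mounted
      # read-only so a compromised container cannot alter them. Keep the
      # host-side ./httpssupport directory readable only by the deploying user:
      # keystore.jks holds the private key and jetty-https.xml its password.
      - './httpssupport/keystore.jks:/opt/sonatype/nexus/etc/ssl/keystore.jks:ro'
      - './httpssupport/keystore.cer:/opt/sonatype/nexus/etc/ssl/keystore.cer:ro'
      - './httpssupport/nexus-default.properties:/opt/sonatype/nexus/etc/nexus-default.properties:ro'
      - './httpssupport/jetty-https.xml:/opt/sonatype/nexus/etc/jetty/jetty-https.xml:ro'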

访问

  • http访问(端口8081) image-20211123005935511.png
  • https访问(端口8443) image-20211123005859402.png
  • docker端口访问(http,端口9200) image-20211123010113036.png
  • docker端口访问(https,端口9201) image-20211123010102587.png