Nginx Reverse Proxy for Nexus Docker Registries

README.md

Overview

This is a solution of a common problem with Nexus Docker repositories. The administrator has to expose port for "pull", another port for "push", other ports for each hosted repository. This solution is about leveraging Nginx reverse proxy to avoid using these ports.

How it works ?

Given :

• Nexus hostname is "nexus.example.com"
• Nexus web port is 8081
• A hosted repository is named "docker-hosted"
• A group repository is named "docker-group"
• Your nginx (with the nginx.conf of this gist) will run for example under cregistry.example.com

The following Nginx configuration file is for a reverse proxy without the need to expose connector ports from nexus :

• docker pull cregistry.example.com/myimage lets Nginx forward the request to "docker-group"
• docker push cregistry.example.com/myimage lets Nginx forward the request to "docker-hosted"

Notes

• If you have more than one hosted repository, create another Nginx reverse proxy for it, then aggregate them using a parent Nginx reverse proxy that forwards the request according to certain criteria (.i.e: Host header).

• All Nexus repositories must have consistent configuration of authentication: Either all require authentication, or all don't.

• If TLS is enabled with Nexus, change proxy_set_header X-Forwarded-Proto "http"; by proxy_set_header X-Forwarded-Proto "https";

docker-compose.yaml

version: "3"

services:
  web:
    image: nginx:1.15
    hostname: cregistry.example.com
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
    ports:
      - "80:80"
  nexus:
    image: sonatype/nexus3
    hostname: nexus.example.com
    volumes:
      - "nexus-data:/nexus-data"
    ports:
      - "8081:8081"
 
volumes:
  nexus-data: {}

nginx.conf

events {
  worker_connections  1024;
}

http {
  
  proxy_send_timeout 120;
  proxy_read_timeout 300;
  proxy_buffering    off;
  keepalive_timeout  5 5;
  tcp_nodelay        on;
  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;


  server {
      listen   *:80;

      location ~ ^/(v1|v2)/[^/]+/?[^/]+/blobs/ {
          if ($request_method ~* (POST|PUT|DELETE|PATCH|HEAD) ) {
              rewrite ^/(.*)$ /repository/docker-hosted/$1 last;
          }
          rewrite ^/(.*)$ /repository/docker-group/$1 last;
      }

      location ~ ^/(v1|v2)/ {
          if ($request_method ~* (POST|PUT|DELETE|PATCH) ) {
              rewrite ^/(.*)$ /repository/docker-hosted/$1 last;
          }
          rewrite ^/(.*)$ /repository/docker-group/$1 last;
      }

      location / {
          proxy_pass http://nexus.example.com:8081/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto "http";
      }
  }
} 

Nginx Reverse Proxy for Nexus Docker Registries

My latest version.

Supported any count your docker repos, all types of docker repos: hosted, group and proxy.

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
events {
  worker_connections  1024;
}
http {

  proxy_send_timeout 120;
  proxy_read_timeout 300;
  proxy_buffering    off;
  keepalive_timeout  5 5;
  tcp_nodelay        on;
  client_max_body_size 0;
  chunked_transfer_encoding on;
  proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=nexus:100m inactive=30d  max_size=2g;

  upstream nexus-node {
    server nexus:8081 max_fails=0;
    keepalive 150;
    keepalive_timeout 60s;
    keepalive_time 1h;
    keepalive_requests 1000;
  }

  server {
    listen  80;

    proxy_http_version 1.1;
    proxy_set_header Connection "";

    location ~ ^/api/(.*) {
      proxy_pass http://nexus-node/$1$is_args$args;
    }

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(.*)/blobs/uploads/$ {
      proxy_pass http://nexus-node/repository/$2/$1/$2/$2/$3/blobs/uploads/$is_args$args;
    }

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(blobs/sha256.*|manifests/.*)$ {
      proxy_pass http://nexus-node/repository/library/$1/library/library/$2/$3$is_args$args;
      error_page 404 500 = @fallback2;
      proxy_intercept_errors on;
      recursive_error_pages on;
      proxy_cache            nexus;
      proxy_cache_valid      500 10d;
      proxy_cache_min_uses   3;
      proxy_cache_valid      404 15m;
      proxy_cache_use_stale  http_500;
    }

    location ~ ^/(v1|v2)/$ {
      proxy_pass http://nexus-node/repository/docker-login/$1/$2$is_args$args;
    }

    location ~ ^/(v1|v2)/(_catalog|search)$ {
      proxy_pass http://nexus-node/repository/docker-group/$1/$2$is_args$args;
    }

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(.*)$ {
      proxy_pass http://nexus-node/repository/$2/$1/$2/$3$is_args$args;
      error_page 400 404 500 = @fallback;
      proxy_intercept_errors on;
      recursive_error_pages on;
      proxy_cache            nexus;
      proxy_cache_valid      400 500 10d;
      proxy_cache_min_uses   3;
      proxy_cache_valid      404 15m;
      proxy_cache_use_stale  http_500;
    }

    location @fallback {
      proxy_pass http://nexus-node/repository/$2/$1/$3$is_args$args;
      error_page 404 500 = @fallback2;
      proxy_intercept_errors on;
      recursive_error_pages on;
      proxy_cache            nexus;
      proxy_cache_valid      500 10d;
      proxy_cache_min_uses   3;
      proxy_cache_valid      404 15m;
      proxy_cache_use_stale  http_500;
    }

    location @fallback2 {
      proxy_pass http://nexus-node/repository/docker-group/$1/$2$is_args$args;
    }

    location / {
      proxy_pass http://nexus-node/;
    }
  }
}

Search images from CLI work in docker repo docker-group (create required), if add in group repo all your docker hosted repos and grant read privileges for some your role linked to your user, this user can search images from CLI in nexus.

For correct registry API version check and check authorization require docker repository docker-login (create required), recommends type group and contain docker proxy for hub.docker.com.

For all users, which need grant access to docker repositories, require grant role with permission nx-repository-view-docker-docker-login-read.

After successful login, work with internal docker repositories manage by nexus permissions.
For example: if your don't grant permission to docker repo super-secret-docker-hosted-repo, you can authorization, but can't pull or push images from super-secret-docker-hosted-repo docker repo.

docker pull nexus.example.org/super-secret-docker-hosted-repo/image:latest
Permission denied

Nexus API URI changed from /v1/ to /api/v1/.

UPD: Add feature like in hub.docker.com. For pull image from nexus hosted docker repository without set docker repository name.
Create required docker hosted repository library.
Feature in next block:

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(blobs/sha256.*|manifests/.*)$ {
      proxy_pass http://nexus-node/repository/library/$1/library/library/$2/$3$is_args$args;
      error_page 404 500 = @fallback2;
      proxy_intercept_errors on;
      recursive_error_pages on;
      proxy_cache            nexus;
      proxy_cache_valid      500 10d;
      proxy_cache_min_uses   3;
      proxy_cache_valid      404 15m;
      proxy_cache_use_stale  http_500;
    }

Example: docker pull nexus.example.org/image:latest

If image not found fallback search in docker-group.

UPD2: Fix min uses for negative cache.

@raducanuoctavian FYI ^

@AlexGluck Thank you for the full explanation, it really helped me understand what everything does and how nexus as a docker repository works. As I was saying previously, we got it to work, I guess the

location ~ ^/(v1|v2)/(_catalog|search)$ {
      proxy_pass http://nexus-node:8081/repository/docker-group/$1/$2$is_args$args;
  }

part of configuration makes
docker search
command available?
Thank you so much Alex, very helpful.

@raducanuoctavian yep, this for docker search command:

  location ~ ^/(v1|v2)/(_catalog|search)$ {
      proxy_pass http://nexus-node:8081/repository/docker-group/$1/$2$is_args$args;
  }

@raducanuoctavian
UPD: Add feature like in hub.docker.com. For pull image from nexus hosted docker repository without set docker repository name.
Create required docker hosted repository library.
Feature in next block:

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(blobs/sha256.*|manifests/.*)$ {
      proxy_pass http://nexus-node/repository/library/$1/library/library/$2/$3$is_args$args;
      error_page 404 500 = @fallback2;
      proxy_intercept_errors on;
      recursive_error_pages on;
      proxy_cache            nexus;
      proxy_cache_valid      500 10d;
      proxy_cache_valid      404 10m;
      proxy_cache_use_stale  http_500;
    }

Example: docker pull nexus.example.org/image:latest

If image not found fallback search in docker-group.

I don't like the "main" folder with the same name as the docker repo name (like in the screen below):

This is my version to prevent this "main" folder:

...
...

map $upstream_http_location $upstream_docker_version {
    "~^(http(s)?:/)?(/[-_:0-9a-z\.]+)?/(?<version>v1|v2)/([-_0-9a-z\.]+)/(.*)$" $version;
}
map $upstream_http_location $upstream_docker_repo_name {
    "~^(http(s)?:/)?(/[-_:0-9a-z\.]+)?/(v1|v2)/(?<repo_name>[-_0-9a-z\.]+)/(.*)$" $repo_name;
}
map $upstream_http_location $upstream_docker_rest_uri {
    "~^(http(s)?:/)?(/[-_:0-9a-z\.]+)?/(v1|v2)/([-_0-9a-z\.]+)/(?<rest_uri>.*)$" $rest_uri;
}

map $uri $docker_repo_name_in {
    "~^/(v1|v2)/(?<repo_name>[-_0-9a-z\.]+)/(.*)$" $repo_name;
}

map $upstream_docker_repo_name:$docker_repo_name_in $response_header_location {
    "~^(.*):\1$" $upstream_http_location;
    default /$upstream_docker_version/$docker_repo_name_in/$upstream_docker_repo_name/$upstream_docker_rest_uri;
}

upstream nexus-node {
    server localhost:8081 max_fails=0;
    keepalive 150;
    keepalive_timeout 60s;
    keepalive_requests 1000;
}

server {
    listen 80;

    ...
    ...

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(.*)/(blobs/sha256.*|manifests/.*)$ {
        proxy_pass http://nexus-node/repository/$2/$1/$3/$4$is_args$args;
        proxy_hide_header Location;
        add_header Location $response_header_location always;
    }

    location ~ ^/(v1|v2)/([-_0-9a-z]+)/(.*) {
        proxy_pass http://nexus-node/repository/$2/$1/$3$is_args$args;
        proxy_hide_header Location;
        add_header Location $response_header_location always;
    }

    location ~ ^/(v1|v2)/?$ {
        proxy_pass http://nexus-node/repository/docker-login/$1/$2$is_args$args;
    }

    ...
    ...
}

...
...

@Wadzio This awesome, thanks ! 👍

@Wadzio great! would you like to paste complete nginx config?

@pubyun

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
events {
  worker_connections  1024;
}
http {

  proxy_send_timeout 120;
  proxy_read_timeout 300;
  proxy_buffering    off;
  keepalive_timeout  5 5;
  tcp_nodelay        on;
  client_max_body_size 0;
  chunked_transfer_encoding on;
  proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=nexus:100m inactive=30d  max_size=2g;

  upstream nexus-node {
    server nexus:8081 max_fails=0;
    keepalive 150;
    keepalive_timeout 60s;
    keepalive_time 1h;
    keepalive_requests 1000;
  }

map $upstream_http_location $upstream_docker_version {
    "~^(http(s)?:/)?(/[-_:0-9a-z\.]+)?/(?<version>v1|v2)/([-_0-9a-z\.]+)/(.*)$" $version;
}
map $upstream_http_location $upstream_docker_repo_name {
    "~^(http(s)?:/)?(/[-_:0-9a-z\.]+)?/(v1|v2)/(?<repo_name>[-_0-9a-z\.]+)/(.*)$" $repo_name;
}
map $upstream_http_location $upstream_docker_rest_uri {
    "~^(http(s)?:/)?(/[-_:0-9a-z\.]+)?/(v1|v2)/([-_0-9a-z\.]+)/(?<rest_uri>.*)$" $rest_uri;
}

map $uri $docker_repo_name_in {
    "~^/(v1|v2)/(?<repo_name>[-_0-9a-z\.]+)/(.*)$" $repo_name;
}

map $upstream_docker_repo_name:$docker_repo_name_in $response_header_location {
    "~^(.*):\1$" $upstream_http_location;
    default /$upstream_docker_version/$docker_repo_name_in/$upstream_docker_repo_name/$upstream_docker_rest_uri;
}

  server {
    listen  80;

    proxy_http_version 1.1;
    proxy_set_header Connection "";

    location ~ ^/api/(.*) {
      proxy_pass http://nexus-node/$1$is_args$args;
    }

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(.*)/blobs/uploads/$ {
      proxy_pass http://nexus-node/repository/$2/$1/$2/$2/$3/blobs/uploads/$is_args$args;
    }

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(blobs/sha256.*|manifests/.*)$ {
      proxy_pass http://nexus-node/repository/library/$1/library/library/$2/$3$is_args$args;
      proxy_hide_header Location;
      add_header Location $response_header_location always;
      error_page 404 500 = @fallback2;
      proxy_intercept_errors on;
      recursive_error_pages on;
      proxy_cache            nexus;
      proxy_cache_valid      500 10d;
      proxy_cache_min_uses   3;
      proxy_cache_valid      404 15m;
      proxy_cache_use_stale  http_500;
    }

    location ~ ^/(v1|v2)/?$ {
      proxy_pass http://nexus-node/repository/docker-login/$1/$2$is_args$args;
    }

    location ~ ^/(v1|v2)/(_catalog|search)$ {
      proxy_pass http://nexus-node/repository/docker-group/$1/$2$is_args$args;
    }

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(.*)$ {
      proxy_pass http://nexus-node/repository/$2/$1/$3$is_args$args;
      proxy_hide_header Location;
      add_header Location $response_header_location always;
      error_page 400 404 500 = @fallback;
      proxy_intercept_errors on;
      recursive_error_pages on;
      proxy_cache            nexus;
      proxy_cache_valid      400 500 10d;
      proxy_cache_min_uses   3;
      proxy_cache_valid      404 15m;
      proxy_cache_use_stale  http_500;
    }

    location @fallback {
      proxy_pass http://nexus-node/repository/$2/$1/$3$is_args$args;
      error_page 404 500 = @fallback2;
      proxy_intercept_errors on;
      recursive_error_pages on;
      proxy_cache            nexus;
      proxy_cache_valid      500 10d;
      proxy_cache_min_uses   3;
      proxy_cache_valid      404 15m;
      proxy_cache_use_stale  http_500;
    }

    location @fallback2 {
      proxy_pass http://nexus-node/repository/docker-group/$1/$2$is_args$args;
    }

    location / {
      proxy_pass http://nexus-node/;
    }
  }
}

@AlexGluck thanks.

docker push docker.example.com/repo1/ubuntu <<<
denied: Deploying to groups is a PRO-licensed feature. See https://links.sonatype.com/product-nexus-repository

@pubyun Please read my comment, you need create required repos.

@AlexGluck, @Wadzio thank you for your work. I released patch for Nexus OSS with authorization via SSO and tokens https://github.com/a-langer/nexus-sso, which includes these fixes for Docker registries.

https://issues.sonatype.org/plugins/servlet/mobile#issue/NEXUS-28247 look like old bug.

@AlexGluck I think I found the reason of the unknown blob

If, You:

• group repo using both hosted and proxy
• proxy contains some layer, Lets say layer:aaaaaaa
• then build your image FROM image:xxxx(contains layer:aaaaaaa)
• push your image

org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: PUT /v2/xxxxxxxx/manifests/xxxxxxxx: 400 - org.sonatype.nexus.repository.docker.internal.V2Exception: Invalid Manifest
org.sonatype.nexus.repository.docker.internal.orient.V2ManifestUtilImpl - Manifest refers to missing layer: sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfor: /v2/xxxxxxxx/manifests/xxxxxxxx in repository RepositoryImpl$$EnhancerByGuice$$xxxxxxxxxxxxxx{type=hosted, format=docker, name='docker-hosted'}

Because pushed layers contains layer:aaaaaaa, But when push layers nginx will route HEAD to group, Response tell docker-client layer:aaaa exist but actualy not exist in hosted, Then at last step PUT manifest, There must be some parse steps, Nexus can't find layer:aaaa in hosted repo, Then throw an error.

If remove all proxy repo from group, Push will success.

I think its need some application layer proxy, For example: capture POST ^/(v1|v2)/(.*?)/blobs/uploads/$ then parse it. Use the parsed date to redirect next HEAD ^/(v1|v2)/(.*?)/blobs/uploads/.*?$ to hosted. But it can't be done: docker client will send HEAD request directly, There is no prerequest.

So, I think its a countermeasures for avoid this hack behiver.

@Alceatraz For workaround this unwanted behavior i added this error_page 400 404 500 = @fallback;

@Alceatraz For workaround this unwanted behavior i added this error_page 400 404 500 = @fallback;

Wired, This config not working for me. docker will show raw html content to stdout

@Alceatraz i tested many clients and docker include, may be you do something wrong?

@Alceatraz i tested many clients and docker include, may be you do something wrong?

root@debian:/opt/nexus# cat /etc/nginx/nginx.conf 
user www-data;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
events {
  worker_connections  1024;
}
http {

  proxy_send_timeout 120;
  proxy_read_timeout 300;
  proxy_buffering    off;
  tcp_nodelay        on;
  client_max_body_size 0;
  chunked_transfer_encoding on;
  proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=nexus:100m inactive=30d  max_size=2g;

  upstream nexus-node {
    server 127.0.0.1:8081 max_fails=0;
    keepalive 150;
    keepalive_timeout 60s;
    keepalive_requests 1000;
  }

map $upstream_http_location $upstream_docker_version {
    "~^(http(s)?:/)?(/[-_:0-9a-z\.]+)?/(?<version>v1|v2)/([-_0-9a-z\.]+)/(.*)$" $version;
}
map $upstream_http_location $upstream_docker_repo_name {
    "~^(http(s)?:/)?(/[-_:0-9a-z\.]+)?/(v1|v2)/(?<repo_name>[-_0-9a-z\.]+)/(.*)$" $repo_name;
}
map $upstream_http_location $upstream_docker_rest_uri {
    "~^(http(s)?:/)?(/[-_:0-9a-z\.]+)?/(v1|v2)/([-_0-9a-z\.]+)/(?<rest_uri>.*)$" $rest_uri;
}

map $uri $docker_repo_name_in {
    "~^/(v1|v2)/(?<repo_name>[-_0-9a-z\.]+)/(.*)$" $repo_name;
}

map $upstream_docker_repo_name:$docker_repo_name_in $response_header_location {
    "~^(.*):\1$" $upstream_http_location;
    default /$upstream_docker_version/$docker_repo_name_in/$upstream_docker_repo_name/$upstream_docker_rest_uri;
}

  server {
    listen  80;

    proxy_http_version 1.1;
    proxy_set_header Connection "";

    location ~ ^/api/(.*) {
      proxy_pass http://nexus-node/$1$is_args$args;
    }

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(.*)/blobs/uploads/$ {
      proxy_pass http://nexus-node/repository/$2/$1/$2/$2/$3/blobs/uploads/$is_args$args;
    }

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(blobs/sha256.*|manifests/.*)$ {
      proxy_pass http://nexus-node/repository/library/$1/library/library/$2/$3$is_args$args;
      proxy_hide_header Location;
      add_header Location $response_header_location always;
      error_page 404 500 = @fallback2;
      proxy_intercept_errors on;
      recursive_error_pages on;
      proxy_cache            nexus;
      proxy_cache_valid      500 10d;
      proxy_cache_min_uses   3;
      proxy_cache_valid      404 15m;
      proxy_cache_use_stale  http_500;
    }

    location ~ ^/(v1|v2)/?$ {
      proxy_pass http://nexus-node/repository/docker-login/$1/$2$is_args$args;
    }

    location ~ ^/(v1|v2)/(_catalog|search)$ {
      proxy_pass http://nexus-node/repository/docker-group/$1/$2$is_args$args;
    }

    location ~ ^/(v1|v2)/([-_0-9a-z\.]+)/(.*)$ {
      proxy_pass http://nexus-node/repository/$2/$1/$3$is_args$args;
      proxy_hide_header Location;
      add_header Location $response_header_location always;
      error_page 400 404 500 = @fallback;
      proxy_intercept_errors on;
      recursive_error_pages on;
      proxy_cache            nexus;
      proxy_cache_valid      400 500 10d;
      proxy_cache_min_uses   3;
      proxy_cache_valid      404 15m;
      proxy_cache_use_stale  http_500;
    }

    location @fallback {
      proxy_pass http://nexus-node/repository/$2/$1/$3$is_args$args;
      error_page 404 500 = @fallback2;
      proxy_intercept_errors on;
      recursive_error_pages on;
      proxy_cache            nexus;
      proxy_cache_valid      500 10d;
      proxy_cache_min_uses   3;
      proxy_cache_valid      404 15m;
      proxy_cache_use_stale  http_500;
    }

    location @fallback2 {
      proxy_pass http://nexus-node/repository/docker-group/$1/$2$is_args$args;
    }

    location / {
      proxy_pass http://nexus-node/;
    }
  }
}

root@debian:/opt/nexus# docker pull 127.0.0.1/library/alpine
Using default tag: latest
Error response from daemon: error parsing HTTP 404 response body: invalid character '<' looking for beginning of value: "\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <title>404 - Nexus Repository Manager</title>\n  <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"/>\n\n\n  <!--[if lt IE 9]>\n  <script>(new Image).src=\"../../../favicon.ico?3.43.0-01\"</script>\n  <![endif]-->\n  <link rel=\"icon\" type=\"image/png\" href=\"../../../favicon-32x32.png?3.43.0-01\" sizes=\"32x32\">\n  <link rel=\"mask-icon\" href=\"../../../safari-pinned-tab.svg?3.43.0-01\" color=\"#5bbad5\">\n  <link rel=\"icon\" type=\"image/png\" href=\"../../../favicon-16x16.png?3.43.0-01\" sizes=\"16x16\">\n  <link rel=\"shortcut icon\" href=\"../../../favicon.ico?3.43.0-01\">\n  <meta name=\"msapplication-TileImage\" content=\"../../../mstile-144x144.png?3.43.0-01\">\n  <meta name=\"msapplication-TileColor\" content=\"#00a300\">\n\n  <link rel=\"stylesheet\" type=\"text/css\" href=\"../../../static/css/nexus-content.css?3.43.0-01\"/>\n</head>\n<body>\n<div class=\"nexus-header\">\n  <a href=\"../../..\">\n    <div class=\"product-logo\">\n      <img src=\"../../../static/rapture/resources/icons/x32/nexus-white.png?3.43.0-01\" alt=\"Product logo\"/>\n    </div>\n    <div class=\"product-id\">\n      <div class=\"product-id__line-1\">\n        <span class=\"product-name\">Nexus Repository Manager</span>\n      </div>\n      <div class=\"product-id__line-2\">\n        <span class=\"product-spec\">OSS 3.43.0-01</span>\n      </div>\n    </div>\n  </a>\n</div>\n\n<div class=\"nexus-body\">\n  <div class=\"content-header\">\n    <img src=\"../../../static/rapture/resources/icons/x32/exclamation.png?3.43.0-01\" alt=\"Exclamation point\" aria-role=\"presentation\"/>\n    <span class=\"title\">Error 404</span>\n    <span class=\"description\">Not Found</span>\n  </div>\n  <div class=\"content-body\">\n    <div class=\"content-section\">\n      Not Found\n    </div>\n  </div>\n</div>\n</body>\n</html>\n\n"

{

	"insecure-registry":[
		"127.0.0.1",
		"127.0.0.1:5000",
		"127.0.0.1:8081"

	]
}

@Alceatraz in your logs i see you don't have container image and screenshot shows nexus docker repo library not created. Everything work correctly.

@AlexGluck I thought "proxy_buffering off" is incompatible with nginx caching as per
https://trac.nginx.org/nginx/ticket/2048
Or am I mistaken? Or this requires a specific nginx version to work?

@phonographLP Perhaps this is a legacy piece, I will try to test the behavior of the cache.

Is this Nginx configuration still valid? I am running Nexus OSS 3.47.1-01 and I have added the groups as required but I always get a 404 when doing docker login.

@simao-silva i don't see repo docker-login.

For correct registry API version check and check authorization require docker repository docker-login (create required), recommends type group and contain docker proxy for hub.docker.com.

After reading this I am still confused. What type of repository should docker-login be ?

@simao-silva type group.

Is this Nginx configuration still valid? I am running Nexus OSS 3.47.1-01 and I have added the groups as required but I always get a 404 when doing docker login.

I'm using debian, Seems like new version docker-client will request another URL, For me I just give up use nginx for that bypass. I just wrote a server proxy for nexus OSS. All source uploaded.

@Alceatraz In my version of the rules docker_location.conf, everything still works, at least on "docker/23.0.3".

@Alceatraz In my version of the rules docker_location.conf, everything still works, at least on "docker/23.0.3".

Have you tested the containerd client? I used this configuration, but cannot fetch images from the proxy repository.

Tell me, how did you test the containerd client? I always thought containerd was part of Docker, at least it works under the hood for me:

~$ systemctl status containerd
● containerd.service - containerd container runtime
     Loaded: loaded (/lib/systemd/system/containerd.service; enabled; vendor prese>
...

However, I tested fetch image through the "ctr" utility, and it works for me:

$ sudo ctr image pull -u "LOGIN:PASSWORD" nexus_host/myrepo/alpine:latest
nexus_host/myrepo/alpine:latest:                                                  resolved       |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:1304f174557314a7ed9ebbd6eab12fed11cb0cd9809e4c27f29af86979a3b870: done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:213ec9aee27d8be045c6a82b7eac22c9a64b44558183764a1a7f626352392a49:    done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:9c6f0724472873bb40a2ae67a9a8adcb57673a193rty8b06eb778cda855171b5:   done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 1.0 s                                                                    total:  2.0 Mi (2.0 MiB/s)                                       
unpacking linux/amd64 sha256:1304f174557314a7ed9ebbd6eab12fed11cb0cd9809e4c27f29af86979a3b870...
done: 117.010985ms

First, I would test if this configuration works for you through the Docker client to make sure the access system is set up correctly, and only then through "ctr".

Here's the configuration for my repository:

aiminjie type:hosted,privite repository
docker-root type:hosted,
docker-proxy-docker-ip:proxy for docker.io.

I hope to automatically download docker.io repository images through the group repository, so that I can easily download docker.io images. Similarly, I may add many other public repositories' images. By aggregating them and using my domain name, I can download images from multiple websites. However, when I use the command "crictl pull swr1.aiminjie.com/nginx", an error occurs:

E0510 13:59:48.844167 252623 remote_image.go:242] "PullImage from image service failed" err="rpc error: code = NotFound desc = failed to pull and unpack image "swr1.lan.aiminjie.com/nginx:latest": failed to resolve reference "swr1.lan.aiminjie.com/nginx:latest": swr1.lan.aiminjie.com/nginx:latest: not found" image="swr1.lan.aiminjie.com/nginx" FATA[0000] pulling image: rpc error: code = NotFound desc = failed to pull and unpack image "swr1.lan.aiminjie.com/nginx:latest": failed to resolve reference "swr1.lan.aiminjie.com/nginx:latest": swr1.lan.aiminjie.com/nginx:latest: not found.

Obviously, it did not try to get the image through the proxy. This problem has bothered me for a long time. The aggregation and fetching function of nexus3 is really great, but now I don't know how to use it, which is regrettable!

To get started, use docker and try to pull the image directly from the repository "docker-proxy-docker-io":

docker pull swr1.lan.aiminjie.com/docker-proxy-docker-io/nginx:latest 

Then try to pull from the group repository, note that you need to specify "docker-group" in the image name:

docker pull swr1.lan.aiminjie.com/docker-group/nginx:latest 

If you want to pull images from the Nexus root without specifying a repository name, then you need to use the group repository "docker-root" (add your proxy repository to it) , then you can do the following:

docker pull swr1.lan.aiminjie.com/nginx:latest 

See paragraph "Docker Repository Reverse Proxy" in README.md.