Repository Management with Nexus

C.3. Configuring Nexus to Serve SSL

If you need to serve repository content using SSL, you can always proxy Nexus with a server like Apache httpd. Apache httpd can easily be configured to serve SSL content using mod_ssl, and there is a large amount of reference material available for configuring httpd to serve secure content. Jetty can also be configured to serve SSL content directly, and if you would like to avoid the extra work of putting a web server like Apache httpd in front of Nexus, this section shows you how to do that. To configure Nexus to serve SSL directly to clients, you'll need to perform the following steps.

Note

All examples given here can be found in Nexus Subversion, or in the Nexus distribution under ${NEXUS_HOME}/conf/examples. Before you customize your Nexus configuration to serve SSL, keep in mind the following:

  • Customizations in this Appendix assume that you are running Nexus 1.9.1.1.

  • Any custom Jetty configuration must be contained in the ${NEXUS_HOME}/conf/jetty.xml file, or else in the location referenced by the jetty.xml property in ${NEXUS_HOME}/conf/plexus.properties (in case you've customized this location).

  • While the instructions below will work with Nexus Open Source, these instructions assume the filesystem of Nexus Professional. If you are missing Jetty JAR files, you should obtain them from the Jetty project page: http://www.mortbay.org/jetty/.

C.3.1. Configure the Java Keystore

Follow the instructions in How to configure SSL on the Jetty Wiki to set up the appropriate keys and certificates in a form that Jetty can use. Pay particular attention to steps 1-3, and to the section at the bottom called Password Issues.

The jetty-util jar and the main Jetty jar can be found in ${NEXUS_HOME}/runtime/apps/lib/nexus; adjust the version numbers in the jar names below to match the jars actually shipped with your distribution. The command line used to import an OpenSSL key+cert in PKCS12 format into a Java keystore is:

$ java -classpath jetty-util-6.1.12.jar:jetty-6.1.12.jar \
    org.mortbay.jetty.security.PKCS12Import <pkcs12-file> <keystore> 

The command line used to generate an obfuscated form of a password is shown below. The tool echoes the password first and then prints two encodings of it. Because the password is passed as a command-line argument, it ends up in your shell history and is visible to other users via ps while the command runs, so keep this in mind on a shared machine:

$ java -classpath jetty-util-6.1.12.jar:jetty-6.1.12.jar \
    org.mortbay.jetty.security.Password <your-password>
<your-password>
OBF:1t2x1toq1to41t39
MD5:6f1ed002ab5595859014ebf0951522d9 

The OBF line in the previous output is the one you will use in jetty.xml. Note that OBF is a reversible encoding, not a hash: it only stops the password from being read at a glance, and anyone who can read jetty.xml can recover the original value, so restrict read access to that file. The MD5 line cannot be used for the settings below, because Jetty needs the actual password to open the keystore. The SSL connector takes three passwords, so run the previous command once for each distinct password:

  • The Key Password

  • The Trust Store Password

  • The Key Store Password

In the next section, the key store and trust store are the same file, with the same password, so a single OBF value is used for all three settings.

C.3.2. Configure Nexus/Jetty to Use the New Keystore

Note

A jetty.xml with the modifications in this section can be found in ${NEXUS_HOME}/conf/examples/jetty-ssl.xml, inside your Nexus distribution.

Modify jetty.xml (the file identified in the note at the start of this appendix) to replace this:

<Call name="addConnector">
    <Arg>
        <New class="org.mortbay.jetty.nio.SelectChannelConnector">
          <Set name="host">${application-host}</Set>
          <Set name="port">${application-port}</Set>
        </New>
    </Arg>
</Call>

with this:

<Call name="addConnector">
    <Arg>
        <New class="org.mortbay.jetty.security.SslSelectChannelConnector">
            <Set name="host">${application-host}</Set>
            <Set name="port">${application-port}</Set>
            <Set name="maxIdleTime">30000</Set>
            <Set name="keystore">/etc/ssl/keystore</Set>
            <Set name="truststore">/etc/ssl/keystore</Set>
            <Set name="password">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
            <Set name="keyPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
            <Set name="trustPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
        </New>
    </Arg>
</Call>
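Why the OBF value is not a secret in itself, as an added example that is not part of the book or of the Nexus or Jetty code: the Python below reimplements the algorithm of Jetty 6's org.mortbay.jetty.security.Password (obfuscate and deobfuscate) for ASCII passwords, reproduces the OBF and MD5 lines shown in C.3.1, and reverses the OBF value used in the connector above. The SAMPLE_CONNECTOR fragment and the recover_passwords helper are constructed for this illustration; the algorithm itself is a keyless byte shuffle, which is the whole point.

```python
"""Round-trip Jetty 6's OBF: password encoding (added example, not Jetty code)."""
import hashlib
import re

OBF_PREFIX = "OBF:"
BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n):
    """Equivalent of Java's Integer.toString(n, 36) for n >= 0."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(BASE36[r])
    return "".join(reversed(digits))


def obfuscate(password):
    """Jetty 6 Password.obfuscate for 7-bit ASCII input.

    Each byte is combined with its mirror byte (first with last, second with
    second-to-last, ...) into a 4-digit base-36 group. No key or secret is
    involved, so the output can always be reversed. Later Jetty versions add a
    'U'-prefixed group for non-ASCII bytes; that is not handled here.
    """
    raw = password.encode("ascii")
    groups = []
    for i, b1 in enumerate(raw):
        b2 = raw[len(raw) - (i + 1)]
        i1 = 127 + b1 + b2
        i2 = 127 + b1 - b2
        groups.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return OBF_PREFIX + "".join(groups)


def deobfuscate(obf):
    """Inverse of obfuscate(): recover the plaintext from an OBF: string."""
    if obf.startswith(OBF_PREFIX):
        obf = obf[len(OBF_PREFIX):]
    if len(obf) % 4 != 0:
        raise ValueError("OBF payload must be a multiple of 4 characters")
    out = bytearray()
    for i in range(0, len(obf), 4):
        i0 = int(obf[i:i + 4], 36)
        i1, i2 = divmod(i0, 256)
        out.append((i1 + i2 - 254) // 2)  # i1 + i2 - 254 == 2 * b1
    return out.decode("ascii")


def md5_line(password):
    """The MD5: line the Password tool prints (one-way; meant for user realms,
    not usable as a keystore password)."""
    return "MD5:" + hashlib.md5(password.encode("ascii")).hexdigest()


_SET_RE = re.compile(r'<Set name="(\w+)">(OBF:[0-9a-z]+)</Set>')


def recover_passwords(jetty_xml):
    """Return {setting name: plaintext} for every OBF: value in a jetty.xml
    fragment. A plain text scan rather than a full XML parse is enough for the
    connector block above."""
    return {name: deobfuscate(obf) for name, obf in _SET_RE.findall(jetty_xml)}


# Constructed sample: the password settings from the connector fragment above.
SAMPLE_CONNECTOR = """
<Set name="keystore">/etc/ssl/keystore</Set>
<Set name="truststore">/etc/ssl/keystore</Set>
<Set name="password">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
<Set name="keyPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
<Set name="trustPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
"""

if __name__ == "__main__":
    # Reproduce the Password tool output quoted in C.3.1 from Python.
    print(obfuscate("blah"), md5_line("blah"))
    print(deobfuscate("OBF:1t2x1toq1to41t39"))
    # What anyone who can read jetty.xml learns about the keystore.
    print(recover_passwords(SAMPLE_CONNECTOR))
```

Run it directly to see the recovered values. The practical consequence is that file permissions on jetty.xml are the real protection for these passwords, and that rotating the keystore password means regenerating the OBF string, not just re-running keytool.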

C.3.3. Modify the application-port for SSL connections

The application-port property, referenced in the configuration above, defaults to 8081, a value most people associate with a plain HTTP connection. You may wish to change it to something like 8443, or even 443. Note that on Unix, binding a port below 1024 requires starting Nexus as root; rather than run the whole server as root, prefer a high port such as 8443 and redirect or proxy port 443 to it. To change this property, modify the ${NEXUS_HOME}/conf/plexus.properties file.

Note

You may wish to enable both types of connections, with appropriate rewrite rules between them. Such a configuration is beyond the scope of this section; if you're interested, please refer to the Jetty Wiki for some information to get you started. Additionally, you may need to add extra port properties to the plexus.properties configuration file to accommodate both SSL and non-SSL connections.
