I run my Nexus OSS 3.14.0-04 behind an nginx reverse proxy, which does the authentication. With the help of the nginx server we do authentication via OpenID Connect as described here, which works like a charm. Now we want to access Nexus via Jenkins and/or curl without OpenID Connect authentication. To do that, I implemented the following code in the nginx configuration:

server {
    resolver 127.0.0.11;
    listen       8443 ssl;
    server_name  nexus.my.domain;

    ssl_certificate      /home/appuser/data/certificates/cer.pem;
    ssl_certificate_key  /home/appuser/data/certificates/key.pem;

    access_log  /home/appuser/data/nginx/log/access_nexus.log;
    error_log   /home/appuser/data/nginx/log/error_nexus.log;

    error_page   500 502 503 504  /50x.html;

    #Allow large uploads of files
    client_max_body_size 4G;

    # optimize downloading files larger than 1G
    #proxy_max_temp_file_size 5G;

    set $session_secret abcdefghijklmnopqrstuvwxyz;
    location / {
        set $oidc_redirect_logout_url "false";
        access_by_lua_file /home/appuser/data/nginx/conf.d/oidc_nexus.lua;
        set $target_server nexus-internal.my.domain;
        proxy_pass https://$target_server:8443;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Host $server_name;
    }
    location /repository {
        proxy_pass https://nexus-internal.my.domain:8443;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $server_name;
    }
}

I disabled anonymous authentication in Nexus and created a Nexus-internal user "prj.nxs.myproject". This user has the role "MYPROJECT Administrators". The role is associated with the "repository-view" privileges for each project-related repository (the privileges include the permissions "browse,read,add,delete").

When I connect to Nexus with a browser, it is authenticated via OIDC. When I browse to a Maven repo and try to download something from it (e.g. https://nexus.my.domain/repository/MYPROJECT-maven-group/com/myproject/cip/myproject-cip/main/2.0.3/main-2.0.3.pom) within a browser, the browser asks for authentication. I put in the credentials and the download is done successfully.

Now I try to repeat that from the command line with curl. I did the following:

curl -u prj.nxs.myproject:abcd1234 https://nexus.my.domain/repository/MYPROJECT-maven-group/com/myproject/cip/myproject-cip/main/2.0.3/main-2.0.3.pom

With this command I get the following response:

<html>
...
...
<body>
<div class="nexus-body">
  ...
  ...
  </div>
  <div class="content-body">
    <div class="content-section">
      Repository path must have another '/' after initial '/'
    </div>
      </div>
</div>
</body>
</html>

When I try to connect to the Nexus server directly with the internal name (and avoid using nginx) by

curl -u prj.nxs.myproject:abcd1234 https://nexus-internal.my.domain/repository/MYPROJECT-maven-group/com/myproject/cip/myproject-cip/main/2.0.3/main-2.0.3.pom

I am able to download the file. So it seems that it has something to do with the nginx configuration. I also tried to add an ending '/' to the proxy_pass in the '/repository' location (that is described in the Nexus documentation as well as here), but that was also not successful and doesn't change anything.

Does anyone have an idea what I can do to do basic authentication with curl to download content from Nexus?

Regards

Dave

0 Answers