Remove Nexus from public internet
Description
Activity
Tom Zeller, January 25, 2023 at 10:59 PM
Our Nexus instance is now available only from the AWS VPC (and Nagios host).
Maven repository URLs of the form https://build.shibboleth.net/nexus/... are available at https://build.shibboleth.net/nexus-proxy/... to work around /nexus redirects.
Rod Widdowson, April 19, 2022 at 1:17 PM
Done the rehoming of the URLs in plugin-mgnt
Rod Widdowson, April 18, 2022 at 12:39 PM
Note, before we do this work we need to change java-idp-plugin-mgmt\plugin.properties
to change URLs of the form
https://build.shibboleth.net/nexus/service/local/repositories/releases/content/net/shibboleth/idp/plugin/authn/idp-plugin-totp-dist/%{version}
to be
https://build.shibboleth.net/maven/releases/net/shibboleth/idp/plugin/metadatagen/idp-plugin-metadatagen-dist/%{version}
Tom Zeller, January 20, 2022 at 5:25 PM (edited)
Next step, say Monday, is to actually take Nexus off the public internet.
Deployers should follow instructions on
https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1123450991/Setting+Up+Configuring+and+Using+Maven
Especially:
<!-- GEN-299 Remove Nexus from public internet
Requires SSH tunneling, for example :
ssh -L 1581:127.0.0.1:1581 -N shibboleth.net
-->
<properties>
<altReleaseDeploymentRepository>release::http://127.0.0.1:1581/nexus/content/repositories/releases</altReleaseDeploymentRepository>
<altSnapshotDeploymentRepository>snapshot::http://127.0.0.1:1581/nexus/content/repositories/snapshots</altSnapshotDeploymentRepository>
</properties>
Jenkins build agents will use the private IP address.
Tom Zeller, January 20, 2022 at 5:23 PM
Redirects are now in place:
https://build.shibboleth.net/nexus/content/groups/public
to
https://build.shibboleth.net/maven/releases
https://build.shibboleth.net/nexus/content/repositories/releases
to
https://build.shibboleth.net/maven/releases
https://build.shibboleth.net/nexus/content/repositories/snapshots
to
https://build.shibboleth.net/maven/snapshots
https://build.shibboleth.net/nexus/content/repositories/thirdparty-snapshots
to
https://build.shibboleth.net/maven/thirdparty-snapshots
Improve security by not exposing Nexus to the public internet.
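An added example (not part of the issue and not Shibboleth project code): a Python script that applies the URL mappings quoted in the comments above to a properties-style file and reports any remaining /nexus/ URLs that no mapping covers, since those stop resolving once Nexus is private. The property keys and the unmapped sample URL are constructed for illustration.

```python
import re

HOST = "https://build.shibboleth.net"
REPOS = "releases|snapshots|thirdparty-snapshots"
# Old path prefix -> new prefix, taken from the redirects and the plugin.properties note above.
RULES = [
    (re.compile(r"^/nexus/content/groups/public(?=/|$)"), "/maven/releases"),
    (re.compile(rf"^/nexus/content/repositories/({REPOS})(?=/|$)"), r"/maven/\1"),
    (re.compile(r"^/nexus/service/local/repositories/releases/content(?=/|$)"), "/maven/releases"),
]
# Matches old Nexus URLs only; /nexus-proxy/ URLs are deliberately not matched.
OLD_URL = re.compile(re.escape(HOST) + r"(/nexus/[^\s\"'<>]*)")

def rewrite_url(url):
    """Return the /maven/ form of an old Nexus URL, None if no rule covers it."""
    m = OLD_URL.fullmatch(url)
    if not m:
        return url  # not an old Nexus URL, leave untouched
    for pattern, target in RULES:
        new_path, n = pattern.subn(target, m.group(1), count=1)
        if n:
            return HOST + new_path
    return None

def rehome(text):
    """Rewrite old Nexus URLs in text; return (new_text, [(line_no, unmapped_url)])."""
    unmapped, out = [], []
    for no, line in enumerate(text.splitlines(), 1):
        def repl(m, no=no):
            new = rewrite_url(m.group(0))
            if new is None:
                unmapped.append((no, m.group(0)))
                return m.group(0)  # keep as-is so a human can review it
            return new
        out.append(OLD_URL.sub(repl, line))
    return "\n".join(out), unmapped

# Constructed sample input: keys and the last URL are hypothetical.
SAMPLE = """\
# constructed sample in the style of plugin.properties
totp.downloadURL = https://build.shibboleth.net/nexus/service/local/repositories/releases/content/net/shibboleth/idp/plugin/authn/idp-plugin-totp-dist/%{version}
parent.repo = https://build.shibboleth.net/nexus/content/groups/public
other = https://build.shibboleth.net/nexus/example/unmapped/path
"""

if __name__ == "__main__":
    new_text, unmapped = rehome(SAMPLE)
    print(new_text)
    for no, url in unmapped:
        print(f"line {no}: no mapping for {url}")
```
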