vhosts.conf
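# Both backends listen on loopback only; TLS is terminated in this vhost.
upstream nexus_admin    { server 127.0.0.1:8081; }
upstream nexus_registry { server 127.0.0.1:5001; }

# Pick a backend for non-/v2 paths from the User-Agent (map must sit in the
# http context, next to the upstreams). This is a routing convenience, NOT a
# security boundary: the header is client-controlled, so each backend has to
# enforce its own authentication. Browser patterns come first so a UA that
# matches both goes to the UI; unknown agents get an explicit 404 instead of
# falling through to nginx's static document root.
map $http_user_agent $nexus_backend {
    default                     "";
    ~*(Chrome|Mozilla|Firefox)  nexus_admin;
    ~*(docker|jib|curl|Java)    nexus_registry;
}

# Plain HTTP only redirects: never serve the registry or the admin UI in the
# clear, or Docker credentials and admin sessions travel unencrypted.
server {
    listen 80;
    server_name docker.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name docker.domain.com;

    # Keep an access log: it is the only record of who pushed or pulled what
    # through this host, which incident response will need.
    access_log /app/logs/nginx/docker.domain.com.access.log;
    error_log  /app/logs/nginx/docker.domain.com.error.log;

    ssl_certificate     server.pem;
    ssl_certificate_key server.key;
    ssl_session_timeout 20m;
    # TLS 1.0/1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx >= 1.13 built
    # against OpenSSL 1.1.1 or newer; remove it if this build is older.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AES:EECDH+CHACHA20;

    # Docker blob uploads (/v2/<name>/blobs/uploads/...) are large, chunked
    # PUT/PATCH bodies. They hit the /v2/ location, not /, so the unlimited
    # body size and the proxy settings have to live at server level — a
    # location-level client_max_body_size would leave /v2/ at the 1m default
    # (413 on push). Putting add_header here also keeps X-Frame-Options, which a
    # location-level add_header would otherwise stop inheriting.
    client_max_body_size 0;
    chunked_transfer_encoding on;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_redirect off;

    add_header X-Frame-Options SAMEORIGIN always;
    # Header name and value are separate arguments: no trailing colon, or the
    # header is emitted as "Docker-Distribution-Api-Version:: registry/2.0".
    add_header Docker-Distribution-Api-Version registry/2.0 always;

    # Registry API always goes to the Docker connector, whatever the client.
    location ~ ^/(v1|v2)/ {
        proxy_pass http://nexus_registry;
    }

    location / {
        if ($nexus_backend = "") {
            return 404;
        }
        # A variable that names an upstream group needs no resolver; with no
        # URI part the original request URI is passed through unchanged.
        proxy_pass http://$nexus_backend;
    }
}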
docker-compose.yml
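version: "2"
services:
  nexus:
    # Pulled through a third-party mirror: pin the image by digest
    # (the RepoDigests value after a pull) so the mirror cannot silently
    # substitute a different image for this tag.
    image: dockerhub.azk8s.cn/sonatype/nexus3:3.21.1
    volumes:
      - "/app/srv/docker/nexus3:/nexus-data"
    # Bind to loopback only. nginx terminates TLS and proxies to 127.0.0.1;
    # publishing these ports on all interfaces would let clients reach the
    # admin UI and the Docker connector in plain text, bypassing the proxy.
    # 8082 is not referenced by the nginx vhost or the notes — drop it if no
    # second connector is configured.
    ports:
      - "127.0.0.1:8081:8081"
      - "127.0.0.1:8082:8082"
      - "127.0.0.1:5001:5001"
    environment:
      # - NEXUS_CONTEXT=nexus
      # NOTE(review): confirm the nexus3 image honours JAVA_OPTS (its documented
      # knob is INSTALL4J_ADD_VM_PARAMS). -Xmx equal to mem_limit leaves no
      # headroom for non-heap memory, so the container can be OOM-killed.
      - JAVA_OPTS=" -Xmx2048m"
    mem_limit: 2g
    mem_swappiness: 0
## Nexus runs as uid 200 inside the container; the data dir must be writable by it:
## chown -Rv 200 /app/srv/docker/nexus3
## First login: recent Nexus 3 releases (3.17+) generate a random admin password
## in /nexus-data/admin.password; older ones shipped admin/admin123. Change it on
## first login and never leave a default in place.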
Repository:
Create a new docker (hosted) repository with HTTP connector port 5001. The connector stays plain HTTP because it is only reachable from the nginx proxy on loopback, which terminates TLS.
LDAP (FreeIPA):
Search Base: cn=accounts,dc=domain,dc=com
User Base DN: cn=users (relative to the search base above)
Object Class: inetOrgPerson
Group Type: Dynamic Groups
Bind DN (a dedicated read-only service account, not an admin): uid=readonly,cn=users,cn=accounts,dc=domain,dc=com
User filter (limits login to members of the nexus group; note the group lives under cn=accounts, matching the search base, not dc=accounts): (memberOf=cn=nexus,cn=groups,cn=accounts,dc=domain,dc=com)
Real Name attribute: displayName (or cn)
User and Role map:
Role >> Create Role >> External role map >> LDAP
Enable REALM:
Security -> Realms -> enable Docker Bearer Token Realm
Note: without this realm, a valid user's `docker login` fails with 401 once the repository has "Allow anonymous docker pull" enabled.
ALLOW Anonymous access:
SECURITY --> Anonymous -->
[X] Allow anonymous users to access the server (this setting is server-wide, not per repository: review the anonymous role so it only grants read access on the repositories you intend to expose)
Username: anonymous
Realm: Local Authenticating Realm
Repositories --> repo-name
[X] Allow anonymous docker pull
cmd:
docker pull ubuntu:18.04
docker login nexus.domain.com   # the hostname must match the nginx server_name and its certificate (docker.domain.com above), otherwise the client only works with insecure-registries, which disables TLS verification
docker tag ubuntu:18.04 nexus.domain.com/ubuntu:18.04
https://help.sonatype.com/display/NXRM3/LDAP
https://help.sonatype.com/display/NXRM3/Roles
https://help.sonatype.com/display/NXRM3/Privileges
public (proxy) repositories — prefer https upstreams where the mirror offers one; artifacts fetched over plain http can be tampered with in transit:
gradle https://plugins.gradle.org/m2
central https://repo1.maven.org/maven2/
jcenter https://jcenter.bintray.com/
soap-ui http://smartbearsoftware.com/repository/maven2/
qcloud http://mirrors.cloud.tencent.com/nexus/repository/maven-public/
docker repo:
https://registry-1.docker.io https://index.docker.io/
https://registry.cn-hangzhou.aliyuncs.com
kubernetes-apt: https://mirrors.ustc.edu.cn/kubernetes/apt/