Securing Nexus Repository Manager

Nexus Repository can be configured by an administratorto contact internal and external IPs for various reasons such as retrieving certificates, creating proxy repositories, dispatching events to remote URLs and so on. You may limit the IPs that can be reached from the host machine running your Nexus Repository instance but note that doing so could block the main use case for some features. For example, webhooks give administrators a way of integrating Nexus Repository with other systems (e.g an auditing system, another Nexus Repository instance, or a lightweight listener potentially on the same host), typically in the same data center. Hence, limiting webhook destinations to, for example, IPs external to your data center effectively blocks the main use case for them.

Running Nexus Repository in a Docker container may reduce the impact of a successful attack. Without containerisation, if a malicious person successfully exploits a service and gains root access, they could do damage to other services running on the host. On the other hand, containerising means a successful attack on that service is restricted to the container running that service. The Nexus Repository 3 docker imagescan be found at: https://hub.docker.com/r/sonatype/nexus3/.