I have a Docker Compose setup that starts up Nexus, Jenkins and Nginx containers. All calls to Jenkins and Nexus must pass through Nginx. I accomplish this by only port forwarding the Nginx container. The Nexus and Jenkins container ports are merely exposed towards the Docker network.
This is my (simplified) docker-compose.yml:
```yaml
version: '3.7'
services:
  nexus:
    build: ./nexus/.
    expose:
      - 8081
  jenkins:
    build: ./jenkins/.
    expose:
      - 8080
      - 50000 # no longer needed if Jenkins does not need HTTPS
    depends_on:
      - nexus
  nginx:
    image: nginx:1.19.5
    ports:
      - 80:80 # will also need to port forward 443:443 for HTTPS
    depends_on:
      - nexus
      - jenkins
```

My nginx.conf (again simplified):
```nginx
# events {} is required at the top level for nginx to start; it was left out
# of the simplified config above.
events {}

http {
    upstream docker-jenkins {
        server jenkins:8080;
    }
    upstream docker-nexus {
        server nexus:8081;
    }
    server {
        server_name jenkins.homenetwork.dns;
        location / {
            proxy_pass http://docker-jenkins;
        }
    }
    server {
        server_name nexus.homenetwork.dns;
        location / {
            proxy_pass http://docker-nexus;
        }
    }
}
```

I am using this on my home network and will allow BitBucket to trigger jobs from Jenkins (through Nginx!). This means that the port must be externally accessible. Obviously Nginx will need to encrypt the incoming URLs with HTTPS. So the expected addresses are https://jenkins.homenetwork.dns and https://nexus.homenetwork.dns, with the HTTP versions redirecting to HTTPS.
The question is, do I need to set up Nexus and Jenkins with an SSL certificate? They are included in many tutorials for setting up Jenkins and Nexus, but the network traffic between Jenkins/Nexus and Nginx should only be visible from the machine that's hosting the Docker containers. Do I run a security risk somehow by not encrypting the traffic between the Docker containers?
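The TLS-terminating front end the post describes (HTTPS on both hostnames, plain HTTP redirecting to HTTPS, and the upstreams still reached over plain HTTP on the Docker network) looks like the following. This is an added example, not the poster's own nginx.conf: the certificate paths under `/etc/nginx/certs/`, the `ssl_protocols` choice and the `X-Forwarded-*` headers are assumptions, and the nginx container would additionally need `443:443` published and the certificate directory mounted.

```nginx
# Added example (not from the original post). Assumes the certificates are
# mounted into the nginx container at /etc/nginx/certs/ (assumed path).
events {}

http {
    upstream docker-jenkins {
        server jenkins:8080;
    }
    upstream docker-nexus {
        server nexus:8081;
    }

    # Plain HTTP for both hostnames: answer only with a redirect to HTTPS,
    # so no request or credential is ever served over port 80.
    server {
        listen 80;
        server_name jenkins.homenetwork.dns nexus.homenetwork.dns;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name jenkins.homenetwork.dns;

        ssl_certificate     /etc/nginx/certs/jenkins.homenetwork.dns.crt;  # assumed path
        ssl_certificate_key /etc/nginx/certs/jenkins.homenetwork.dns.key;  # assumed path
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # Upstream stays plain HTTP on the Docker network; TLS ends here.
            proxy_pass http://docker-jenkins;
            # Pass the client-facing host and scheme so Jenkins builds
            # https:// links and its reverse-proxy check passes.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host  $host;
        }
    }

    server {
        listen 443 ssl;
        server_name nexus.homenetwork.dns;

        ssl_certificate     /etc/nginx/certs/nexus.homenetwork.dns.crt;  # assumed path
        ssl_certificate_key /etc/nginx/certs/nexus.homenetwork.dns.key;  # assumed path
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://docker-nexus;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host  $host;
        }
    }
}
```

With this layout the only listening sockets reachable from outside the host are nginx's 80 and 443; `jenkins:8080`, `jenkins:50000` and `nexus:8081` remain `expose`d to the Compose network only. A quick check from the host that the isolation holds as intended is to connect to the host's public address on 8080 and 8081 and confirm the connection is refused, while the same ports answer from inside the nginx container.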