IP Allow List
The IP Allow List restricts access to a Nexus Repository instance based on specific IP addresses or CIDR ranges. It adds a network-level control to ensure that only approved locations can access the system.
This feature is available in:
Nexus Repository Pro
Nexus Repository Cloud
Use the IP Allow List to:
Limit access to trusted networks
Reduce exposure to unauthorized requests
Add an additional layer of security beyond authentication and authorization
How IP Filtering Works
The IP Allow List evaluates each incoming request against configured entries. Based on the active filtering mode, the request is either allowed, monitored, or blocked.
Filtering Modes
Disabled (default)
No IP filtering is applied
All requests are allowed
Monitor
Requests are evaluated against the allow list
Requests from non-allowed IPs are allowed
Events are recorded in the audit log
Enforce
Only requests from allowed IPs are permitted
Non-matching requests are blocked with HTTP 403 (Forbidden)
Blocked requests are recorded in the audit log
Note
Start with Monitor mode to validate your configuration before switching to Enforce.
Configure the IP Allow List
Ensure you have administrative access to Nexus Repository.
Identify the IP addresses or CIDR ranges that require access.
As an administrator, go to Setting > Security > IP Allow List.
Choose a filtering mode:
Disabled
Monitor
Enforce
Save your changes.
The selected filtering mode is applied. Requests are evaluated according to the configured mode.
Note
Only users with administrator privileges can access and configure the IP Allow List settings in Nexus Repository.
Manage Allow List Entries
You can add, update, or remove entries using the UI or REST API.
Supported entry types
IPv4 address (for example, 192.168.1.10)
IPv6 address (for example, 2001:db8::1)
CIDR range (for example, 10.0.0.0/8, 2001:db8::/32)
Add: Go to Setting > Security > IP Allow List, select add entry, enter IP/CIDR, and save.
Edit: Find the entry, select Edit, update it, and save.
Delete: Find the entry, select Delete, and confirm.
Clear all: Select Clear all and confirm.
Limits: Maximum of 256 entries by default.
Import Entries in Bulk
You can upload multiple entries using a CSV file.
Prerequisites
One IP address or CIDR range per line
Maximum file size: 1 MB
Use the following steps to import entries in bulk.
Click the Import Entry button.
Drag and drop a CSV file or select a file.
Submit the file.
After processing, the system displays:
Successfully added entries
Duplicate entries (skipped automatically)
Invalid entries with error details
Duplicate entries are ignored, allowing repeated uploads without duplication.
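A local pre-check for an import file, run before uploading it. This is an added example, not Sonatype code: `precheck`, the sample file, the strict CIDR parsing, and the in-file duplicate detection are assumptions of this sketch and may differ from how the server classifies entries. It also reports whether a given administrator address would match any entry, which is worth knowing before switching to Enforce.

```python
import ipaddress

MAX_FILE_BYTES = 1024 * 1024  # "Maximum file size: 1 MB" (from the page)
MAX_ENTRIES = 256             # default entry limit (from the page)
ALWAYS_ALLOWED = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

# Constructed sample file: one entry per line, with deliberate problems.
SAMPLE_CSV = """192.168.1.10
10.0.0.0/8
2001:db8::/32
192.168.1.10
10.0.0.5/8
build.example.com
"""


def precheck(csv_text, admin_ip=None):
    """Sort lines into valid / duplicate / invalid before uploading the file."""
    report = {"valid": [], "duplicates": [], "invalid": [], "warnings": []}
    if len(csv_text.encode("utf-8")) > MAX_FILE_BYTES:
        report["warnings"].append("file is larger than 1 MB")
    seen = set()
    for lineno, raw in enumerate(csv_text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # Assumption: strict parsing, so a CIDR with host bits set
            # (10.0.0.5/8) and hostnames are both reported as invalid.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            report["invalid"].append((lineno, entry, str(exc)))
            continue
        if net in seen:  # duplicates within this file only
            report["duplicates"].append((lineno, entry))
            continue
        seen.add(net)
        report["valid"].append(str(net))
    if len(seen) > MAX_ENTRIES:
        report["warnings"].append(f"{len(seen)} entries exceed the default limit of {MAX_ENTRIES}")
    if admin_ip is not None:
        addr = ipaddress.ip_address(admin_ip)
        covered = addr in ALWAYS_ALLOWED or any(
            addr.version == net.version and addr in net for net in seen)
        report["admin_ip_covered"] = covered
        if not covered:
            report["warnings"].append(f"{addr} matches no entry; Enforce mode would block it")
    return report
```

Calling `precheck(SAMPLE_CSV, admin_ip="203.0.113.7")` on the constructed sample reports three valid entries, one duplicate, two invalid lines, and a warning that the administrator address is not covered.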
Exempt Addresses and Endpoints
To prevent accidental lockouts, certain addresses and endpoints are always allowed.
Always allowed IPs
127.0.0.1 (IPv4 localhost)
::1 (IPv6 localhost)
Always accessible endpoints
/service/rest/v1/status/healthcheck
Audit Log Events
All IP Allow List activity is recorded in the audit log.
Events
Configuration changes (add, edit, remove entries; mode changes)
Request evaluations:
Monitored requests (Monitor mode)
Blocked requests (Enforce mode)
Logged details
Source IP address
Requested path
Timestamp
Active filtering mode
Note
Monitor mode can generate high log volume in high-traffic environments.
REST API
You can manage the IP Allow List using the REST API.
Endpoint
/v1/security/ip-allowlist
Supported operations
List entries (paginated and searchable)
Add or edit entries
Bulk add or delete entries
Upload CSV files
Change filtering mode
Clear all entries
Retrieve current client IP
The REST API is available regardless of the UI version.
Limitations
Applies at the application level only (not per repository)
Supports allow lists only; deny lists are not supported
No support for:
Time-based rules
User or role-based exceptions
Hostnames or DNS-based filtering
Not available in OSS/Core edition
The Classic UI does not include a configuration page
In HA deployments:
Up to 15 seconds delay for changes to propagate across nodes
Supports a maximum of 256 entries by default.