CentOS 7: Install Nexus Repository OSS

1. Setting up Nexus Repository

1.1. Install Prerequisites.

# Base packages: the EPEL repository definition (nginx in section 2 is usually
# installed from EPEL on CentOS 7), plus unzip, vim and wget
yum -y install epel-release unzip vim wget

1.2. Install openJDK.

# OpenJDK 8 runtime plus the -devel package; the latter provides javac,
# which step 1.4 uses to derive JAVA_HOME
yum install -y java-1.8.0-openjdk java-1.8.0-openjdk-devel

1.3. Install Nexus.

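# Create the data directory (kept outside the install tree) and the install directory
mkdir -p /zone/nexus-data /opt/nexus
# Download the latest Nexus 3 archive over TLS; the plain-http URL would let
# anyone on the network path substitute the archive
wget -O /tmp/nexus.tar.gz https://download.sonatype.com/nexus/3/latest-unix.tar.gz
# Print the archive digest and compare it with the checksum published for that
# version on the Sonatype download page before extracting
sha256sum /tmp/nexus.tar.gz
# Unpack into /opt/nexus, dropping the versioned top-level directory
tar xvfz /tmp/nexus.tar.gz -C /opt/nexus --strip-components 1
# Service account with no interactive login shell
sudo adduser nexus -s /sbin/nologin
# Give the service account ownership of the install and data directories
chown -R nexus:nexus /opt/nexus
chown -R nexus:nexus /zone/nexus-data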

1.4. Configure environment variables.

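# Choose the default java binary when several are installed (interactive prompt)
alternatives --config java
# Append JAVA_HOME and NEXUS_HOME to /etc/bashrc. The quoted delimiter keeps
# the $(...) literal so JAVA_HOME is resolved in each new shell; readlink -f
# follows the whole alternatives symlink chain instead of assuming exactly
# two hops, and every expansion is quoted.
cat >> /etc/bashrc <<'EOF'
export JAVA_HOME="$(dirname "$(dirname "$(readlink -f "$(command -v javac)")")")"
export NEXUS_HOME=/opt/nexus
EOF
# Load the new variables into the current shell
source /etc/bashrc
# Confirm which runtime is now selected
java -version
# NOTE: systemd does not read /etc/bashrc, so these exports affect interactive
# shells only, not the nexus service created in step 1.8.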

1.5. Change Nexus default values in $NEXUS_HOME/bin/nexus.vmoptions as follows.

-Xms1200M
-Xmx1200M
-XX:MaxDirectMemorySize=4G
-XX:+UnlockDiagnosticVMOptions
-XX:+UnsyncloadClass
-XX:+LogVMOutput
-XX:LogFile=/zone/nexus-data/nexus3/log/jvm.log
-Djava.net.preferIPv4Stack=true
-Dkaraf.home=.
-Dkaraf.base=.
-Dkaraf.etc=etc/karaf
-Djava.util.logging.config.file=etc/karaf/java.util.logging.properties
-Dkaraf.data=/zone/nexus-data/nexus3
-Djava.io.tmpdir=/zone/nexus-data/nexus3/tmp
-Dkaraf.startLocalConsole=false

1.6. Configure application-host in $NEXUS_HOME/etc/nexus-default.properties as follows, so that Nexus listens only on the loopback interface and is not reachable directly from remote hosts (clients go through the Nginx reverse proxy set up in section 2).

application-host=127.0.0.1

1.7. Configure nexus service account in $NEXUS_HOME/bin/nexus.rc

run_as_user="nexus"

1.8. Create the systemd service file /etc/systemd/system/nexus.service

[Unit]
Description=Nexus Server
After=syslog.target network.target

[Service]
# Type=forking: "nexus start" is expected to daemonize and return
Type=forking
# Matches the nofile limit given to the nexus user in limits.conf (step 1.9)
LimitNOFILE=65536
ExecStart=/opt/nexus/bin/nexus start
ExecStop=/opt/nexus/bin/nexus stop
# Run as the unprivileged service account created in step 1.3
User=nexus
Group=nexus
Restart=on-failure

[Install]
WantedBy=multi-user.target

1.9. Increase the open-file limit for the nexus user in /etc/security/limits.conf

nexus - nofile 65536

1.10. Start and Enable Nexus service

# Register the new unit, start it, and have it start at boot
sudo systemctl daemon-reload
sudo systemctl start nexus
sudo systemctl enable nexus

1.11. Check whether the nexus service is running

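# Nexus is bound to 127.0.0.1:8081 (application-host, step 1.6), so the
# listener should show that address. ss (from iproute) replaces netstat,
# which may not be installed on a minimal CentOS 7 system.
ss -tlnp | grep -- ':8081'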

1.12. Monitoring nexus log files for issues

# Follow the application log; the path is under -Dkaraf.data from nexus.vmoptions (step 1.5)
tail -f -- /zone/nexus-data/nexus3/log/nexus.log

2. Setting up Nginx Reverse Proxy

2.1. Install Nginx.

# nginx package (available through the EPEL repository enabled in step 1.1)
yum -y install nginx

2.2. Configure SSL.

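# Directory for the key and certificate, accessible to root only; the nginx
# master process runs as root and loads the key at startup
mkdir -p /etc/nginx/ssl
chmod 700 /etc/nginx/ssl
# Custom DH parameters for DHE key exchange
openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048
# Self-signed wildcard certificate for *.zone24x7.lk, valid for one year.
# -nodes leaves the private key unencrypted so nginx can start unattended,
# which is why the file permissions below matter. Clients (browsers, docker
# daemons) need to be configured to trust this certificate.
openssl req -newkey rsa:2048 -nodes -keyout /etc/nginx/ssl/zone.key -x509 -days 365 -out /etc/nginx/ssl/zone.crt -subj "/C=LK/ST=WP/L=Colombo/O=Zone24x7 (Private) Limited/CN=*.zone24x7.lk"
# Restrict the private key to root (default umask would leave it world-readable)
chmod 600 /etc/nginx/ssl/zone.key
# Restore default SELinux contexts on the new files
restorecon -RF /etc/nginx/ssl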

2.3. Replace the content of /etc/nginx/nginx.conf with the following.

# nginx main configuration for the Nexus reverse proxy.
# Reference: http://nginx.org/en/docs/ (Russian: http://nginx.org/ru/docs/)
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Dynamic modules (see /usr/share/nginx/README.dynamic)
include /usr/share/nginx/modules/*.conf;

events {
  worker_connections 1024;
  multi_accept on;
  use epoll;
}

http {
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
  access_log /var/log/nginx/access.log main;

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;
  charset utf-8;

  # Names are resolved through the local resolver only (avoids bypassing the
  # DNS cache); assumes a resolver is listening on 127.0.0.1, which this guide
  # does not set up.
  resolver 127.0.0.1 ipv6=off;

  # Close connections whose client stopped responding, freeing socket memory
  reset_timedout_connection on;

  # Response hardening. These add_header lines are inherited by the server
  # blocks in conf.d only while those blocks declare no add_header of their own.
  server_tokens off;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Content-Type-Options nosniff always;
  add_header X-XSS-Protection "1; mode=block" always;
  add_header "X-Permitted-Cross-Domain-Policies" "master-only";
  add_header "X-Download-Options" "noopen";

  # Timeouts and buffers
  client_header_timeout 300;
  client_body_timeout 300;
  fastcgi_read_timeout 300;
  client_max_body_size 32m;
  fastcgi_buffers 8 128k;
  fastcgi_buffer_size 128k;

  # Compression
  gzip on;
  gzip_vary on;
  gzip_comp_level 1;
  gzip_min_length 256;
  gzip_proxied expired no-cache no-store private auth;
  gzip_disable "MSIE [1-6]\.";
  gzip_types
    application/atom+xml application/javascript application/json
    application/ld+json application/manifest+json application/rss+xml
    application/vnd.geo+json application/vnd.ms-fontobject
    application/x-font-ttf application/x-web-app-manifest+json
    application/x-javascript application/xhtml+xml application/xml
    font/opentype image/bmp image/svg+xml image/x-icon
    text/cache-manifest text/css text/xml text/plain text/javascript
    text/vcard text/vnd.rim.location.xloc text/vtt text/x-component
    text/x-cross-domain-policy;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # Per-site configuration (nexus.conf, step 2.4)
  # See http://nginx.org/en/docs/ngx_core_module.html#include
  include /etc/nginx/conf.d/*.conf;
}

2.4. Create /etc/nginx/conf.d/nexus.conf file as follows.

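# Plain HTTP: redirect everything to HTTPS
server {
  listen 80 default_server;
  server_name nexus.zone24x7.lk;
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2 default_server;
  server_name nexus.zone24x7.lk;

  # Large artifact / image uploads
  client_max_body_size 5G;
  # Optimize downloading files larger than 1G
  proxy_max_temp_file_size 2048M;

  ssl_certificate /etc/nginx/ssl/zone.crt;
  ssl_certificate_key /etc/nginx/ssl/zone.key;
  # Generated in step 2.2: openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048
  ssl_dhparam /etc/nginx/ssl/dhparams.pem;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  # Shared cache only; the nginx documentation advises against combining it
  # with the builtin cache, which can fragment memory
  ssl_session_cache shared:SSL:10m;
  # TLS 1.0 and 1.1 are deprecated (RFC 8996); clients that cannot negotiate
  # TLS 1.2 are refused
  ssl_protocols TLSv1.2;
  # Previous suite list minus the 3DES suites (64-bit block cipher, SWEET32).
  # The static-RSA suites are kept for older clients but provide no forward
  # secrecy; drop RSA+AES128 and RSA+AES256 if all clients support ECDHE.
  ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!aNULL:!MD5;

  access_log off;
  error_log /var/log/nginx/nexus.error;

  location / {
    # Docker clients are sent to the registry listening on 5000 (presumably a
    # Nexus docker connector, not configured by this guide). The choice rests
    # on a client-supplied header, which is acceptable only because both
    # backends are local services behind this same proxy.
    if ($http_user_agent ~ docker ) {
      proxy_pass http://127.0.0.1:5000;
    }
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_read_timeout 300;
    # Everything else goes to the Nexus web application (step 1.6 binds it to loopback)
    proxy_pass http://127.0.0.1:8081;
  }
}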

2.5. SELinux policy to allow Nginx to connect to the network.

# Allow nginx (httpd_t domain) to open outbound connections to the proxied
# backends on 127.0.0.1:8081 and :5000; -P makes the change persistent
setsebool -P httpd_can_network_connect on

2.6. Start and Enable Nginx.

# Start nginx now and at every boot
systemctl start nginx.service
systemctl enable nginx.service

2.7. Open TCP ports 80 and 443 in the firewall.

# Permit HTTP and HTTPS in the permanent configuration, then apply it
firewall-cmd --permanent --add-port=80/tcp --add-port=443/tcp
firewall-cmd --reload

Nexus Initial Login Information

  • URL: https://nexus.zone24x7.lk

  • User: admin

  • Password: admin123 (the default; change it on first login)

References: