
Install Nexus Repository OSS on CentOS 7

1. Setting up Nexus Repository

1.1. Install Prerequisites.

yum install -y epel-release unzip vim wget

1.2. Install openJDK.

yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel

1.3. Install Nexus.

# Create the necessary folder structure
mkdir -p /data/nexus-data /opt/nexus

# Download the latest Nexus artifact over HTTPS and compare it with the checksum
# published on Sonatype's download page before unpacking it
wget -O /tmp/nexus.tar.gz https://download.sonatype.com/nexus/3/latest-unix.tar.gz

# Extract it to /opt/nexus
tar xvfz /tmp/nexus.tar.gz -C /opt/nexus --strip-components 1

# Add a service account for nexus (no home directory, no login shell)
sudo useradd --system --no-create-home --shell /sbin/nologin nexus

# Provide necessory folder permissions
chown -R nexus:nexus /opt/nexus
chown -R nexus:nexus /data/nexus-data
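As an added example (not code from the original tutorial or from Sonatype), the download step above with the integrity and layout checks a supply-chain-conscious install should include: the tarball is fetched over HTTPS, compared with a SHA-256 digest copied by hand from Sonatype's download page (the EXPECTED_SHA256 value in the script is a placeholder, not a real digest), and its listing is inspected for path-traversal entries before anything is unpacked. The nexus-3 directory prefix it requires is the layout the tutorial's --strip-components 1 relies on.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: download the Nexus tarball
# over HTTPS, compare it with a SHA-256 digest you copied from Sonatype's download
# page (EXPECTED_SHA256 below is a placeholder, not a real digest), and inspect the
# archive listing for path-traversal entries before unpacking it into /opt/nexus.
set -eu

NEXUS_URL="https://download.sonatype.com/nexus/3/latest-unix.tar.gz"
EXPECTED_SHA256="${EXPECTED_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# Print the SHA-256 of a file (coreutils sha256sum, or shasum where that is absent).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 when the file matches the expected digest, 1 otherwise.
verify_digest() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Reject archives with absolute paths or ".." components and require a top-level
# directory starting with the given prefix (the Nexus distribution unpacks into
# nexus-3.<version>/); print the top-level entries on success.
check_tar_layout() {
  tar tzf "$1" | awk -v prefix="${2:-nexus-3}" '
    substr($0, 1, 1) == "/" || index("/" $0 "/", "/../") > 0 { bad = 1 }
    { split($0, parts, "/"); top[parts[1]] = 1 }
    END {
      if (bad) { print "traversal entry found" > "/dev/stderr"; exit 1 }
      for (t in top) if (index(t, prefix) == 1) found = 1
      if (!found) { print "no top-level " prefix "* directory" > "/dev/stderr"; exit 1 }
      for (t in top) print t
    }'
}

# Download, verify and unpack into the destination directory (created if missing).
install_nexus() {
  url=$1; expected=$2; dest=$3
  tmp=$(mktemp)
  wget -q -O "$tmp" "$url"
  if ! verify_digest "$tmp" "$expected"; then
    echo "digest mismatch, refusing to install" >&2; rm -f "$tmp"; return 1
  fi
  if ! check_tar_layout "$tmp" >/dev/null; then
    echo "unexpected archive layout, refusing to install" >&2; rm -f "$tmp"; return 1
  fi
  mkdir -p "$dest"
  tar xzf "$tmp" -C "$dest" --strip-components 1
  rm -f "$tmp"
}

# Usage: EXPECTED_SHA256=<digest from Sonatype> sh install-nexus.sh run
if [ "${1:-}" = "run" ]; then
  install_nexus "$NEXUS_URL" "$EXPECTED_SHA256" /opt/nexus
fi
```

Run it as `EXPECTED_SHA256=<digest> sh install-nexus.sh run` after copying the digest from the download page; a mismatch or an unexpected archive layout aborts before anything lands in /opt/nexus, and the chown steps above then follow as written.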

1.4. Configure environment variables.

# Setting up the default JDK
alternatives --config java

# Setting up JAVA_HOME by adding the following line at the bottom of /etc/bashrc
# (readlink -f follows the whole alternatives chain, so the value stays correct after a JDK update)
export JAVA_HOME=$(dirname $(dirname $(readlink -f "$(which javac)")))

# Setting up NEXUS_HOME by adding the following line at the bottom of /etc/bashrc
export NEXUS_HOME=/opt/nexus

# Get the updated JAVA_HOME and NEXUS_HOME into current shell
source /etc/bashrc

# Check the JAVA version
java -version

1.5. Change Nexus default values in $NEXUS_HOME/bin/nexus.vmoptions as follows.

-Xms1200M
-Xmx1200M
-XX:MaxDirectMemorySize=4G
-XX:+UnlockDiagnosticVMOptions
-XX:+UnsyncloadClass
-XX:+LogVMOutput
-XX:LogFile=/data/nexus-data/nexus3/log/jvm.log
-Djava.net.preferIPv4Stack=true
-Dkaraf.home=.
-Dkaraf.base=.
-Dkaraf.etc=etc/karaf
-Djava.util.logging.config.file=etc/karaf/java.util.logging.properties
-Dkaraf.data=/data/nexus-data/nexus3
-Djava.io.tmpdir=/data/nexus-data/nexus3/tmp
-Dkaraf.startLocalConsole=false

1.6. Configure application-host in $NEXUS_HOME/etc/nexus-default.properties as follows so that Nexus accepts connections only from the local machine; all remote access then goes through the reverse proxy set up in section 2.

# Listen on localhost only
application-host=127.0.0.1

# Fix header is too large errors
jetty.request.header.size=32768
jetty.response.header.size=32768

1.7. Configure nexus service account in $NEXUS_HOME/bin/nexus.rc

run_as_user="nexus"

1.8. Create SystemD service file in /etc/systemd/system/nexus.service

[Unit]
Description=Nexus Server
After=syslog.target network.target

[Service]
Type=forking
LimitNOFILE=65536
ExecStart=/opt/nexus/bin/nexus start
ExecStop=/opt/nexus/bin/nexus stop
User=nexus
Group=nexus
Restart=on-failure

[Install]
WantedBy=multi-user.target
Tip: If you use an NFS or AWS EFS share as a Nexus blob store, add RequiresMountsFor to the [Unit] section of nexus.service so the service waits until the share is mounted. The path is the blob store's mount point under the data directory configured above.

[Unit]
Description=Nexus Server
After=syslog.target network.target
RequiresMountsFor=/data/nexus-data/nexus3/blobs/efs-nexus-data

1.9. Increase the open file limit of the nexus user in /etc/security/limits.conf. (LimitNOFILE in the unit file already covers the systemd-started process; this entry applies when the account runs Nexus from a login session.)

nexus    -    nofile    65536

1.10. Start and Enable Nexus service

sudo systemctl daemon-reload
sudo systemctl start nexus.service
sudo systemctl enable nexus.service

1.11. Check that the nexus service is listening. Because of the application-host setting, the only listener on 8081 should be bound to 127.0.0.1

ss -tlnp | grep 8081

1.12. Monitoring nexus log files for issues

tail -f /data/nexus-data/nexus3/log/nexus.log
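The checks in steps 1.6 to 1.11 can be scripted. The following is an added example, not part of the original tutorial: it confirms that Nexus listens only on the loopback address, runs as the nexus account and has application-host set as configured. The ss and ps outputs it carries are constructed samples for the offline run, and the JVM main class it matches on, org.sonatype.nexus.karaf.NexusMain, is assumed to be the one the nexus launcher starts.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: post-start checks that Nexus is
# reachable only on the loopback address, runs as the nexus service account and has
# application-host set as in step 1.6. The checks read their input from stdin so the
# same functions run against the constructed sample output below and against the
# live system (live_check at the end).
set -eu

# Constructed sample output of `ss -tlnp` (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8081      0.0.0.0:*         users:(("java",pid=2310,fd=87))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=2402,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=901,fd=3))'

# Same, but with Nexus bound to every interface (the misconfiguration to catch).
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8081        0.0.0.0:*         users:(("java",pid=2310,fd=87))'

# Constructed sample output of `ps -eo user=,args=`; the main class name is an assumption.
SAMPLE_PS='nexus  /usr/bin/java -Dkaraf.data=/data/nexus-data/nexus3 -classpath /opt/nexus/lib/boot/nexus-main.jar org.sonatype.nexus.karaf.NexusMain
nginx  nginx: worker process'
SAMPLE_PS_ROOT='root   /usr/bin/java -Dkaraf.data=/data/nexus-data/nexus3 -classpath /opt/nexus/lib/boot/nexus-main.jar org.sonatype.nexus.karaf.NexusMain'

# Return 0 when every listener on PORT is bound to 127.0.0.1 or [::1]; print the
# offending lines and return 1 otherwise. Input: `ss -tlnp` output on stdin.
listeners_loopback_only() {
  awk -v port="$1" '
    NR == 1 { next }                                  # column header
    {
      addr = $4                                       # e.g. 127.0.0.1:8081, [::]:22
      n = split(addr, a, ":"); p = a[n]
      if (p != port) next
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (host != "127.0.0.1" && host != "[::1]") { print "exposed listener: " $0; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Return 0 when every Nexus JVM (main class NexusMain) runs as USER.
# Input: `ps -eo user=,args=` on stdin; the $2 test skips this awk process itself.
service_runs_as() {
  awk -v user="$1" '
    $2 ~ /java$/ && /org\.sonatype\.nexus\.karaf\.NexusMain/ && $1 != user {
      print "Nexus running as " $1 ", expected " user; bad = 1
    }
    END { exit bad ? 1 : 0 }'
}

# Print the effective application-host value from a nexus-default.properties file.
configured_host() {
  sed -n 's/^application-host=[[:space:]]*//p' "$1" | tail -n 1
}

# Run all three checks against the live host.
live_check() {
  ss -tlnp | listeners_loopback_only 8081
  ps -eo user=,args= | service_runs_as nexus
  [ "$(configured_host /opt/nexus/etc/nexus-default.properties)" = "127.0.0.1" ] ||
    { echo "application-host is not 127.0.0.1" >&2; return 1; }
  echo "nexus is loopback-only and running as nexus"
}

if [ "${1:-}" = "run" ]; then live_check; fi
```

`sh check-nexus.sh run` exits non-zero and names the offending line if 8081 is reachable on a non-loopback address or the JVM runs as another user; it is a cheap guard to run after each restart or configuration change.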

2. Setting up Nginx Reverse Proxy

2.1. Install Nginx.

yum install -y nginx

2.2. Configure SSL.

# Create SSL folder
mkdir /etc/nginx/ssl

# Generate custom DH parameters
openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048

# Create a self-signed certificate for *.example.local
# (a certificate that carries the name only in the CN and has no subjectAltName is
# rejected by current browsers and by the Docker client)
openssl req -newkey rsa:2048 -nodes -keyout /etc/nginx/ssl/tls.key -x509 -days 365 -out /etc/nginx/ssl/tls.crt -subj "/C=LK/ST=WP/L=Colombo/O=Example (Private) Limited/CN=*.example.local"

# The private key must be readable by root only
chmod 600 /etc/nginx/ssl/tls.key

# Restore default SELinux contexts
restorecon -RF /etc/nginx/ssl
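Added example, not the tutorial's own command: the same self-signed certificate issued with a subjectAltName, which current browsers and the Docker client require, using an OpenSSL config file rather than -addext because the OpenSSL 1.0.2 shipped with CentOS 7 lacks that option. It reuses the tutorial's subject fields and wildcard name; the extra nexus.example.local SAN is an assumed value, and the key is written with mode 0600.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: issue the self-signed certificate
# with a subjectAltName. Current browsers and the Docker client ignore a hostname that
# appears only in the CN, so the wildcard must also be listed as a SAN. An OpenSSL
# config file is used because the -addext option is missing from the OpenSSL 1.0.2
# shipped with CentOS 7. Subject fields and hostnames are the tutorial's example values.
set -eu

# Write a request config whose SAN lists every hostname given; the first one is the CN.
write_san_config() {
  out=$1; shift
  cat > "$out" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[ dn ]
C  = LK
ST = WP
L  = Colombo
O  = Example (Private) Limited
CN = $1

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
EOF
  i=1
  for name in "$@"; do
    printf 'DNS.%d = %s\n' "$i" "$name" >> "$out"
    i=$((i + 1))
  done
}

# Generate a 2048-bit RSA key readable only by its owner and a one-year self-signed
# certificate carrying the SAN list. Usage: make_self_signed DIR CN [SAN ...]
make_self_signed() {
  dir=$1; shift
  mkdir -p "$dir"
  write_san_config "$dir/san.cnf" "$@"
  # umask in a subshell so the key is created 0600 without changing the caller's umask
  (
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout "$dir/tls.key" -out "$dir/tls.crt" -config "$dir/san.cnf"
  )
  chmod 644 "$dir/tls.crt"
}

# Print the SAN line of a certificate, e.g. "DNS:*.example.local, DNS:nexus.example.local".
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

if [ "${1:-}" = "run" ]; then
  make_self_signed /etc/nginx/ssl '*.example.local' nexus.example.local
  cert_sans /etc/nginx/ssl/tls.crt
  if command -v restorecon >/dev/null 2>&1; then restorecon -RF /etc/nginx/ssl; fi
fi
```

`sh make-cert.sh run` replaces the openssl req command above; cert_sans prints the names the certificate actually carries, which is what a client checks the requested hostname against. Docker clients still need the certificate added to /etc/docker/certs.d/<host>/ca.crt unless it is signed by a CA they trust.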

2.3. Replace the content of /etc/nginx/nginx.conf with the following.

# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {

worker_connections 1024;
multi_accept on;
use epoll;

}

http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

# Character set
charset utf-8;

# Only used when nginx has to resolve hostnames at run time (proxy_pass with variables, OCSP stapling); assumes a local caching resolver on 127.0.0.1
resolver 127.0.0.1 ipv6=off;

# allow the server to close the connection after a client stops responding. Frees up socket-associated memory.
reset_timedout_connection on;

# Security headers. add_header is only inherited into a server or location block that
# defines no add_header of its own, so repeat these where a block adds its own headers.
server_tokens off;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options nosniff always;
# Legacy header; current browsers ignore it and rely on CSP instead
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Permitted-Cross-Domain-Policies "master-only" always;
add_header X-Download-Options "noopen" always;

# Timeouts and buffers (the fastcgi_* directives are not used by a proxy_pass setup and are harmless)
client_header_timeout 300;
client_body_timeout 300;
fastcgi_read_timeout 300;
client_max_body_size 32m;
fastcgi_buffers 8 128k;
fastcgi_buffer_size 128k;

# Compression
gzip on;
gzip_vary on;
gzip_comp_level 1;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/x-javascript
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/xml
text/plain
text/javascript
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;


include /etc/nginx/mime.types;
default_type application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.

include /etc/nginx/conf.d/*.conf;

}

2.4. Create /etc/nginx/conf.d/nexus.conf file as follows.

server {

listen 80 default_server;
server_name nexus.example.local;
return 301 https://$server_name$request_uri;

}

server {

listen 443 ssl http2 default_server;
server_name nexus.example.local;

client_max_body_size 5G;

# Fixing 414 Request-URI Too Large errors
client_header_buffer_size 128k;
large_client_header_buffers 8 128k;

# optimize downloading files larger than 1G
proxy_max_temp_file_size 2048M;

ssl_certificate /etc/nginx/ssl/tls.crt;
ssl_certificate_key /etc/nginx/ssl/tls.key;

# openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparams.pem;

ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache builtin:1000 shared:SSL:10m;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); TLS 1.3 would additionally need OpenSSL 1.1.1,
# which the CentOS 7 base repository does not ship
ssl_protocols TLSv1.2;
# ECDHE-only AEAD suites: forward secrecy, no 3DES (Sweet32) and no static RSA key exchange
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

# Keep the access log at the proxy: it is the audit trail of which client pulled or pushed which artifact
access_log /var/log/nginx/nexus.access main;
error_log /var/log/nginx/nexus.error;

location / {

# Route Docker clients to the Docker connector of the Nexus repository (assumes a Docker
# repository whose HTTP connector listens on port 5000). A User-Agent match is spoofable
# and catches any client whose UA contains "docker"; a dedicated location for the /v2/
# registry API paths is the stricter alternative.
if ($http_user_agent ~ docker ) {

proxy_pass http://127.0.0.1:5000;

}

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_read_timeout 300;

# Redirect to Nexus
proxy_pass http://127.0.0.1:8081;

# Fix the "It appears that your reverse proxy set up is broken" error.
proxy_redirect http://127.0.0.1:8081 $scheme://$host;

}

}
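An added example, not part of the original tutorial: a static audit of the TLS and logging directives in an nginx server block. It is run against two constructed strings, the tutorial's original ssl_protocols/ssl_ciphers/access_log lines and the hardened replacement, so the weak settings and the corrected ones sit side by side, and it can be pointed at /etc/nginx/conf.d/nexus.conf on the host.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: a static audit of the TLS and
# logging directives in an nginx config. It is run below against two constructed
# snippets, the tutorial's original ssl_protocols/ssl_ciphers/access_log lines and
# the hardened replacement, and can be pointed at /etc/nginx/conf.d/nexus.conf.
set -eu

# Constructed from the original server block of this tutorial.
ORIGINAL_TLS='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
access_log off;'

# Hardened replacement: TLS 1.2 only, ECDHE-only AEAD suites, access log kept.
HARDENED_TLS='ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
access_log /var/log/nginx/nexus.access main;'

# Read nginx config on stdin, print one finding per line, return 1 if any were found.
audit_tls() {
  awk '
    function strip(s) { sub(/;.*$/, "", s); return s }     # drop the trailing ";"
    /^[ \t]*#/ { next }                                    # comment lines
    $1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++) {
        v = strip($i)
        if (v ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) { print "deprecated protocol enabled: " v; bad = 1 }
      }
    }
    $1 == "ssl_ciphers" {
      n = split(strip($2), c, ":")
      for (i = 1; i <= n; i++) {
        if (c[i] ~ /^!/) continue                           # negated entries are exclusions
        if (c[i] ~ /(3DES|DES|RC4|MD5|NULL|EXPORT|aNULL)/) { print "weak cipher allowed: " c[i]; bad = 1 }
        else if (c[i] ~ /^(RSA|kRSA|AES)/) { print "no forward secrecy (static RSA key exchange): " c[i]; bad = 1 }
      }
    }
    $1 == "access_log" && strip($2) == "off" { print "access logging disabled: no audit trail of artifact access"; bad = 1 }
    $1 == "ssl_prefer_server_ciphers" && strip($2) == "off" { print "client chooses the cipher suite"; bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Number of findings for a config snippet passed as a string.
count_findings() {
  printf '%s\n' "$1" | audit_tls | wc -l | tr -d ' '
}

# Live probe: a hardened server must refuse TLS 1.0 and 1.1 handshakes. Only
# meaningful when the local openssl itself still supports those versions.
probe_legacy_tls() {
  host=$1; rc=0
  for proto in tls1 tls1_1; do
    if openssl s_client -connect "$host:443" -servername "$host" "-$proto" </dev/null >/dev/null 2>&1; then
      echo "$host still accepts $proto"; rc=1
    fi
  done
  return $rc
}

if [ "${1:-}" = "run" ]; then
  audit_tls < "${2:-/etc/nginx/conf.d/nexus.conf}" && echo "no findings"
fi
```

Against the original lines the audit reports seven findings (two deprecated protocol versions, two static-RSA suites, two 3DES suites and the disabled access log); against the hardened block it reports none. `sh audit-tls.sh run` checks the deployed nexus.conf, and probe_legacy_tls nexus.example.local confirms from the network that the server really rejects TLS 1.0 and 1.1.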

2.5. SELinux policy to allow Nginx to connect to the network.

setsebool -P httpd_can_network_connect 1

This boolean lets Nginx open outbound TCP connections to any port. The narrower httpd_can_network_relay only covers a fixed set of proxy-related port types such as http_port_t, so using it would first require labelling ports 8081 and 5000 accordingly with semanage port.

2.6. Start and Enable Nginx.

systemctl start nginx
systemctl enable nginx

2.7. Open TCP ports 80 and 443 through the firewall. Do not open 8081: Nexus listens on 127.0.0.1 only and is reached through Nginx.

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp

firewall-cmd --reload
Tip: For the first login to the web UI, see Nexus Initial Login Information.

3. References

  1. Repository Manager 3
  2. Strong SSL Security on Nginx
  3. How do I configure the Nexus Jenkins Plugin
  4. System Requirements