Install Sonatype Nexus 3 on Ubuntu 24.04 with HTTPS

Overview

  • Layout: Binaries in /opt/sonatype/nexus-<ver>, data in /opt/sonatype-work/nexus3.
  • Key switch: Set data dir with -Dkaraf.data (plus absolute log/tmp paths) in bin/nexus.vmoptions.
  • TLS: Let’s Encrypt certificate via Cloudflare DNS-01, served by HAProxy 3.2; Nexus stays on HTTP 127.0.0.1:8081.
  • Base URL: Configure via System → Capabilities → Base URL.
  • Database: This guide uses the default embedded H2 database that ships with Nexus 3. It is fine for a single-node instance; for larger or HA deployments, consult Sonatype’s guidance before switching databases, because the database choice changes how you back up and upgrade.
  • Do not edit: $install/etc/nexus-default.properties; use $DATA/etc/nexus.properties.

Part A — Install Nexus

  1. Become root
sudo su -
  2. Create service user & base folders (--system gives nexus a nologin shell and no password)
adduser --system --home /opt/sonatype --group nexus
mkdir -p /opt/sonatype-work
chown -R nexus:nexus /opt/sonatype /opt/sonatype-work
  3. Download & extract Nexus (example: 3.84.1-01; compare the tarball’s checksum with the one Sonatype publishes for that release before extracting)
cd /opt/sonatype
curl -OL https://cdn.download.sonatype.com/repository/downloads-prod-group/3/nexus-3.84.1-01-linux-x86_64.tar.gz
tar xvz --keep-directory-symlink -f nexus-3.84.1-01-linux-x86_64.tar.gz
ln -sfn /opt/sonatype/nexus-3.84.1-01 /opt/sonatype/nexus
rm -f nexus-3.84.1-01-linux-x86_64.tar.gz

Result:

/opt/sonatype/nexus-3.84.1-01/   # binaries
/opt/sonatype/sonatype-work/     # default data dir from tarball
/opt/sonatype/nexus              # symlink → versioned dir
  4. Move the data dir to /opt/sonatype-work
mv /opt/sonatype/sonatype-work /opt/
chown -R nexus:nexus /opt/sonatype /opt/sonatype-work
  5. Make /opt/sonatype-work/nexus3 authoritative (VM options). This file lives in the versioned install dir, so re-apply it after every upgrade, and size -Xms/-Xmx for your host rather than copying the values below.
cat >/opt/sonatype/nexus/bin/nexus.vmoptions <<'EOF'
-Xms2703m
-Xmx2703m
-XX:+UnlockDiagnosticVMOptions
-XX:+LogVMOutput
-XX:LogFile=/opt/sonatype-work/nexus3/log/jvm.log
-XX:-OmitStackTraceInFastThrow
-Dkaraf.home=.
-Dkaraf.base=.
-Djava.util.logging.config.file=etc/spring/java.util.logging.properties
-Dkaraf.data=/opt/sonatype-work/nexus3
-Dkaraf.log=/opt/sonatype-work/nexus3/log
-Djava.io.tmpdir=/opt/sonatype-work/nexus3/tmp
-Djdk.tls.ephemeralDHKeySize=2048
-Dfile.encoding=UTF-8
--add-reads=java.xml=java.logging
--add-opens
java.base/java.security=ALL-UNNAMED
--add-opens
java.base/java.net=ALL-UNNAMED
--add-opens
java.base/java.lang=ALL-UNNAMED
--add-opens
java.base/java.util=ALL-UNNAMED
--add-opens
java.naming/javax.naming.spi=ALL-UNNAMED
--add-opens
java.rmi/sun.rmi.transport.tcp=ALL-UNNAMED
--add-exports=java.base/sun.net.www.protocol.http=ALL-UNNAMED
--add-exports=java.base/sun.net.www.protocol.https=ALL-UNNAMED
--add-exports=java.base/sun.net.www.protocol.jar=ALL-UNNAMED
--add-exports=jdk.xml.dom/org.w3c.dom.html=ALL-UNNAMED
--add-exports=jdk.naming.rmi/com.sun.jndi.url.rmi=ALL-UNNAMED
--add-exports=java.security.sasl/com.sun.security.sasl=ALL-UNNAMED
--add-exports=java.base/sun.security.x509=ALL-UNNAMED
--add-exports=java.base/sun.security.rsa=ALL-UNNAMED
--add-exports=java.base/sun.security.pkcs=ALL-UNNAMED
EOF

install -d -o nexus -g nexus /opt/sonatype-work/nexus3/{etc,log,tmp}
chown -R nexus:nexus /opt/sonatype-work
  6. Minimal Nexus overrides (in the data dir). The default application-host is 0.0.0.0, so without the override below the plaintext port is reachable from the whole network even after HAProxy fronts it.
tee /opt/sonatype-work/nexus3/etc/nexus.properties >/dev/null <<'EOF'
application-port=8081
# Listen on loopback only: HAProxy on this host terminates TLS and forwards to 127.0.0.1:8081
application-host=127.0.0.1
# nexus-context-path=/nexus   # uncomment if you proxy under a path
EOF
chown -R nexus:nexus /opt/sonatype-work/nexus3
  7. Create the systemd service and start
tee /etc/systemd/system/nexus.service >/dev/null <<'EOF'
[Unit]
Description=Sonatype Nexus Repository
After=network.target

[Service]
Type=forking
User=nexus
LimitNOFILE=65536
Environment="NEXUS_DATA=/opt/sonatype-work/nexus3"
# Optional: use a system JDK instead of the bundled one
# Environment="APP_JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64"
ExecStart=/opt/sonatype/nexus/bin/nexus start
ExecStop=/opt/sonatype/nexus/bin/nexus stop
Restart=on-abort
TimeoutSec=600

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now nexus
  8. Verify Nexus
systemctl status nexus --no-pager
ls -l /opt/sonatype-work/nexus3/log
tail -f /opt/sonatype-work/nexus3/log/nexus.log

Open http://<server>:8081/ and sign in with the initial password from:

/opt/sonatype-work/nexus3/admin.password

If you bound application-host to 127.0.0.1 (recommended, since HAProxy will front it), port 8081 answers only on the server itself: tunnel it over SSH, or finish Part B first and sign in over HTTPS. The first-login wizard makes you change the admin password and asks whether anonymous access stays enabled; once you complete it, Nexus deletes admin.password.
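Before exposing the instance, it is worth checking that the layout really is what the overview claims: every JVM path in bin/nexus.vmoptions lives under /opt/sonatype-work/nexus3, and Nexus listens only on loopback. The script below is an added example written for this guide, not part of Nexus or Sonatype’s tooling; the file paths match the steps above, the function names and the --run flag are this example’s own, and the sample files the test feeds it are constructed.

```shell
#!/usr/bin/env bash
# Post-install layout checks for the Nexus install described above (example script,
# not Sonatype's). Run with --run on the server; the functions can also be sourced.
set -eu

# vmoptions_paths_ok VMOPTIONS DATA_DIR
# Returns 0 when -Dkaraf.data, -Dkaraf.log, -Djava.io.tmpdir and -XX:LogFile all
# resolve to DATA_DIR or below it; reports each offending or missing key on stderr
# and returns 1 otherwise. A path outside DATA_DIR means the install dir (or /tmp)
# silently becomes a data location that the backup and upgrade steps do not cover.
vmoptions_paths_ok() {
    local file="$1" data="$2" rc=0 key line val
    for key in -Dkaraf.data= -Dkaraf.log= -Djava.io.tmpdir= -XX:LogFile=; do
        line="$(grep -- "^${key}" "$file" | head -n 1)"
        if [ -z "$line" ]; then
            echo "missing: ${key}" >&2
            rc=1
            continue
        fi
        val="${line#"$key"}"
        case "$val" in
            "$data"|"$data"/*) ;;   # inside the data dir
            *) echo "outside data dir: $line" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# nexus_bound_to_loopback NEXUS_PROPERTIES
# Returns 0 only when application-host is explicitly set to a loopback address.
# With no application-host line Nexus falls back to 0.0.0.0 (all interfaces).
nexus_bound_to_loopback() {
    local host
    host="$(sed -n 's/^application-host=[[:space:]]*//p' "$1" | tail -n 1)"
    [ "$host" = "127.0.0.1" ] || [ "$host" = "localhost" ]
}

if [ "${1:-}" = "--run" ]; then
    vmoptions_paths_ok /opt/sonatype/nexus/bin/nexus.vmoptions /opt/sonatype-work/nexus3
    nexus_bound_to_loopback /opt/sonatype-work/nexus3/etc/nexus.properties
    # Cross-check the running process: expect 127.0.0.1:8081, not 0.0.0.0:8081 or *:8081
    ss -ltnp | grep ':8081'
    echo "layout OK"
fi
```

Run it as root after the service is up (`sudo bash nexus-layout-check.sh --run`); a non-zero exit with a line on stderr tells you exactly which path or bind setting to fix before moving on to Part B.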

Part B — HTTPS with Cloudflare DNS + HAProxy 3.2

  1. Install Certbot (Cloudflare) & HAProxy 3.2
apt update
apt install -y certbot python3-certbot-dns-cloudflare
add-apt-repository ppa:vbernat/haproxy-3.2 -y
apt-get update
apt-get install -y haproxy=3.2.*
systemctl enable --now haproxy

  2. Create Cloudflare credentials

Use an API token scoped to Zone → DNS → Edit for the one zone that holds nexus.maksonlee.com, not the account-wide Global API Key: this file lives on the Nexus host, and if it leaks the holder should be able to edit that zone’s DNS and nothing else.
# leave root if you're still root
exit

# as user 'administrator'
mkdir -p /home/administrator/.secrets/certbot
vi /home/administrator/.secrets/certbot/cloudflare.ini

Paste:

dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN

Secure it:

chmod 600 /home/administrator/.secrets/certbot/cloudflare.ini

  3. Ensure DNS exists in Cloudflare

Create DNS record nexus.maksonlee.com → A/AAAA → your HAProxy host.
(For DNS-01 issuance, “Proxied” and “DNS only” behave the same, because validation goes through the Cloudflare API rather than your host. “DNS only” is simpler while testing; “Proxied” puts Cloudflare’s edge in front of HAProxy, so the client addresses HAProxy sees will be Cloudflare’s.)


  4. Issue the certificate for nexus.maksonlee.com
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /home/administrator/.secrets/certbot/cloudflare.ini \
  -d nexus.maksonlee.com

  5. Bundle cert for HAProxy. HAProxy wants a single PEM holding the chain followed by the private key; rebuild this file after every renewal (or automate that with a certbot deploy hook), otherwise HAProxy keeps serving the expired certificate.
sudo mkdir -p /etc/haproxy/certs/
sudo bash -c 'cat /etc/letsencrypt/live/nexus.maksonlee.com/fullchain.pem \
  /etc/letsencrypt/live/nexus.maksonlee.com/privkey.pem \
  > /etc/haproxy/certs/nexus.maksonlee.com.pem'
sudo chmod 600 /etc/haproxy/certs/nexus.maksonlee.com.pem

  6. HAProxy config (TLS termination → Nexus :8081)

Add the following to /etc/haproxy/haproxy.cfg, below the stock global and defaults sections (Ubuntu’s defaults block already sets mode http and the timeouts these sections rely on):

# Redirect HTTP → HTTPS
frontend http_in
        bind *:80
        http-request redirect scheme https code 301 unless { ssl_fc }

# Terminate TLS and proxy to Nexus
frontend https_in
        bind *:443 ssl crt /etc/haproxy/certs/nexus.maksonlee.com.pem alpn h2,http/1.1
        default_backend nexus

backend nexus
        option http-buffer-request
        option http-keep-alive
        option forwardfor
        http-request set-header X-Forwarded-Proto https
        # optional if you need it:
        # http-request set-header X-Forwarded-Port 443
        server nexus1 127.0.0.1:8081 check

Validate & reload:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl reload haproxy

Browse to https://nexus.maksonlee.com/. Once that works, two hardening lines are worth adding: ssl-default-bind-options ssl-min-ver TLSv1.2 in the global section (the :443 bind then rejects TLS 1.0/1.1) and http-response set-header Strict-Transport-Security "max-age=31536000" in the https_in frontend (browsers then go straight to HTTPS instead of relying on the port-80 redirect). Also confirm from another machine that http://<server>:8081/ no longer answers; if it does, Nexus is still bound to 0.0.0.0.
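Certbot’s systemd timer renews the certificate on its own, but nothing above rebuilds /etc/haproxy/certs/nexus.maksonlee.com.pem afterwards, so HAProxy would keep serving the old bundle until someone repeats step 5 by hand. The deploy hook below is an added example written for this guide, not part of certbot or HAProxy; the install path /etc/letsencrypt/renewal-hooks/deploy/haproxy-bundle.sh and the function names are this example’s assumptions, while RENEWED_LINEAGE is the variable certbot actually exports to deploy hooks, and the certificate files the test feeds it are constructed stand-ins.

```shell
#!/usr/bin/env bash
# Certbot deploy hook (example, not shipped with certbot or HAProxy).
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/haproxy-bundle.sh
# Certbot runs every executable in that directory after a successful renewal with
# RENEWED_LINEAGE set to the lineage dir, e.g. /etc/letsencrypt/live/nexus.maksonlee.com
set -eu

CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"

# bundle_cert LINEAGE_DIR OUT_PEM
# Writes fullchain.pem followed by privkey.pem into OUT_PEM with mode 0600, via a
# temporary file in the same directory so the replacement is an atomic rename and
# HAProxy can never load a half-written bundle. Returns 1 if either input is missing.
bundle_cert() {
    local lineage="$1" out="$2" tmp
    [ -r "$lineage/fullchain.pem" ] || { echo "missing $lineage/fullchain.pem" >&2; return 1; }
    [ -r "$lineage/privkey.pem" ]   || { echo "missing $lineage/privkey.pem" >&2; return 1; }
    tmp="$(mktemp "$out.XXXXXX")"   # mktemp creates the file 0600 already
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    chmod 0600 "$tmp"               # keep the key-bearing file private to root explicitly
    mv -f "$tmp" "$out"
}

# bundle_is_complete OUT_PEM
# Returns 0 only if the bundle carries at least one certificate and one private key block,
# which catches an empty or chain-only file before HAProxy is told to reload.
bundle_is_complete() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

main() {
    local name out
    name="$(basename "$RENEWED_LINEAGE")"   # nexus.maksonlee.com
    out="$CERT_DIR/$name.pem"
    mkdir -p "$CERT_DIR"
    bundle_cert "$RENEWED_LINEAGE" "$out"
    bundle_is_complete "$out"
    haproxy -c -f /etc/haproxy/haproxy.cfg   # never reload into a broken config
    systemctl reload haproxy
}

# Only act when certbot invoked us; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it with `sudo install -m 0755 haproxy-bundle.sh /etc/letsencrypt/renewal-hooks/deploy/` and exercise it once by hand before trusting the timer: `sudo RENEWED_LINEAGE=/etc/letsencrypt/live/nexus.maksonlee.com /etc/letsencrypt/renewal-hooks/deploy/haproxy-bundle.sh`, then check the served certificate’s dates with `openssl s_client -connect nexus.maksonlee.com:443 -servername nexus.maksonlee.com </dev/null | openssl x509 -noout -dates`.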


Part C — Make Nexus proxy-aware (Base URL capability)

Set Base URL (UI)

  • Settings → System → Capabilities → Create capability
  • Type: Base URL
  • URL: https://nexus.maksonlee.com/ (trailing / is fine)
  • Create capability → ensure it’s Enabled.
