1. Deploy Nexus 3 with Podman
podman run --name nexus -d \
  -p 127.0.0.1:8081:8081 \
  -v /data:/nexus-data \
  -v /etc/localtime:/etc/localtime:ro \
  -e TZ="Asia/Shanghai" \
  -e INSTALL4J_ADD_VM_PARAMS="-Xms10240m -Xmx10240m -XX:MaxDirectMemorySize=4096m" \
  docker.io/sonatype/nexus3
Notes:
- Nexus listens on port 8081 by default.
- Data is persisted in /data. The official image runs Nexus as UID 200, so that directory must be writable by UID 200 (for example `chown -R 200 /data`) before the first start; on an SELinux-enforcing host add the `:Z` suffix to the volume flag.
- The JVM parameters (heap and direct memory) can be adjusted to the host's memory.
- The port is published on 127.0.0.1 only. Nginx (section 4) proxies to 127.0.0.1:8081, and publishing the port on all interfaces (`-p 8081:8081`) would let any client bypass the Nginx IP allowlist by connecting to port 8081 directly.
2. Build and install Nginx 1.22 (with HTTPS support)
# Unpack the source
cd /opt
tar -zvxf nginx-1.22.0.tar.gz
cd nginx-1.22.0
# Install build dependencies
yum -y install gcc make zlib zlib-devel pcre-devel openssl openssl-devel
# Configure, build and install
./configure --prefix=/usr/local/nginx --with-http_ssl_module
make && make install
3. Configure the main Nginx configuration file
File path: /usr/local/nginx/conf/nginx.conf
user nobody;
worker_processes 1;

error_log logs/error.log info;
pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    gzip on;

    # Security headers. They are inherited by server/location blocks only if
    # that block declares no add_header of its own. X-XSS-Protection is a
    # legacy header that current browsers ignore; it is kept for older clients.
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";

    include conf.d/*.conf;

    # Cap request body size (artifact uploads to Nexus can be large)
    client_max_body_size 5000m;
}
4. Create the reverse-proxy configuration /usr/local/nginx/conf/conf.d/mirror.conf
# Backend: the Nexus container
upstream backend {
    server 127.0.0.1:8081;
}

# HTTP: redirect everything to HTTPS
server {
    listen 80;
    server_name mirrors.benlai.com mirrors.benlai-io.com;
    return 301 https://$host$request_uri;
}

# HTTPS
server {
    listen 443 ssl;
    server_name mirrors.benlai.com mirrors.benlai-io.com;

    ssl_certificate     /usr/local/nginx/conf/ssl/benlai-io.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/benlai-io.com.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # nginx 1.22 still enables TLSv1 and TLSv1.1 by default; allow only modern versions
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Public repository path
    location ^~ /repository/ {
        allow all;
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell Nexus the client connected over HTTPS so it generates https:// links
        proxy_set_header X-Forwarded-Proto https;
    }

    # Internal allowlist only
    location ^~ /admin/ {
        allow 10.93.152.0/21;
        allow 10.86.160.0/21;
        allow 10.93.64.131;
        deny all;
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Everything else (Nexus UI and API)
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
Notes:
- HTTP requests are redirected to HTTPS automatically.
- /repository/ : public access path.
- /admin/ : internal IP allowlist only; everyone else is denied.
- The allow/deny rules match the TCP peer address ($remote_addr), not the X-Real-IP or X-Forwarded-For headers, so they cannot be spoofed with a header. They do assume that Nginx sees the real client address, i.e. that no other proxy sits in front of it.
- Caveat: Nexus 3 serves its web UI from / (its admin screens are client-side routes such as /#admin/..., and the fragment is never sent to the server) and its management API from /service/rest/. A location for /admin/ therefore matches nothing that Nexus actually uses, and the administrative endpoints fall through to `location /`, which is open to everyone. Apply the allowlist to the paths you really want restricted and keep Nexus's own authentication enabled; this block on its own does not protect the admin interface.
5. Create the SSL certificate directory (self-signed example)
mkdir -p /usr/local/nginx/conf/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout /usr/local/nginx/conf/ssl/benlai-io.com.key \
  -out /usr/local/nginx/conf/ssl/benlai-io.com.crt \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Benlai/OU=IT/CN=mirrors.benlai-io.com"
# The private key should be readable by root only (the nginx master process reads it)
chmod 600 /usr/local/nginx/conf/ssl/benlai-io.com.key
To use a CA-issued certificate, replace the .crt and .key files above. Note that this self-signed certificate names only mirrors.benlai-io.com and carries no subjectAltName, so clients connecting as mirrors.benlai.com (the other server_name) will see a hostname mismatch, and repository clients such as Maven, pip or Docker will refuse it unless it is explicitly trusted; a CA-issued certificate covering both names avoids both problems.
6. Start Nginx and test the configuration
cd /usr/local/nginx/sbin
./nginx -t   # check configuration syntax
./nginx      # start the service
To reload the configuration without restarting:
./nginx -s reload
7. Optional: systemd unit
It is recommended to enable both the Podman Nexus container and Nginx at boot (Podman can generate a unit file for an existing container with its `generate systemd` subcommand).
Create /etc/systemd/system/nginx.service:
[Unit]
Description=The Nginx HTTP and reverse proxy server
After=network.target

[Service]
# nginx daemonizes by default, so systemd must track it through the PID file;
# without Type=forking the unit would be considered dead as soon as the
# foreground parent exits.
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
Restart=on-failure

[Install]
WantedBy=multi-user.target
Enable the service (daemon-reload makes systemd pick up the new unit file; daemon-reexec is not needed for this):
systemctl daemon-reload
systemctl enable nginx
systemctl start nginx
8. Test access
# Test the redirect (expect 301 with an https:// Location)
curl -I http://mirrors.benlai.com/repository/
# Test proxied access (-k skips certificate verification for the self-signed certificate)
curl -k https://mirrors.benlai.com/repository/
# Test the restricted path. The allow/deny rules match the TCP source address,
# so a spoofed header such as -H "X-Real-IP: 1.2.3.4" is ignored by nginx and
# proves nothing. Run the request from a host outside the allowlist and expect
# HTTP 403; from an allowlisted host expect the proxied response.
curl -k -I https://mirrors.benlai.com/admin/