NEXUS-10570 (project: Dev - Nexus Repo)

document best practice for url encoding/decoding through reverse proxies


    Details

      Description

      When npm clients send requests to the remote server (i.e. the registry URL), they needlessly encode slashes as %2f. Sonatype has filed an npm issue about this because it seems improper that the npm client URL-encodes forward slashes: https://github.com/npm/npm/issues/16380

      Other clients (not npm) may also send URLs with encoded slashes.

      Unfortunately this encoding of slashes conflicts with the default settings of Apache httpd, which by default DOES NOT ALLOW THEM and WILL RETURN a 404 response.

      From https://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes

      With the default value, Off, such URLs are refused with a 404 (Not found) error.

      However, if you are running Apache httpd 2.0.52 to 2.2.8 and you set:

      DO NOT DO THIS in Apache httpd 2.0.52 to 2.2.8
      AllowEncodedSlashes On
      

      Then you will trigger a bug that incorrectly decodes encoded slashes when they should not be:

      https://bz.apache.org/bugzilla/show_bug.cgi?id=35256

      The workaround to allow encoded slashes through Apache httpd involves two settings:

      DO THIS: Prevent Apache httpd from decoding %2f URL Encoded slashes
      AllowEncodedSlashes NoDecode
      

      and

      The ProxyPass directive may also need the nocanon option. From https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass :

      Normally, mod_proxy will canonicalise ProxyPassed URLs. But this may be incompatible with some backends, particularly those that make use of PATH_INFO. The optional nocanon keyword suppresses this and passes the URL path "raw" to the backend. Note that this keyword may affect the security of your backend, as it removes the normal limited protection against URL-based attacks provided by the proxy.

      DO THIS: Example use of nocanon option
      ProxyPass / http://localhost:8081/ nocanon
      

       
      Sonatype server products do not rely on Apache httpd to filter out suspect URLs containing path info with encoded values, so it is OK, and sometimes required, to let these through to the backend servers.

       Additional Reference: http://stackoverflow.com/a/9933890/235000
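      As an added example (not Sonatype's, Nexus's or Apache httpd's own code), the Python script below does two things a practitioner wants after reading the above: it lints an httpd config fragment for the two settings the ticket asks for (AllowEncodedSlashes NoDecode plus nocanon on ProxyPass), and it shows the path check a backend has to do itself once nocanon hands it raw, still-encoded paths, since that is the "limited protection against URL-based attacks" the httpd docs warn is removed. The two VirtualHost fragments, the hostname nexus.example.com and the backend port 8081 are constructed for the example; the 2.0.52-2.2.8 range and bug 35256 are the ones named in the ticket.

```python
"""Lint an httpd reverse-proxy config for %2F pass-through, and show the backend-side
path check that becomes the backend's job once 'ProxyPass ... nocanon' hands it raw paths."""
import re
from urllib.parse import unquote

# Constructed httpd fragments for this example; not taken from any real deployment.
# The weak one relies on httpd defaults (AllowEncodedSlashes Off, canonicalised ProxyPass).
WEAK_CONF = """
<VirtualHost *:80>
    ServerName nexus.example.com
    ProxyPass / http://localhost:8081/
    ProxyPassReverse / http://localhost:8081/
</VirtualHost>
"""

# The corrected one carries both settings the ticket recommends.
FIXED_CONF = """
<VirtualHost *:80>
    ServerName nexus.example.com
    AllowEncodedSlashes NoDecode
    ProxyPass / http://localhost:8081/ nocanon
    ProxyPassReverse / http://localhost:8081/
</VirtualHost>
"""


def check_proxy_config(conf):
    """Return findings for settings that would 404 or decode %2F before it reaches the backend."""
    findings = []
    aes = re.search(r"^\s*AllowEncodedSlashes\s+(\S+)", conf, re.I | re.M)
    value = aes.group(1).lower() if aes else "off"          # httpd's default is Off
    if value == "off":
        findings.append("AllowEncodedSlashes is Off (or absent): URLs containing %2F get a 404")
    elif value == "on":
        findings.append("AllowEncodedSlashes On decodes %2F (bug 35256 on httpd 2.0.52-2.2.8); use NoDecode")
    # ProxyPass only: the \s+ after the name keeps ProxyPassReverse/ProxyPassMatch out of the match.
    for m in re.finditer(r"^\s*ProxyPass\s+(\S+)\s+(\S+)(.*)$", conf, re.I | re.M):
        if "nocanon" not in m.group(3).lower():
            findings.append(f"ProxyPass {m.group(1)} lacks nocanon: the path is canonicalised, not passed raw")
    return findings


class BadPath(ValueError):
    """Raised for a request path the backend must refuse."""


def route_segments(raw_path):
    """Backend-side check for raw (nocanon) paths. Split on the literal '/' first, so an
    encoded %2F stays inside its segment and a registry can still see '@scope%2fname' as
    one package name; then decode each segment exactly once and refuse anything that would
    act as a traversal if the backend later turned the value into a filesystem path."""
    if not raw_path.startswith("/"):
        raise BadPath("not an absolute path")
    raw_segments = raw_path[1:].split("/")
    if raw_segments and raw_segments[-1] == "":   # tolerate one trailing slash
        raw_segments.pop()
    segments = []
    for raw in raw_segments:
        seg = unquote(raw)                          # one decode only; never decode twice
        if any(ord(c) < 0x20 or c == "\x7f" for c in seg):
            raise BadPath(f"control character in segment {raw!r}")
        for part in seg.split("/"):                 # parts that were hidden behind %2F
            if part in ("", ".", ".."):
                raise BadPath(f"dot or empty segment hidden in {raw!r}")
        segments.append(seg)
    return segments


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, check_proxy_config(conf) or "OK")
    print(route_segments("/repository/npm-proxy/@sonatype%2fnexus"))
    for bad in ("/repository/npm-proxy/..%2f..%2fetc%2fpasswd", "/repository/%2e%2e/secret"):
        try:
            route_segments(bad)
        except BadPath as exc:
            print("rejected:", bad, "->", exc)
```

      The lint flags the weak fragment twice (no AllowEncodedSlashes, no nocanon) and passes the fixed one. The route check keeps the scoped npm name "@sonatype/nexus" as a single segment while refusing "..%2f..%2fetc%2fpasswd" and the dot-encoded "%2e%2e", which is the class of input the proxy would otherwise have canonicalised away.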

              People

              Assignee:
              Unassigned
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Peter Lynch