  1. Dev - Nexus Repo
  2. NEXUS-12022

Provide options for proxy repository outbound requests to use preemptive authentication

    Details

    • Type: Story
    • Status: Refine
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.0
    • Fix Version/s: None
    • Component/s: Repository, Transport
    • Labels:
      None
    • Notability:
      4

      Description

      Preemptive auth is bad in general (this is why clients like Maven do not do it by default).

      Still, there are valid use cases where it would be perfectly acceptable for proxy repository outbound requests that are known to require authentication to use pre-emptive auth.

      • the remote is a known internal endpoint that is implicitly trusted
      • the remote is known to ALWAYS require auth, instead of for just some URLs
      • the connection is over an https connection
      • bandwidth needs to be conserved; this type of auth only sends one request with credentials instead of sending two
      • load (network, disk, CPU) can be reduced
      • outbound request logging is reduced (1 instead of 2)
      • latency to resolve the incoming request is reduced

      Implementation Suggestions

      • Suggestion that the implementation only allow sending pre-emptively if the remote URL is https, to help avoid leaking credentials in the clear.
      • Suggestion that this feature could allow whitelisting remote IP addresses, to help assure that if the remote starts responding with 302 redirects to someplace not expected, then pre-emptive auth could make sure this is not a different host.
      • Suggestion to simply not do pre-emptive auth for ANY type of 3xx HTTP redirect.
      • Suggestion to optionally bulk whitelist internal IP subnets by default.

      This story is to flesh out the value add of this type of authentication for proxy repositories and then decide how to expose the feature to Nexus Administrators in Nexus 3.
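
One way the suggested guards could combine into a single decision, as an added example that is not Nexus code and not part of the original issue. The function name, parameters, subnet list and sample hosts are hypothetical, and the same-origin comparison is an added assumption that goes slightly beyond the IP whitelist suggested above.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical per-repository allowlist (constructed values, not Nexus settings).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def origin(parts):
    """Scheme, host and effective port of an https URL, normalised for comparison."""
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port or 443)


def may_send_preemptive(configured_remote, request_url, resolved_ip,
                        is_redirect_followup, allowed_nets=ALLOWED_NETS):
    """Return (decision, reason) for attaching credentials to the first request.

    A False decision means falling back to the normal flow: send without
    credentials and only answer an authentication challenge if one arrives.
    """
    # Never send credentials pre-emptively on a request created by any 3xx.
    if is_redirect_followup:
        return False, "request follows a 3xx redirect"
    remote, target = urlsplit(configured_remote), urlsplit(request_url)
    # Credentials must not travel in the clear.
    if target.scheme.lower() != "https":
        return False, "target is not https"
    # Assumption: credentials only go to the origin the administrator configured.
    if origin(target) != origin(remote):
        return False, "target origin differs from configured remote"
    # The address actually connected to must be inside an allowed subnet.
    try:
        addr = ipaddress.ip_address(resolved_ip)
    except ValueError:
        return False, "resolved address is not a valid IP"
    if not any(addr in net for net in allowed_nets):
        return False, "resolved address is outside the allowlist"
    return True, "ok"


def demo():
    """Run the policy over constructed sample requests."""
    remote = "https://repo.internal.example/maven/"
    return [
        may_send_preemptive(remote, remote + "a.pom", "10.1.2.3", False),
        may_send_preemptive(remote, "http://repo.internal.example/maven/a.pom", "10.1.2.3", False),
        may_send_preemptive(remote, remote + "a.pom", "10.1.2.3", True),
        may_send_preemptive(remote, remote + "a.pom", "203.0.113.7", False),
        may_send_preemptive(remote, "https://cdn.other.example/a.pom", "10.1.2.3", False),
    ]
```

The `resolved_ip` argument is meant to be the address the connection is actually made to, so that the allowlist check and the connection cannot disagree about the destination.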

              People

              Assignee:
              Unassigned
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Mahendra Surani
              Votes:
              9
              Watchers:
              20