Dev - Nexus Repo / NEXUS-13129

proxy repositories with Amazon S3 remotes can be automatically blocked if the Server header value is overridden


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.14.4, 3.3.1
    • Fix Version/s: None
    • Component/s: Proxy Repository
    • Story Points: 2

      Description

      Create a Maven 2 proxy repository to a remote URL of https://artifacts.elastic.co/maven with automatic blocking enabled = True.

      The remote is an Amazon S3 storage fronted by an nginx instance. The Server response header is:

      jvm 1    | 2017-05-11 09:38:33,893-0300 DEBUG [proxy-3-thread-3] admin org.apache.http.headers - http-outgoing-16 << Server: nginx/1.4.6 (Ubuntu)
      

      However, other response headers are also returned which indicate that the remote is in fact served by Amazon S3:

      jvm 1    | 2017-05-11 09:38:33,803-0300 DEBUG [proxy-3-thread-3] admin org.apache.http.headers - http-outgoing-16 >> HEAD /maven/ HTTP/1.1
      jvm 1    | 2017-05-11 09:38:33,893-0300 DEBUG [proxy-3-thread-3] admin org.apache.http.headers - http-outgoing-16 << HTTP/1.1 404 Not Found
      jvm 1    | 2017-05-11 09:38:33,893-0300 DEBUG [proxy-3-thread-3] admin org.apache.http.headers - http-outgoing-16 << Content-Type: application/xml
      jvm 1    | 2017-05-11 09:38:33,893-0300 DEBUG [proxy-3-thread-3] admin org.apache.http.headers - http-outgoing-16 << Date: Thu, 11 May 2017 12:38:34 GMT
      jvm 1    | 2017-05-11 09:38:33,893-0300 DEBUG [proxy-3-thread-3] admin org.apache.http.headers - http-outgoing-16 << Server: nginx/1.4.6 (Ubuntu)
      jvm 1    | 2017-05-11 09:38:33,893-0300 DEBUG [proxy-3-thread-3] admin org.apache.http.headers - http-outgoing-16 << x-amz-id-2: /GJZNszXP80hLOtU+a1vfCdlJwmw4klgdrGQSvIUi+tShyQDtInxzV0zsvFLykCVFFemSf7XnIc=
      jvm 1    | 2017-05-11 09:38:33,893-0300 DEBUG [proxy-3-thread-3] admin org.apache.http.headers - http-outgoing-16 << x-amz-request-id: 3987E3553F913827
      jvm 1    | 2017-05-11 09:38:33,893-0300 DEBUG [proxy-3-thread-3] admin org.apache.http.headers - http-outgoing-16 << Connection: keep-alive
      

      As per NEXUS-3338, Nexus 2.x tries to detect whether the remote is an S3 server by looking at the Server header value: if it contains the string amazons3, the remote is not auto-blocked even when the auto-blocking remote checks return 404.

      Since the remote is fronted by an nginx server which replaces the Server header value, the Nexus S3 detection fails and the remote is permanently Automatically Blocked from servicing any outbound requests.

      Workaround:

      To have a proxy repository to such a remote, one needs to edit the configuration of the proxy repository and turn the "Auto Blocking Enabled" feature to "False".

      Expected

      Nexus should also look at other response headers to detect whether the remote is S3 based. For example, x-amz-request-id would be a good one, as it is unlikely to be stripped out by a reverse proxy server such as nginx.
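
The difference between the current Server-header check and the check proposed above, as an added Python sketch (not Nexus code) that replays response headers from the log in this issue. The function names, the case-insensitive matching and the simplified "404 and not S3 means block" rule are assumptions made for illustration.

```python
import re

# Log prefix as it appears in this issue's debug output.
PREFIX = ("jvm 1    | 2017-05-11 09:38:33,893-0300 DEBUG [proxy-3-thread-3] admin "
          "org.apache.http.headers - http-outgoing-16 << ")
# Response lines from the issue's log (Date, x-amz-id-2, Connection omitted).
PROXIED_S3 = [PREFIX + h for h in (
    "HTTP/1.1 404 Not Found", "Content-Type: application/xml",
    "Server: nginx/1.4.6 (Ubuntu)", "x-amz-request-id: 3987E3553F913827")]
# Constructed samples: S3 answering directly, and an nginx remote that is not S3.
DIRECT_S3 = [PREFIX + h for h in ("HTTP/1.1 404 Not Found", "Server: AmazonS3")]
PLAIN_NGINX = [PREFIX + h for h in ("HTTP/1.1 404 Not Found", "Server: nginx/1.4.6 (Ubuntu)")]

RESPONSE_LINE = re.compile(r"org\.apache\.http\.headers - \S+ << (.*)$")

def parse_response(lines):
    """Return (status_code, headers) from HttpClient header debug lines."""
    status, headers = None, {}
    for line in lines:
        match = RESPONSE_LINE.search(line)
        if not match:
            continue  # request lines (">>") and unrelated log output
        text = match.group(1)
        if text.startswith("HTTP/"):
            status = int(text.split()[1])
        elif ":" in text:
            name, value = text.split(":", 1)
            # Header names are case-insensitive, so normalise before lookup.
            headers[name.strip().lower()] = value.strip()
    return status, headers

def s3_by_server_header(headers):
    """Behaviour described in the issue: only the Server value is inspected."""
    return "amazons3" in headers.get("server", "").lower()

def s3_by_any_signal(headers):
    """Proposed behaviour: x-amz-request-id also marks the remote as S3."""
    return s3_by_server_header(headers) or "x-amz-request-id" in headers

def would_auto_block(lines, detector):
    """Simplified model (assumption): a 404 blocks unless the remote looks like S3."""
    status, headers = parse_response(lines)
    return status == 404 and not detector(headers)

if __name__ == "__main__":
    for name, sample in (("proxied S3", PROXIED_S3), ("direct S3", DIRECT_S3),
                         ("plain nginx", PLAIN_NGINX)):
        print(name, would_auto_block(sample, s3_by_server_header),
              would_auto_block(sample, s3_by_any_signal))
```
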


              People

              Assignee: Unassigned
              Reporter: plynch Peter Lynch
              Last Updated By: Peter Lynch
              Votes: 0
              Watchers: 5
