
update reverse proxy example configurations to include RFC 7239 Forwarded header


    Details

    • Type: Improvement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.26.0
    • Fix Version/s: None
    • Component/s: Transport
    • Labels:

      Description

      RFC 7239 defines a standardized way for a reverse proxy to tell a web server how the request was proxied, using the Forwarded HTTP header:

      https://tools.ietf.org/html/rfc7239

      NXRM has historically supported the non-standard X-Forwarded headers to help support integrations with reverse proxy servers.

      NXRM upgraded Eclipse Jetty from 9.4.18.v20190429 to 9.4.30.v20200611 between NXRM 3.25.1 and 3.26.0 (NEXUS-24327). The newer Jetty version includes changes (attempts to fix bugs reported against Jetty) to how X-Forwarded headers are handled.

      Some customers who upgrade NXRM to 3.26.0 or newer have reported problems with particular combinations of X-Forwarded headers that worked in previous NXRM versions. Of note, AWS classic load balancers do set X-Forwarded-Port, and when that is combined with X-Forwarded-For headers, NXRM requests may fail with a 400 response. Sonatype does not document AWS load balancer configuration examples pointing at NXRM, but customers report that it can be made to work.

      For example, this combination of request headers causes NXRM 3.26.0 to return a 400 error status, where previous versions did not:

      Host: nexus:10042
      X-Forwarded-For: 127.0.0.1, 127.0.0.2
      X-Forwarded-Port: 10042
      X-Forwarded-Proto: https
      X-Forwarded-Host: nexus.example.com:10042
      X-Forwarded-Server: nexus.example.com

      The solution for this example is to remove the X-Forwarded-Port header, or to use a well-formed Forwarded header instead. For example:

      Forwarded: for=127.0.0.1,by=127.0.0.2;proto=https;host=nexus.example.com:10042
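      To make the migration concrete, the following script is an added example and not part of this issue or of NXRM: it rewrites the X-Forwarded-* header set shown above into a single RFC 7239 Forwarded header (one forwarded-element per hop in X-Forwarded-For, with proto and host attached to the first element, so the port travels inside host and no separate port parameter is needed), and it parses a Forwarded header back into its elements so the effective scheme and host a server would reconstruct can be checked. The header values are constructed from the example above; the function names are this example's own. Quoting follows the RFC 7239 grammar, where any value containing a character outside an HTTP token (a colon in host:port, or an IPv6 literal in brackets) must be a quoted-string.

```python
"""Translate legacy X-Forwarded-* headers into RFC 7239 Forwarded, and parse Forwarded back."""
import re

# Constructed headers: the combination reported to produce HTTP 400 on NXRM 3.26.0.
LEGACY_HEADERS = {
    "Host": "nexus:10042",
    "X-Forwarded-For": "127.0.0.1, 127.0.0.2",
    "X-Forwarded-Port": "10042",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "nexus.example.com:10042",
    "X-Forwarded-Server": "nexus.example.com",
}

# RFC 7230 tchar: the only characters allowed in an unquoted value.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def _quote_if_needed(value):
    """Return value unchanged if it is a token, otherwise as an RFC 7239 quoted-string."""
    if _TOKEN.fullmatch(value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _node(addr):
    """Format one address for for=/by=; IPv6 literals must be bracketed (RFC 7239 section 6)."""
    addr = addr.strip()
    if ":" in addr and not addr.startswith("["):
        return "[" + addr + "]"
    return addr


def legacy_to_forwarded(headers):
    """Build one Forwarded header value from X-Forwarded-* headers (header names case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    hops = [h for h in lower.get("x-forwarded-for", "").split(",") if h.strip()]
    proto = lower.get("x-forwarded-proto")
    host = lower.get("x-forwarded-host")
    port = lower.get("x-forwarded-port")
    # X-Forwarded-Port only matters if the host value does not already carry a port.
    if host and port and not re.search(r":\d+$", host):
        host = f"{host}:{port}"
    elements = []
    for index, hop in enumerate(hops):
        pairs = [f"for={_quote_if_needed(_node(hop))}"]
        if index == 0:  # proto/host describe the client-facing request, i.e. the first hop
            if proto:
                pairs.append(f"proto={_quote_if_needed(proto)}")
            if host:
                pairs.append(f"host={_quote_if_needed(host)}")
        elements.append(";".join(pairs))
    return ", ".join(elements)


def _split_outside_quotes(text, sep):
    """Split on sep, ignoring separators that appear inside quoted-strings."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_forwarded(header):
    """Parse a Forwarded value into a list of dicts, one per comma-separated forwarded-element."""
    elements = []
    for element in _split_outside_quotes(header, ","):
        params = {}
        for pair in _split_outside_quotes(element, ";"):
            if not pair.strip():
                continue
            name, _, value = pair.partition("=")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unescape quoted-pair
            params[name.strip().lower()] = value
        elements.append(params)
    return elements


def effective_base(header, fallback_host):
    """Scheme and host a server should use for generated URLs: first proto/host seen, else fallback."""
    proto = host = None
    for element in parse_forwarded(header):
        proto = proto or element.get("proto")
        host = host or element.get("host")
    return f"{proto or 'http'}://{host or fallback_host}"


if __name__ == "__main__":
    print("Forwarded:", legacy_to_forwarded(LEGACY_HEADERS))
    print(parse_forwarded(legacy_to_forwarded(LEGACY_HEADERS)))
```

Run as-is, the script emits `for=127.0.0.1;proto=https;host="nexus.example.com:10042", for=127.0.0.2` for the header set above, which carries the same client, scheme and host:port information as the five X-Forwarded-* headers in one element chain. Parsing the Forwarded line quoted above yields two elements, `{for: 127.0.0.1}` and `{by: 127.0.0.2, proto: https, host: nexus.example.com:10042}`, because a comma starts a new element while a semicolon only separates parameters within one.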

      Eclipse Jetty has transitioned to also supporting the standard RFC 7239 (single Forwarded) header, and use of X-Forwarded-* headers is being discouraged. There is a decent summary opinion to that effect from one Jetty developer here:

      https://github.com/eclipse/jetty.project/issues/3782#issuecomment-502188986

      Sonatype does not test all permutations of X-Forwarded headers. We rely on Jetty to test advanced permutations, while expecting our documented, recommended best-practice reverse proxy example configurations to remain accurate. Even the advanced permutations are best effort by the Jetty project, since there is no standard for X-Forwarded-* headers.

      Now that support for RFC 7239 is gaining momentum and the Eclipse Jetty project is committed to that standard, NXRM customers should be moving to the standard Forwarded header in their reverse proxy configurations.

      Expected

      Expand NXRM reverse proxy example configurations to include mention and examples on RFC 7239 usage.

              People

              Assignee: Unassigned
              Reporter: Peter Lynch (plynch)
              Last Updated By: Peter Lynch
              Votes: 0
              Watchers: 2