Details
Type: Bug
Resolution: Fixed
Priority: Major
Affects Version/s: 3.26.0, 3.26.1, 3.27.0
Description
Between NXRM 3.25.1 and 3.26.0, the bundled Eclipse Jetty was upgraded from 9.4.18.v20190429 to 9.4.30.v20200611 (NEXUS-24327). The newer Jetty changed how X-Forwarded-* headers are handled, as part of fixes for bugs reported against Jetty.
Some customers report that X-Forwarded-* header combinations that previously worked no longer do. NXRM's built-in validation of the Host header may now reject inbound requests with a 400 status code:
For example, this request:
curl -u admin:admin123 \
  -H "X-Forwarded-For: 10.180.10.86:8888, 10.183.225.176:9999" \
  -H "X-Forwarded-Port: 10001" \
  -H "X-Forwarded-Proto: https" \
  -H "X-Forwarded-Host: sub.example.com:10002" \
  -H "X-Forwarded-Server: sub.example.com" \
  http://localhost:8081/service/rest/repository/browse/maven-central/abbot/ -I

HTTP/1.1 400 Bad Request
Date: Wed, 02 Sep 2020 13:21:57 GMT
Content-Length: 0
Server: Jetty(9.4.30.v20200611)

fails, and nexus.log records this warning:
2020-09-02 09:24:46,310-0300 WARN [qtp2075011885-655] *SYSTEM org.sonatype.nexus.internal.web.HeaderPatternFilter - rejecting request from 10.180.10.86 due to invalid header 'Host: [sub.example.com:10002]:10001'
An upstream bug has been filed:
https://github.com/eclipse/jetty.project/issues/5224
Workaround
The rejected Host value combines the port carried in X-Forwarded-Host with the one in X-Forwarded-Port, so the fix at the proxy is to supply the port in only one of the two headers. If possible, remove the X-Forwarded-Port header from inbound requests, or remove the port from the X-Forwarded-Host value. Either option appears to let Jetty interpret the server name correctly.
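The following is an added example, not code from Sonatype or Jetty. It models the Host value visible in the nexus.log line above (X-Forwarded-Host with a port, plus X-Forwarded-Port, is rendered as a bracketed pseudo-IPv6 host with a second port) and checks it against a hypothetical Host-header validator standing in for HeaderPatternFilter, whose real pattern is not shown here. It then applies both workarounds from this section to the constructed headers from the curl request and shows that each yields a Host value the validator accepts. The composition rule is inferred from the single log line, not from Jetty's source.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the headers from the curl reproduction in the description.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "localhost:8081",
    "X-Forwarded-For": "10.180.10.86:8888, 10.183.225.176:9999",
    "X-Forwarded-Port": "10001",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "sub.example.com:10002",
    "X-Forwarded-Server": "sub.example.com",
}

# Hypothetical stand-in for NXRM's HeaderPatternFilter Host check (the actual
# pattern is not on the page): a DNS name or a bracketed IPv6 literal, optionally
# followed by exactly one ':port'.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_PATTERN = re.compile(
    rf"^(?:{_LABEL}(?:\.{_LABEL})*\.?|\[[0-9A-Fa-f:.]+\])(?::[0-9]{{1,5}})?$"
)


def host_header_is_valid(host: str) -> bool:
    """True if the Host value would pass the (hypothetical) pattern filter."""
    return HOST_PATTERN.fullmatch(host) is not None


def effective_host(headers: Dict[str, str]) -> str:
    """Model, inferred from the nexus.log line, of the Host value Jetty 9.4.30 hands
    to NXRM: X-Forwarded-Host replaces the host; if X-Forwarded-Port is also present
    it is appended as the port, and a host that already contains ':' is bracketed as
    though it were an IPv6 literal, producing '[sub.example.com:10002]:10001'."""
    h = {k.lower(): v for k, v in headers.items()}
    fwd_host = h.get("x-forwarded-host")
    if fwd_host is None:
        return h["host"]
    fwd_port = h.get("x-forwarded-port")
    if fwd_port is None:
        return fwd_host
    if ":" in fwd_host and not fwd_host.startswith("["):
        fwd_host = f"[{fwd_host}]"
    return f"{fwd_host}:{fwd_port}"


def drop_forwarded_port(headers: Dict[str, str]) -> Dict[str, str]:
    """Workaround 1: the proxy stops sending X-Forwarded-Port."""
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-port"}


def strip_port_from_forwarded_host(headers: Dict[str, str]) -> Dict[str, str]:
    """Workaround 2: the proxy sends X-Forwarded-Host without its ':port' suffix."""
    out = dict(headers)
    for k, v in list(out.items()):
        if k.lower() == "x-forwarded-host" and ":" in v and not v.startswith("["):
            out[k] = v.rsplit(":", 1)[0]
    return out


def check(headers: Dict[str, str]) -> Tuple[str, bool]:
    """Return (effective Host value, whether the filter would accept it)."""
    host = effective_host(headers)
    return host, host_header_is_valid(host)


if __name__ == "__main__":
    variants = [
        ("as sent", SAMPLE_HEADERS),
        ("without X-Forwarded-Port", drop_forwarded_port(SAMPLE_HEADERS)),
        ("X-Forwarded-Host without port", strip_port_from_forwarded_host(SAMPLE_HEADERS)),
    ]
    for label, hdrs in variants:
        host, ok = check(hdrs)
        verdict = "accepted" if ok else "rejected (400)"
        print(f"{label:30} Host: {host:32} {verdict}")
```

Running the script prints the original combination as rejected and both workaround variants as accepted, which is the behaviour the workaround text describes; the validator is deliberately strict about a single port so that a doubled port is caught the same way the log shows.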
Issue Links
- fixed by NEXUS-25774 upgrade Eclipse Jetty to 9.4.33.v20201020 (Closed)
- is related to NEXUS-25095 update reverse proxy example configurations to include RFC 7239 Forwarded header (New)