Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-25158

HeaderPatternFilter may reject implicit Host value due to certain combinations of X-Forwarded headers

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.26.0, 3.26.1, 3.27.0
    • Fix Version/s: 3.29.0
    • Component/s: Transport
    • Notability:
      3

      Description

      NXRM has upgraded Eclipse Jetty from 9.4.18.v20190429 to 9.4.30.v20200611 between NXRM version 3.25.1 to 3.26.0. ( NEXUS-24327 ). The newer version of Jetty has included changes ( attempts to fix reported bugs against Jetty ) to how X-Forwarded headers are being handled.

      Some customers are reporting that previously working X-Forwarded-* header combinations now no longer work. The built in protection of valid Host headers NXRM performs may fail inbound requests with a 400 status code response:

      For example this request:

      curl -u admin:admin123 -H "X-Forwarded-For: 10.180.10.86:8888, 10.183.225.176:9999" -H "X-Forwarded-Port: 10001" -H "X-Forwarded-Proto: https" -H "X-Forwarded-Host: sub.example.com:10002" -H "X-Forwarded-Server: sub.example.com" http://localhost:8081/service/rest/repository/browse/maven-central/abbot/ -I
      HTTP/1.1 400 Bad Request
      Date: Wed, 02 Sep 2020 13:21:57 GMT
      Content-Length: 0
      Server: Jetty(9.4.30.v20200611)
      

      Will fail with this in nexus.log:

      2020-09-02 09:24:46,310-0300 WARN  [qtp2075011885-655] *SYSTEM org.sonatype.nexus.internal.web.HeaderPatternFilter - rejecting request from 10.180.10.86 due to invalid header 'Host: [sub.example.com:10002]:10001'
      

      An upstream bug has been filed:

      https://github.com/eclipse/jetty.project/issues/5224

      Workaround

      If possible, remove the X-Forwarded-Port header from the inbound requests - or the port value from the X-Forwarded-Host value - both of these options seem to allow correct interpretation of implicit server name.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Joe Tom Joe Tom
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title