Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-28876

Proxy repository returns 503 when remote returns 401

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.34.0
    • Fix Version/s: None
    • Component/s: Proxy Repository
    • Labels:
    • Notability:
      3

      Description

      When the remote of a proxy repository returns an HTTP 401 response Nexus will return an HTTP 503 response through the proxy repository.

      This error response will break a build. Historically, we have always returned 404 for this case, while (of course) logging clearly why the 404 was returned.  

      Note that Artifactory repositories have a setting that can be enabled which causes them return 401 rather than 404 for items that don't exist on the remote.  This is security through obscurity, so it is debatable whether this is a good idea.  But the fact remains there are public Artifactory instances with this setting enabled, such as this one:

      https://packages.atlassian.com/repository/public/

      Note this also applies to Dockerhub

       

      Expected: We should not break a build unnecessarily by returning an error response when not necessary.  In general we can't know if the 401 response from the remote of a proxy is expected or not, so we should be be conservative and not return an error response. We should return a 404

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            rseddon Rich Seddon
            Last Updated By:
            Michael Oliverio Michael Oliverio
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:

                tigCommentSecurity.panel-title