Dev - Nexus Repo / NEXUS-6539

Forced Base URL value different from the incoming request URL can break UI / RESTLET based resources

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.8
    • Fix Version/s: 2.8.1, 3.0.0-m1
    • Component/s: REST, UI
    • Labels: None
    • Sprint: Sprint 15

      Description

      Note: this is just one commonly seen reproduction case.

      Given a reverse proxy called "guiness.local"
      Given a Nexus host called "spunge.local"

      1. In nexus.properties set nexus-webapp-context-path=/
      2. Configure Reverse proxy setup to Nexus with https://guiness.local:8743 --> http://spunge.local:8280
      3. Reverse Proxy should NOT set x-forwarded-proto header to "https". Setting x-forwarded-for, x-forwarded-host, x-forwarded-server is fine.
      4. In Nexus set Base URL to https://guiness.local:8743/
      5. In Nexus Force Base URL checkbox is enabled

      Login to UI as Admin and open Repositories list.

      Displaying the repositories list fails to load. Repository status seems to contain the wrong URLs and status checking is "retrieving...".

      > curl https://guiness.local:8743/service/local/repository_statuses --insecure
      <repository-status-list>
        <data>
          <repository-status-list-item>
            <resourceURI>https://guiness.local:8743/ervice/local/repository_statuses/snapshots</resourceURI>
            <id>snapshots</id>
            <name>Snapshots</name>
            <repoType>hosted</repoType>
            <repoPolicy>SNAPSHOT</repoPolicy>
            <format>maven2</format>
            <status>
              <localStatus>IN_SERVICE</localStatus>
            </status>
          </repository-status-list-item>
          <repository-status-list-item>
            <resourceURI>https://guiness.local:8743/ervice/local/repository_statuses/central</resourceURI>
            <id>central</id>
            <name>Central</name>
            <repoType>proxy</repoType>
            <repoPolicy>RELEASE</repoPolicy>
            <format>maven2</format>
            <status>
              <localStatus>IN_SERVICE</localStatus>
              <remoteStatus>UNKNOWN</remoteStatus>
              <proxyMode>ALLOW</proxyMode>
            </status>
          </repository-status-list-item>
          <repository-status-list-item>
            <resourceURI>https://guiness.local:8743/ervice/local/repository_statuses/codehaus-snapshots</resourceURI>
            <id>codehaus-snapshots</id>
            <name>Codehaus Snapshots</name>
            <repoType>proxy</repoType>
            <repoPolicy>SNAPSHOT</repoPolicy>
            <format>maven2</format>
            <status>
              <localStatus>IN_SERVICE</localStatus>
              <remoteStatus>UNKNOWN</remoteStatus>
              <proxyMode>ALLOW</proxyMode>
            </status>
          </repository-status-list-item>
          <repository-status-list-item>
            <resourceURI>https://guiness.local:8743/ervice/local/repository_statuses/public</resourceURI>
            <id>public</id>
            <name>Public Repositories</name>
            <repoType>group</repoType>
            <repoPolicy>MIXED</repoPolicy>
            <format>maven2</format>
            <status>
              <localStatus>IN_SERVICE</localStatus>
            </status>
          </repository-status-list-item>
          <repository-status-list-item>
            <resourceURI>https://guiness.local:8743/ervice/local/repository_statuses/apache-snapshots</resourceURI>
            <id>apache-snapshots</id>
            <name>Apache Snapshots</name>
            <repoType>proxy</repoType>
            <repoPolicy>SNAPSHOT</repoPolicy>
            <format>maven2</format>
            <status>
              <localStatus>IN_SERVICE</localStatus>
              <remoteStatus>UNKNOWN</remoteStatus>
              <proxyMode>ALLOW</proxyMode>
            </status>
          </repository-status-list-item>
          <repository-status-list-item>
            <resourceURI>https://guiness.local:8743/ervice/local/repository_statuses/central-m1</resourceURI>
            <id>central-m1</id>
            <name>Central M1 shadow</name>
            <repoType>virtual</repoType>
            <repoPolicy>RELEASE</repoPolicy>
            <format>maven1</format>
            <status>
              <localStatus>IN_SERVICE</localStatus>
            </status>
          </repository-status-list-item>
          <repository-status-list-item>
            <resourceURI>https://guiness.local:8743/ervice/local/repository_statuses/thirdparty</resourceURI>
            <id>thirdparty</id>
            <name>3rd party</name>
            <repoType>hosted</repoType>
            <repoPolicy>RELEASE</repoPolicy>
            <format>maven2</format>
            <status>
              <localStatus>IN_SERVICE</localStatus>
            </status>
          </repository-status-list-item>
          <repository-status-list-item>
            <resourceURI>https://guiness.local:8743/ervice/local/repository_statuses/releases</resourceURI>
            <id>releases</id>
            <name>Releases</name>
            <repoType>hosted</repoType>
            <repoPolicy>RELEASE</repoPolicy>
            <format>maven2</format>
            <status>
              <localStatus>IN_SERVICE</localStatus>
            </status>
          </repository-status-list-item>
        </data>
      </repository-status-list>
      

      Workaround:

      1. Set the x-forwarded-proto headers to https
      2. Uncheck force base URL
        Note: this workaround only works because it makes the incoming request URL match the length of the forced base URL value!

      In Nexus 2.7.2 this setup works fine without x-forwarded-proto headers set or the length of the forced base URL differing from the length of the publicly exposed URL.
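
The length dependence noted in the workaround can be reproduced with a small model. This is an added example, not Nexus code and not part of the original report: `rewrite_by_length` is a hypothetical stand-in for the faulty behaviour, `rewrite_by_path` is one length-independent alternative, and the request URLs are constructed on the assumption that Nexus honours x-forwarded-host, so it sees `http://guiness.local:8743/...` when x-forwarded-proto is absent.

```python
from urllib.parse import urlsplit

# Base URL from the report, with "Force Base URL" enabled.
FORCED_BASE = "https://guiness.local:8743/"

# Constructed request URLs as the application is assumed to see them.
SEEN_WITHOUT_PROTO = "http://guiness.local:8743/service/local/repository_statuses/snapshots"
SEEN_WITH_PROTO = "https://guiness.local:8743/service/local/repository_statuses/snapshots"


def rewrite_by_length(request_url, forced_base=FORCED_BASE):
    """Hypothetical faulty rewrite: cut the request URL at len(forced_base),
    which is only right when the request root has exactly that length."""
    return forced_base + request_url[len(forced_base):]


def rewrite_by_path(request_url, forced_base=FORCED_BASE, context_path="/"):
    """Length-independent rewrite: drop scheme/host/port of the request and
    re-anchor only the path below the webapp context path."""
    path = urlsplit(request_url).path
    prefix = context_path.rstrip("/") + "/"
    if not path.startswith(prefix):
        raise ValueError(f"{path!r} is outside context path {context_path!r}")
    return forced_base.rstrip("/") + "/" + path[len(prefix):]


def root_length_mismatch(request_url, forced_base=FORCED_BASE):
    """Check for the condition in the report: the request root
    (scheme://host:port/) differs in length from the forced base URL."""
    parts = urlsplit(request_url)
    request_root = f"{parts.scheme}://{parts.netloc}/"
    return len(request_root) - len(forced_base)


if __name__ == "__main__":
    for url in (SEEN_WITHOUT_PROTO, SEEN_WITH_PROTO):
        print("seen by app :", url)
        print("  root delta:", root_length_mismatch(url))
        print("  by length :", rewrite_by_length(url))
        print("  by path   :", rewrite_by_path(url))
```

With `http` one character shorter than `https`, the length-based cut drops the leading `s` of `service`, which matches the `resourceURI` values in the output above.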


              People

              Assignee: Jason Dillon (jdillon)
              Reporter: Peter Lynch (plynch)
              Last Updated By: Peter Lynch
              Votes: 0
              Watchers: 3
