Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-7575

User-Agent header not sent for CONNECT to httpS remotes

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.9.2, 2.10
    • Fix Version/s: 2.11, 3.0.0-m3
    • Component/s: Transport
    • Labels:
      None
    • Environment:
      Red Hat Enterprise Linux Server release 6.4 (Santiago)
    • Sprint:
      Sprint 28

      Description

      nexus 2.9.2-01

      We are running behind an HTTP proxy that requires a particular string in the User-Agent header.

      After configuring the "Default HTTP Proxy Settings" and the "User Agent Customization" field in the admin panel, nexus successfully proxies remote repositories with http remote storage locations (e.g. http://nexus.codehaus.org/snapshots/). However, it cannot proxy remote repos with httpS remote storage locations (https://nexus.codehaus.org/snapshots/).

      It appears that when attempting to establish the tunnel with the proxy, the HTTP CONNECT request that nexus issues does not include a User-Agent header. Our proxy rejects the HTTP CONNECT request with a 403 response.

      Can i work around this via configuration?

      Here is a snippet of the nexus logs generated when org.apache.http.wire is set to DEBUG:

      jvm 1 | 2014-10-07 17:55:52,756-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 >> "CONNECT nexus.codehaus.org:443 HTTP/1.1[\r][\n]"
      jvm 1 | 2014-10-07 17:55:52,756-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 >> "Host: nexus.codehaus.org[\r][\n]"
      jvm 1 | 2014-10-07 17:55:52,756-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 >> "Proxy-Connection: Keep-Alive[\r][\n]"
      jvm 1 | 2014-10-07 17:55:52,756-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 >> "[\r][\n]"
      jvm 1 | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "HTTP/1.1 403 Forbidden[\r][\n]"
      jvm 1 | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Cache-Control: no-cache[\r][\n]"
      jvm 1 | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Pragma:no-cache[\r][\n]"
      jvm 1 | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Content-Type: text/html; charset=utf-8[\r][\n]"
      jvm 1 | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Proxy-Connection: close[\r][\n]"
      jvm 1 | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Connection: close[\r][\n]"
      jvm 1 | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Content-Length: 1128[\r][\n]"
      jvm 1 | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "[\r][\n]"
      ...lots of response body from the proxy about how wrong we were to try that...

      compare that with this request from curl:

      curl -v https://nexus.codehaus.org/snapshots/

      • About to connect() to proxy 10.76.225.15 port 80 (#0)
      • Trying 10.76.225.15... connected
      • Connected to 10.76.225.15 (10.76.225.15) port 80 (#0)
      • Establish HTTP proxy tunnel to nexus.codehaus.org:443
        > CONNECT nexus.codehaus.org:443 HTTP/1.1
        > Host: nexus.codehaus.org:443
        > User-Agent: MY_CUSTOM_USER_AGENT_STRING;
        > Proxy-Connection: Keep-Alive
        >
        < HTTP/1.1 200 Connection established
        <
      • Proxy replied OK to CONNECT request
      • Initializing NSS with certpath: sql:/etc/pki/nssdb
      • CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      • SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
      • Server certificate:
      • subject: CN=nexus.codehaus.org,O=OPENXOURCE,L=Camp Hill,ST=Queensland,C=AU
      • start date: Sep 26 00:00:00 2013 GMT
      • expire date: Mar 09 23:59:59 2015 GMT
      • common name: nexus.codehaus.org
      • issuer: CN=Thawte SSL CA,O="Thawte, Inc.",C=US
        > GET /snapshots/ HTTP/1.1
        > User-Agent: DHSI60SP1001;
        > Host: nexus.codehaus.org
        > Accept: /
        >
        < HTTP/1.1 200 OK

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              carlosf Carlos
              Last Updated By:
              Peter Lynch Peter Lynch
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title