Type: Publishing Support
Resolution: Out of scope
Environment:Red Hat Enerprise Linux 7.4; Nexus Repository OSS 3.7.1.
Modify publishing permissions?:
(I wanted to post this as a 'bug' but it ended up as a 'task'. Sorry about that. Jira newbie.)
I'm running Nexus Repository Manager OSS 3.7.1-02 on a Red Hat Enterprise Linux 7.4 system. I'm configuring the Repository principally for Docker registries. My machine is in a corporate network under a Websense/Forcepoint web proxy. The proxy can user either NTLM or BASIC authentication.
With a proxy Docker repository configured and the Administration -> System -> HTTP outbound HTTP/HTTPS configuration set with both the 'HTTP proxy' and 'HTTPS proxy' sections filled out with proxy host, proxy port, authentication username and authentication password I'm finding that, on a test docker pull -
- The Nexus repository connects to the web proxy; but
- It does not present the authentication credentials; instead it deciphers the '407 Proxy Authorization Required' response from the web proxy as an error.
This is my docker command and output:
docker pull client:50000/busybox
Using default tag: latest
Error response from daemon: manifest for client:50000/busybox:latest not found
This is the output from the nexus.log:
WARN [qtp950847865-49] admin org.sonatype.nexus.repository.docker.internal.DockerProxyFacetImpl - Could not parse error response Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null') at [Source: (ByteArrayInputStream); line: 1, column: 2]
WARN [qtp950847865-49] admin org.sonatype.nexus.repository.docker.internal.V2Handlers - Error: GET /v2/library/busyboxx/manifests/latest: 407 - org.sonatype.nexus.repository.docker.internal.V2Exception: unknown
A tcpdump - attached as file nexus_dump.txt - shows this sequence of packets:
- nexus client sends a 'CONNECT registry-1.docker.io:443' to the web proxy;
- proxy sends an ACK;
- proxy sends a 'HTTP/1.1 407 Proxy Authorization Required' response;
- nexus client sends an ACK;
- nexus client sends a FIN
- the connection is closed tidily.
In other words the nexus repository doesn't try to send the authentication username/password to the web proxy; rather it just 'gives up'.
I'm no network expert, but on the face of it I guess this is reasonable. The '407 Proxy Authorization Required' response from the web proxy has two authentication headers in its response:
... and since the nexus outbound HTTP/HTTPS configuration only has a username and password set for ('BASIC') authentication I would assume Nexus just gives up right there and then. (Although it would be nice if it terminated neatly with an appropriate error rather than apparently try and process the HTML payload of the 407 response.)
To get around this problem and get the nexus proxy repository working I had to (a) remove the configuration of any proxy from the nexus outbound HTTP/HTTPS configuration and then (b) set up Squid to act as a transparent proxy for the entire linux system. This worked; Nexus thinks it has direct connectivity to the internet and docker.io, even though in reality squid is transparently diverting its traffic through the Websense/Forcepoint proxy.
But the question then became - how is it that squid can work with the web proxy when nexus couldn't?
I did a tcpdump of a test connection from the linux system to google.com:443 using the squid proxy - attached as file squid_dump.txt - and the difference is that squid proffers an authentication header for BASIC authentication when it issues the CONNECT to the web proxy:
CONNECT 22.214.171.124:443 HTTP/1.1
Via: 1.1 client (squid/3.5.20)
Proxy-Authorization: Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Even though the Websense/Forcepoint proxy didn't advertise its willingness to accept BASIC authentication in the 407 response to Nexus it nonetheless accepts the BASIC authorisation that squid proffers-in-advance.
While I've got the Nexus Repository OSS working through the transparent squid proxy I'd very much prefer it if I could configure Nexus to use the web proxy directly, as currently the system is wide open to any outgoing network traffic, my web proxy password is in clear text in the squid configuration file, etc.
Would it be possible for Nexus to add the BASIC Proxy-Authorization header to its outgoing HTTP/HTTPS proxy requests? I don't think doing this would have any detrimental affect and it would mean the Nexus repository would work for Websense/Forcepoint proxies. Thanks!