Nessus Scans show HSTS not enabled on the port serving Nexus 3.16.1-02


Kenny D'Airo

Jun 11, 2019, 9:03:46 AM
to Nexus Users

HSTS is not showing up as enabled in Nessus Scans on the port serving Nexus 3.16.1-02

Hello,

I'm trying to get HSTS enabled on Nexus OSS 3.16.1-02

From what I've read, this is enabled by default in the jetty-https.xml file for the application with the following piece of code, specifically the SecureRequestCustomizer:


  <Ref refid="httpConfig">
    <Set name="secureScheme">https</Set>
    <Set name="securePort"><Property name="application-port-ssl" default="443"/></Set>
  </Ref>

  <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>

I've created an edited jetty-ssl.xml and added it to the /etc/jetty/ directory and the nexus.properties args for which xml files to call.

After restarting the application and looking at the logs, everything looks good. The application is available, but Nessus scans for the HSTS vulnerability are still coming back positive.

The default https://localhost:443/nexus is currently configured behind an F5 reverse-proxy and HSTS is enabled on the F5, ssl is enabled in the application as well, terminating on port 443.

nexus.properties is calling for the jetty.xml,jetty-https.xml,jetty-ssl.xml,jetty-requestlog.xml when the application starts.

If the contents of any of the jetty files would help or the log files I can make those available as well.

Any additional information on why this might still be coming up would be greatly appreciated.

Thank you

Kenny D'Airo

Jun 17, 2019, 10:18:42 AM
to Nexus Users
I was able to resolve this issue. Here are the contents of the jetty-rewrite.xml in case anyone else is having problems with this and a brief outline of what the application is calling for now.

So after enabling HTTPS for the application, the Strict-Transport-Security header was still not showing in the headers of the URL.

I had to create a jetty-rewrite.xml and add that to the list of XML files that the application was calling for. So at this point the application is calling for ONLY the jetty.xml, jetty-https.xml, jetty-rewrite.xml, and jetty-requestlog.xml.

  • Here are the contents of the jetty-rewrite.xml:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<!-- =============================================================== -->
<!-- Mixin the RewriteHandler                                        -->
<!-- =============================================================== -->

<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- =========================================================== -->
  <!-- configure rewrite handler                                   -->
  <!-- =========================================================== -->

  <!-- keep a reference to the existing handler chain so it can be wrapped -->
  <Get id="oldhandler" name="handler"/>

  <Set name="handler">
    <New id="Rewrite" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
      <Set name="handler"><Ref id="oldhandler"/></Set>
      <Set name="rewriteRequestURI">true</Set>
      <Set name="rewritePathInfo">true</Set>
      <Set name="originalPathAttribute">requestedPath</Set>

      <!-- add the HSTS header to every response matching /* -->
      <Call name="addRule">
        <Arg>
          <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
            <Set name="pattern">/*</Set>
            <Set name="name">Strict-Transport-Security</Set>
            <Set name="value">max-age=31536000; includeSubDomains</Set>
          </New>
        </Arg>
      </Call>
    </New>
  </Set>

</Configure>

  • Now when I run a curl -I on the URL that Nexus is exposed on I am getting the following headers and Nessus scans are showing NO vulnerabilities.

HTTP/1.1 302 Found
Date: Mon, 17 Jun 2019 14:03:20 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://localhost/nexus/
Content-Length: 0
Server: Jetty(9.4.14.v20181114)


Peter Lynch

Jun 18, 2019, 4:31:44 PM
to Kenny D'Airo, Nexus Users
It's perhaps a lot simpler than what you've done. All that is needed is one or two additional lines in the jetty-https.xml config:


Example:

<New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Arg><Ref refid="httpConfig"/></Arg>
  <Call name="addCustomizer">
    <Arg>
      <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
        <!-- 7776000 seconds = 90 days -->
        <Set name="stsMaxAge">7776000</Set>
        <Set name="stsIncludeSubDomains">true</Set>
      </New>
    </Arg>
  </Call>
</New>




--
Sonatype
Peter Lynch
Senior Product Support Engineer
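Whichever of the two approaches above is used (the RewriteHandler rule or the SecureRequestCustomizer settings), the result has to be verified on the HTTPS port, since browsers ignore Strict-Transport-Security received over plain HTTP. The following Python check is an added example, not code from the thread or from Sonatype: it parses a raw header block like the curl -I output above and reports the findings a scanner would raise. The `fetch_raw_headers` helper, the 180-day minimum max-age, and the sample header block are assumptions.

```python
import http.client
import re
import ssl

# Constructed sample: the response headers shown in the thread's curl -I output.
SAMPLE_HEADERS = """HTTP/1.1 302 Found
Date: Mon, 17 Jun 2019 14:03:20 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://localhost/nexus/
Content-Length: 0
Server: Jetty(9.4.14.v20181114)
"""


def fetch_raw_headers(host: str, port: int = 443, path: str = "/nexus/") -> str:
    """Issue a HEAD request over TLS and return the headers as one raw block.
    HSTS is only honoured when delivered over HTTPS, so the check must target
    the TLS port (here the F5 or Jetty SSL listener), not the plain HTTP one."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"] + [f"{k}: {v}" for k, v in resp.getheaders()]
    conn.close()
    return "\n".join(lines) + "\n"


def parse_headers(raw: str) -> dict:
    """Parse a raw header block (status line first) into a lowercase-keyed dict;
    header names are case-insensitive per RFC 7230."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(raw: str, min_max_age: int = 15552000, require_subdomains: bool = True) -> list:
    """Return a list of findings; an empty list means the HSTS policy passes.
    Assumed policy: max-age of at least 180 days and includeSubDomains present."""
    sts = parse_headers(raw).get("strict-transport-security")
    if sts is None:
        return ["Strict-Transport-Security header missing"]
    # RFC 6797 directives are ';'-separated, case-insensitive, values may be quoted
    directives = {}
    for part in sts.split(";"):
        key, _, value = part.strip().partition("=")
        directives[key.strip().lower()] = value.strip().strip('"')
    findings = []
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"\d+", max_age):
        findings.append("max-age directive missing or not numeric")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age {max_age} below minimum {min_max_age}")
    if require_subdomains and "includesubdomains" not in directives:
        findings.append("includeSubDomains directive missing")
    return findings
```

Run `check_hsts(fetch_raw_headers("nexus.example.internal"))` against the exposed HTTPS endpoint after a restart; the 302 in the thread shows the header is also emitted on redirects, which is what the rewrite rule's `/*` pattern guarantees.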
