HTTP Strict Transport Security (HSTS) For Nexus 2.14.13-01


Kenny D'Airo

May 30, 2019, 1:55:43 PM
to Nexus Users
Trying to enable HSTS for NXRPM OSS 2.14.13-01 and the service won't start after I try modifying the jetty-https.xml

Log shows...

jvm 1    | 2019-05-30 13:40:11,133-0400 INFO  [WrapperListener_start_runner]  org.sonatype.nexus.bootstrap.jetty.JettyServer - Applying configuration: file:/E:/nexus-2.14.13-01/conf/jetty-https.xml
jvm 1    | 2019-05-30 13:40:11,164-0400 WARN  [WrapperListener_start_runner]  org.eclipse.jetty.xml.XmlConfiguration - Config error at <Ref refid="httpConfig"><Set name="secureScheme">https</Set><Set name="securePort"><Property name="application-port-ssl"/></Set></Ref>
jvm 1    | 2019-05-30 13:40:11,180-0400 ERROR [WrapperListener_start_runner]  org.sonatype.nexus.bootstrap.jetty.JettyServer - Start failed
jvm 1    | java.lang.IllegalStateException: No object for id=null

Can't really find anything on enabling this in this version.

Lots on the newer version having it enabled by default but I'm having some trouble with it.

Any help would be appreciated.

Thank you,

Mahendra Surani

May 31, 2019, 7:46:56 AM
to Nexus Users
Looks like there is some misconfiguration in the file E:/nexus-2.14.13-01/conf/jetty-https.xml

Mahendra

Kenny D'Airo

May 31, 2019, 9:14:55 AM
to Nexus Users
The only thing in that documentation that was not currently configured in my setup was that the application-port=443 instead of application-port-ssl=443. Already have a custom JKS that the application is pointed to. So I have this setup to reverse proxy url and both inbound and outbound https are configured. The only enabled protocol is TLS1.2 and still the port shows vulnerable for not having HSTS enabled. I see that HSTS is enabled by default in Nexus OSS 3.x and when I try to add the configuration items from the jetty-https.xml for enabling HSTS on Nexus 3.x into the jetty-https.xml for Nexus 2.14 I end up with that jetty jvm lang error above. I have not been able to find any documentation that explicitly addresses HSTS in this version of the repo manager. Does anyone know if this is even possible to do in version 2.14?

Rich Seddon

May 31, 2019, 9:56:46 AM
to Nexus Users
I don't think it is possible using Jetty in Nexus Repo 2.  I believe it should be possible in Nexus Repo 3 though.

For nxrm 2 you should front the server with a reverse proxy such as nginx or apache if HSTS is a requirement.
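Rich's reverse-proxy suggestion worked through as an added nginx example (not configuration from this thread or from Sonatype): nginx owns port 443, terminates TLS and adds the HSTS header that Nexus 2's bundled Jetty cannot. It assumes Nexus 2 listens on plain HTTP on 127.0.0.1:8081 behind it; the hostname and certificate paths are placeholders.

```nginx
# Added example, not from the thread: nginx in front of Nexus Repository 2.
# Assumptions: Nexus runs with application-port=8081 on localhost and its
# Base URL set to https://nexus.example.com; cert paths are placeholders.

server {
    listen 80;
    server_name nexus.example.com;
    # Browsers only honour HSTS over HTTPS, so plain HTTP just redirects.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name nexus.example.com;

    ssl_certificate     /etc/ssl/certs/nexus.example.com.crt;   # placeholder
    ssl_certificate_key /etc/ssl/private/nexus.example.com.key; # placeholder
    ssl_protocols       TLSv1.2;

    # Strict-Transport-Security: the browser remembers to use HTTPS for this
    # host for max-age seconds. Start with a short max-age and raise it once
    # every path is confirmed to work over HTTPS; "always" makes nginx add the
    # header on error responses as well, which scanners also check.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Artifact uploads are large; nginx's default limit is 1m.
    client_max_body_size 1G;

    location / {
        proxy_pass http://127.0.0.1:8081/;
        # Nexus builds absolute URLs from these, so it must know it is behind
        # HTTPS even though the hop to it is plain HTTP on localhost.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 300;
    }
}
```

With this layout Nexus itself no longer needs to listen on 443 or load the JKS; TLS settings and the header live only in nginx, so the unmodified jetty-https.xml is not needed.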

Peter Lynch

Jun 18, 2019, 4:26:19 PM
to Rich Seddon, Nexus Users
On Fri, May 31, 2019 at 10:56 AM Rich Seddon <rse...@sonatype.com> wrote:
I don't think it is possible using Jetty in Nexus Repo 2.  I believe it should be possible in Nexus Repo 3 though.

Jetty included with recent NXRM 3 versions support configuring this: https://issues.sonatype.org/browse/NEXUS-20268 


--
Sonatype
Peter Lynch
Senior Product Support Engineer
