Nexus Sonatype-Repo manager OSS 3.21.2-03 https connector clarification


Mohan

Mar 25, 2020, 12:58:34 PM
to Nexus Users

Dear Team,

Today I installed Sonatype Nexus Repository Manager OSS 3.21.2-03 on a CentOS 8 VM. To enable the HTTPS connector, I followed the link below. [Section - How to Enable the HTTPS Connector]

https://help.sonatype.com/repomanager3/security/configuring-ssl#ConfiguringSSL-OutboundSSL-TrustingSSLCertificatesGlobally

My updated nexus-default.properties file has the content below.

## DO NOT EDIT - CUSTOMIZATIONS BELONG IN $data-dir/etc/nexus.properties
##
# Jetty section
application-port=8081
application-host=0.0.0.0

nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml

nexus-context-path=/nexus

# Nexus section
nexus-edition=nexus-pro-edition
nexus-features=\
 nexus-pro-feature

nexus.hazelcast.discovery.isEnabled=true

# For Https Configuration:-
application-port-ssl=8443

Also, I have enabled an Nginx reverse proxy.

After the above configuration, the URL https://nexus-server/nexus was not connecting, whereas with https://nexus-server:8443/nexus I was able to access it without any problem.

The Nginx log was showing the error below.

2020/03/25 21:13:59 [error] 31554#0: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 107.122.53.181, server: nexus-server, request: "GET /nexus/ HTTP/1.1", upstream: "http://120.121.122.100:8081/nexus/", host: "nexus-server"

After some time I tried the nexus-3.19.1-01-unix.tar.gz version and everything started working fine. Then I compared it with the latest version, nexus-3.21.2-03-unix.tar.gz, and found that the jetty-http-redirect-to-https.xml file was missing in the latest version. So I just copied this file from nexus-3.19.1-01 to the latest (3.21.2-03) $data-dir/etc/jetty/ location and updated the nexus-default.properties file as below, and it started working fine even on the latest version.

nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml,${jetty.etc}/jetty-http-redirect-to-https.xml

So I wanted to confirm: is there something wrong with this approach? If yes, please correct me on this problem.

Rich Seddon

Mar 25, 2020, 3:15:49 PM
to Nexus Users
The jetty-http-redirect-to-https.xml file is no longer included in 3.21.2 because redirecting from http to https is inherently insecure. When an http to https redirect is used, it may be possible for someone using a tool like Wireshark to read credentials in requests.

Regards,

Rich

Mohan

Mar 25, 2020, 10:30:45 PM
to Nexus Users

I have removed the $data-dir/etc/jetty/jetty-http-redirect-to-https.xml file and updated nexus-default.properties as below, as recommended.

nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml

Also, I have updated my nginx reverse proxy configuration file as below.

From
proxy_pass http://120.121.122.100:8081/;

To
proxy_pass https://120.121.122.100:8443/;

HTTP requests also redirect to https like below
Now everything is working as expected. Thanks.
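An added example, not part of the thread and not Sonatype's code: a small Python audit that flags the plaintext Jetty connector files discussed above when they appear in nexus-args, and any nginx proxy_pass that still points at an http:// upstream. The sample inputs are constructed from the configurations posted in the thread, 192.0.2.10 is a placeholder address, and the function names are illustrative.

```python
import re

# Jetty files that open a plaintext listener (file names as given in the thread).
PLAINTEXT_JETTY = {"jetty-http.xml", "jetty-http-redirect-to-https.xml"}

def parse_properties(text):
    """Parse Java-style .properties text, joining backslash-continued lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue  # blank line or comment
        line = pending + stripped
        if line.endswith("\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        pending = ""
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_nexus(text):
    """Findings for plaintext Jetty connectors listed in nexus-args."""
    props = parse_properties(text)
    files = {a.rsplit("/", 1)[-1] for a in props.get("nexus-args", "").split(",") if a}
    port = props.get("application-port", "unset")
    findings = [f"nexus-args loads {name} (plaintext HTTP, application-port={port})"
                for name in sorted(files & PLAINTEXT_JETTY)]
    if "jetty-https.xml" not in files:
        findings.append("nexus-args does not load jetty-https.xml (no TLS connector)")
    return findings

def audit_nginx(text):
    """Findings for proxy_pass directives that send traffic upstream over http://."""
    return [f"proxy_pass to plaintext upstream {m.group(1)}"
            for m in re.finditer(r"^\s*proxy_pass\s+(http://[^;\s]+)", text, re.M)]

# Constructed samples modelled on the configurations posted in the thread;
# 192.0.2.10 is a documentation address, not the poster's server.
WORKAROUND = """\
application-port=8081
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,\\
  ${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml,\\
  ${jetty.etc}/jetty-http-redirect-to-https.xml
"""
FINAL = "nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml\n"

if __name__ == "__main__":
    print(audit_nexus(WORKAROUND), audit_nexus(FINAL))
    print(audit_nginx("proxy_pass http://192.0.2.10:8081/;"))
```

The workaround configuration yields two findings (the HTTP connector and the redirect file), while the HTTPS-only nexus-args from the last post yields none.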