How to configure HSTS in Nexus Repository 3

<TABLE OF CONTENTS>

What is HTTP Strict Transport Security (HSTS)?

HSTS (RFC 6797) is a standard that lets an HTTPS server instruct web browsers, through the Strict-Transport-Security response header, to contact a given host name only over https for a stated period (the max-age directive, in seconds). A browser that supports it rewrites any later http request for that host name to https before the request leaves the machine, which prevents accidental transmission of sensitive data such as session cookies or credentials to a plain http endpoint at the same host name. Note that the browser only learns the policy after it has successfully reached the host over https at least once; HSTS does not protect the very first visit.

Build tools and other non-browser clients (Maven, Gradle, npm, pip, Docker and the like) do not typically implement HSTS, but they are not broken by it either: a client that does not recognise the Strict-Transport-Security header simply ignores it. The corollary is that HSTS does not, by itself, stop a misconfigured build tool from talking to an http endpoint; only the browser side of the deployment gains protection.

Enabling HSTS in NXRM 3.20.0 or Newer

When TLS connections are terminated by NXRM directly through its Eclipse Jetty configuration, HSTS is already enabled by default: the https connector adds the Strict-Transport-Security header to every response it sends, with the 90-day max-age default described below and without includeSubDomains. No configuration change is needed to turn it on.

If you are terminating HTTPS connections in front of NXRM with a reverse proxy, you must configure the reverse proxy to add (or omit) the Strict-Transport-Security header. Jetty only adds the header on its own TLS connector, so when the proxy forwards plain http to NXRM the responses from NXRM carry no HSTS header at all, whatever jetty.https.stsMaxAge is set to. Instructions for configuring specific reverse proxies are beyond the scope of this article.

How to Disable HSTS in NXRM 3.20.0 or Newer

  1. Edit ${karaf.data}/etc/nexus.properties
  2. Add a line containing
    jetty.https.stsMaxAge=-1
  3. Save the file and restart NXRM.

A negative value makes Jetty omit the Strict-Transport-Security header entirely. Do not use 0 to disable HSTS: a value of 0 still sends the header, as max-age=0, which tells browsers to discard any policy they have stored for the host. Also be aware that browsers which already visited the server keep the previously advertised policy until its max-age (90 days by default) expires; disabling the header on the server does not clear it from clients.

How To Enable HSTS in NXRM 3.19.1 or Older

  1. Edit ${jetty.etc}/jetty-https.xml.
  2. Change the section that looks like this:

       <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
         <Arg><Ref refid="httpConfig"/></Arg>
         <Call name="addCustomizer">
           <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
         </Call>
       </New>

     To this:

       <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
         <Arg><Ref refid="httpConfig"/></Arg>
         <Call name="addCustomizer">
           <Arg>
             <New id="secureRequestCustomizer" class="org.eclipse.jetty.server.SecureRequestCustomizer">
               <!-- 7776000 seconds = 90 days -->
               <Set name="stsMaxAge"><Property name="jetty.https.stsMaxAge" default="7776000"/></Set>
               <Set name="stsIncludeSubDomains"><Property name="jetty.https.stsIncludeSubDomains" default="false"/></Set>
               <Set name="sniHostCheck"><Property name="jetty.https.sniHostCheck" default="false"/></Set>
             </New>
           </Arg>
         </Call>
       </New>

     The <Property> elements make each value overridable from ${karaf.data}/etc/nexus.properties without editing the XML again: jetty.https.stsMaxAge=-1 turns the header off, and jetty.https.stsIncludeSubDomains=true extends the policy to sub-domains. Because jetty-https.xml lives under the installation directory, the edit has to be reapplied after an upgrade to a version older than 3.20.0; from 3.20.0 on the equivalent configuration is built in and this step is unnecessary.
  3. Save the file and restart NXRM.

For justification of 90 day max age default, see https://letsencrypt.org/2015/11/09/why-90-days.html .

Sub-domains are NOT included under HSTS by default because includeSubDomains extends the https-only policy to every name beneath the NXRM host name (and, if NXRM is served from the organization's parent domain, to every sub-domain of it), so it can indirectly break other applications in the same organization that are hosted at those sub-domains and still rely on plain http. Since browsers cache the policy for the full max-age, such a mistake is slow to undo, and we consider leaving it off the lesser risk.
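After the restart, the check a practitioner wants is whether the server really sends the header, with which values. The following shell script is an added example, not part of the original article or of NXRM: it parses a Strict-Transport-Security value the way a browser reads it (the max-age directive and the optional includeSubDomains token, both case-insensitive), classifies the three states that matter here (header absent, which is what stsMaxAge=-1 produces; max-age=0, which tells browsers to forget the host; a positive max-age), and runs over a constructed sample of response headers. The host name nexus.example.com in the usage comment is a placeholder, and the sample headers are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the Sonatype article or of NXRM: verify the
# HSTS header a server sends. The header samples below are constructed for
# the demo; nexus.example.com is a placeholder host name.

# hsts_header_value: read HTTP response headers on stdin, print the value of
# Strict-Transport-Security (header names are case-insensitive), or nothing
# if the header is absent. CRs from the HTTP line endings are stripped.
hsts_header_value() {
  tr -d '\r' | awk '
    {
      i = index($0, ":")
      if (i == 0) next
      name = tolower(substr($0, 1, i - 1))
      if (name == "strict-transport-security") {
        value = substr($0, i + 1)
        sub(/^[ \t]+/, "", value); sub(/[ \t]+$/, "", value)
        print value
        exit
      }
    }'
}

# hsts_max_age VALUE: print the max-age directive in seconds, or nothing.
hsts_max_age() {
  printf '%s\n' "$1" | tr ';' '\n' | tr -d ' \t' \
    | awk -F= 'tolower($1) == "max-age" { print $2; exit }'
}

# hsts_includes_subdomains VALUE: succeed if includeSubDomains is present.
hsts_includes_subdomains() {
  printf '%s\n' "$1" | tr ';' '\n' | tr -d ' \t' | tr 'A-Z' 'a-z' \
    | grep -qx 'includesubdomains'
}

# check_hsts: read response headers on stdin, print a verdict and return
#   0 = HSTS enabled with a positive max-age
#   1 = header absent (what jetty.https.stsMaxAge=-1 produces)
#   2 = header present but max-age is 0 or malformed
check_hsts() {
  value=$(hsts_header_value)
  if [ -z "$value" ]; then
    echo "HSTS: disabled (no Strict-Transport-Security header)"
    return 1
  fi
  age=$(hsts_max_age "$value")
  case "$age" in
    ''|*[!0-9]*) echo "HSTS: malformed or missing max-age in '$value'"; return 2 ;;
  esac
  if [ "$age" -eq 0 ]; then
    echo "HSTS: max-age=0, browsers will forget the stored policy"
    return 2
  fi
  subs=no
  hsts_includes_subdomains "$value" && subs=yes
  echo "HSTS: enabled, max-age=$age seconds (~$((age / 86400)) days), includeSubDomains=$subs"
  return 0
}

# Constructed samples: what the default NXRM 3.20+ TLS connector sends, and
# what it sends after jetty.https.stsMaxAge=-1 (not real captures).
SAMPLE_HSTS_ON='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=7776000
Content-Type: text/html

'
SAMPLE_HSTS_OFF='HTTP/1.1 200 OK
Content-Type: text/html

'

# Demo on the samples ("|| :" keeps a non-zero verdict from aborting a
# script that runs with set -e). Against a live instance, use:
#   curl -sSI https://nexus.example.com/ | check_hsts
printf '%s' "$SAMPLE_HSTS_ON" | check_hsts || :
printf '%s' "$SAMPLE_HSTS_OFF" | check_hsts || :
```

Always test over https: Jetty's SecureRequestCustomizer runs only on the TLS connector, so querying the plain http port never shows the header, whatever stsMaxAge is set to. If a reverse proxy terminates TLS, point the check at the proxy's public name, since that is the header browsers will actually see.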
