How to Redirect HTTP requests to HTTPS?

Repository Manager Does Not Start if Referencing jetty-http-redirect-to-https.xml

After an upgrade, NXRM may fail to start if the file jetty-http-redirect-to-https.xml is still referenced. The log will contain a message such as:

ERROR *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - Start failed
java.io.FileNotFoundException: etc/jetty/jetty-http-redirect-to-https.xml (No such file or directory)

Cause

As of Repository Manager 3.20.0, this file has been removed from our distribution.

Solution

Evaluate whether you still need the unsafe feature that this file enables.

If not, edit your nexus.args property value defined in your nexus.properties file, and remove the reference to jetty-http-redirect-to-https.xml.

If you still need this feature despite the risk, follow the instructions in this article to configure it.

Use Case for Redirecting HTTP Requests to HTTPS

Nexus Repository Manager has historically included example Eclipse Jetty configuration files for redirecting inbound plain HTTP requests to a configured secure HTTPS connector. The file to enable this was included at this path:

NXRM 3: <install-dir>/etc/jetty/jetty-http-redirect-to-https.xml

The aim of this feature was to make it easier for HTTP clients and build tools to transition from insecure URLs to secure ones.

Is it Safe?

No. It is not a safe practice, because it can give the client a false sense of security.

If a plain HTTP connector is exposed on the server, any connection to it permits the insecure transmission of sensitive information such as usernames and passwords: credentials sent with the original request have already crossed the network in clear text before the redirect response is returned. There is essentially no way to prevent this transmission on the server side when using a redirect mechanism.

Follow Best Practices Instead: Use HSTS

To encourage security best practices, Nexus Repository Manager 3.20.0 and newer no longer include an example configuration file that enables direct HTTP to HTTPS redirects. Should you still want to use it, instructions are included below.

As an added security measure for web browsers, consider using HSTS (HTTP Strict Transport Security) instead.

How to Redirect All Plain HTTP Requests to HTTPS in NXRM 3.20.0 or Newer (Not Recommended) 

  1. Follow all the steps under How to Enable the HTTPS Connector. Make sure the nexus-args property value also includes the reference to ${jetty.etc}/jetty-http.xml.
  2. Edit $data-dir/etc/nexus.properties. Change the comma-delimited nexus-args property value to include ${jetty.etc}/jetty-http-redirect-to-https.xml. Save the file.
  3. Download jetty-http-redirect-to-https.xml and save it next to your existing jetty-https.xml file, with identical file permissions.
  4. Restart the repository manager. Verify that all plain HTTP requests (except TRACE, as intended) are redirected to the equivalent HTTPS URL.
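As an added check for step 4 (an example script written for this article, not Sonatype's code), the following probes the plain HTTP connector with several methods and reports any response that is not a redirect to the equivalent HTTPS URL. The stand-in connector, loopback host, ports and paths are constructed so it runs offline; point audit() at your own NXRM host and connector ports instead.

```python
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from threading import Thread

REDIRECT_CODES = {301, 302, 307, 308}

def check_redirect(host, port, path, method="GET", https_port=8443):
    """Send one request to the plain-HTTP connector and report whether the
    response is a redirect to the equivalent HTTPS URL (same host and path)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    location = resp.getheader("Location") or ""
    expected = f"https://{host}:{https_port}{path}"
    redirected = resp.status in REDIRECT_CODES and location == expected
    return {"method": method, "path": path, "status": resp.status,
            "location": location, "redirected": redirected}

def audit(host, port, https_port, paths, methods=("GET", "HEAD", "POST", "PUT")):
    """Probe every path with every method (TRACE excluded: the article says it is
    intentionally not redirected) and return the results that did NOT redirect
    to HTTPS. An empty list means the connector behaves as the article describes."""
    results = [check_redirect(host, port, p, m, https_port) for p in paths for m in methods]
    return [r for r in results if not r["redirected"]]

class _FakeRedirectConnector(BaseHTTPRequestHandler):
    """Constructed stand-in for the Jetty redirect so the script runs offline;
    it is not NXRM. Every request gets a 301 to the same path over HTTPS."""
    https_port = 8443
    def _redirect(self):
        self.send_response(301)
        self.send_header("Location", f"https://127.0.0.1:{self.https_port}{self.path}")
        self.end_headers()
    do_GET = do_HEAD = do_POST = do_PUT = _redirect
    def log_message(self, *args):  # keep demo output quiet
        pass

def start_fake_connector():
    """Start the stand-in on a free loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeRedirectConnector)
    Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":  # against a real instance, pass its host and connector ports
    srv, port = start_fake_connector()
    print("not redirected:", audit("127.0.0.1", port, 8443, ["/", "/repository/maven-public/?q=1"]))
    srv.shutdown()
```

Remember that a clean audit only shows the redirect works; any request that carried credentials to the HTTP connector has already exposed them, which is why the article recommends HSTS over this setup.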