Visit my.sonatype.com for documentation on Nexus Repository version 2.
Nexus Repository Does Not Start if Referencing jetty-http-redirect-to-https.xml
After an upgrade, Nexus Repository will not start if its configuration references the file jetty-http-redirect-to-https.xml. The logs will contain an error message:
Nexus Repository 3:
ERROR *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - Start failed
java.io.FileNotFoundException: etc/jetty/jetty-http-redirect-to-https.xml (No such file or directory)
Nexus Repository 2:
ERROR [WrapperListener_start_runner] org.sonatype.nexus.bootstrap.jetty.JettyServer - Start failed
java.nio.file.NoSuchFileException: ./conf/jetty-http-redirect-to-https.xml
Cause
As of Nexus Repository 3.20.0, this file has been removed from our distribution.
As of Nexus Repository 2.15.0, this file has been removed from our distribution.
Solution
Evaluate if you need the unsafe feature exposed by this file.
If you still need this feature despite the risk of use, follow the instructions in this article to configure it.
Use Case for Redirecting HTTP Requests to HTTPS
Nexus Repository has historically included example Eclipse Jetty configuration files for redirecting inbound plain HTTP requests to a configured secure HTTPS connector. The file to enable this was included at this path:
Nexus Repository 3: <app-dir>/etc/jetty/jetty-http-redirect-to-https.xml
Nexus Repository 2: <app-dir>/conf/jetty-http-redirect-to-https.xml
The original aim of this feature was to ease the transition from using insecure URLs to secure URLs.
Is it Safe?
No, it is not a safe practice because it can give the client a false sense of security.
If a server exposes any plain HTTP connector, a connection to it permits the insecure transmission of sensitive information such as usernames and passwords. The client has already sent that information in the plain HTTP request by the time the server answers with a redirect, so there is no way to prevent this transmission on the server side when using a redirect mechanism.
Follow Best Practices Instead: Use HSTS
To encourage security best practices, Nexus Repository 3.20.0/2.15.0 and newer no longer include a configuration file that enables direct HTTP to HTTPS redirects. Should you still want to use it, instructions are included below.
As an added security measure for human web browsers, consider using HSTS instead.
Redirect All Plain HTTP Requests to HTTPS (Not Recommended)
Nexus Repository 3 versions 3.20.0 or newer:
- Follow all the steps under How to Enable the HTTPS Connector. Make sure the nexus-args property value also includes the reference to ${jetty.etc}/jetty-http.xml
- Edit $data-dir/etc/nexus.properties. Change the nexus-args property comma-delimited value to include ${jetty.etc}/jetty-http-redirect-to-https.xml. Save the file.
- Download jetty-http-redirect-to-https.xml and save it next to your existing jetty-https.xml file with identical file permissions.
- Restart Nexus Repository. Verify all plain HTTP requests ending with a slash (except TRACE, as intended) get redirected to the equivalent HTTPS URL.
Nexus Repository 2 versions 2.15.0 or newer:
- Follow all the steps under Terminating TLS Connections Directly. Ensure the /bin/jsw/conf/wrapper.conf file contains wrapper.app.parameter.n properties referencing both ./conf/jetty-http.xml and ./conf/jetty-https.xml
- Edit /bin/jsw/conf/wrapper.conf. Add a wrapper.app.parameter.n property referencing ./conf/jetty-http-redirect-to-https.xml. Save the file.
- Download jetty-http-redirect-to-https.xml and save it next to your existing jetty-https.xml file with identical file permissions.
- Restart Nexus Repository. Verify all plain HTTP requests ending with a slash (except TRACE, as intended) get redirected to the equivalent HTTPS URL.
Remove Plain HTTP Redirects to HTTPS
Nexus Repository 3 versions 3.19 and earlier:
If you have previously enabled this feature (it was never enabled by default), then edit the nexus-args property defined in your nexus.properties file, and remove the reference to jetty-http-redirect-to-https.xml.
Nexus Repository 2 versions 2.14.21 and earlier:
If you have previously enabled this feature (it was never enabled by default), then edit the wrapper.app.parameter.n properties defined in your bin/jsw/conf/wrapper.conf file, and remove the property referencing jetty-http-redirect-to-https.xml.
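The startup failure described at the top of this article can be caught before an upgrade by checking whether nexus.properties or wrapper.conf still references the removed file. The following Python check is an added example, not Sonatype code: the function names are hypothetical, and it assumes ${jetty.etc} resolves to <app-dir>/etc/jetty and that each property value sits on a single line.

```python
import re
import tempfile
from pathlib import Path

REDIRECT = "jetty-http-redirect-to-https.xml"

def jetty_refs_nxrm3(properties_text):
    """Jetty XML entries in the nexus-args value of nexus.properties."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "nexus-args":  # "#nexus-args" lines do not match
            return [v.strip() for v in value.split(",") if v.strip().endswith(".xml")]
    return []

def jetty_refs_nxrm2(wrapper_conf_text):
    """Jetty XML entries in wrapper.app.parameter.n lines of wrapper.conf."""
    pattern = re.compile(r"^\s*wrapper\.app\.parameter\.\d+\s*=\s*(\S+\.xml)\s*$", re.M)
    return pattern.findall(wrapper_conf_text)

def audit(refs, app_dir, jetty_etc=None):
    """Flag a reference to the redirect file and list referenced files not on disk."""
    app_dir = Path(app_dir)
    # Assumption: ${jetty.etc} resolves to <app-dir>/etc/jetty unless overridden.
    jetty_etc = Path(jetty_etc) if jetty_etc else app_dir / "etc" / "jetty"
    missing = []
    for ref in refs:
        path = Path(ref.replace("${jetty.etc}", str(jetty_etc)))
        if not path.is_absolute():
            path = app_dir / path  # Nexus Repository 2 uses ./conf/... paths
        if not path.is_file():
            missing.append(ref)  # a missing file makes JettyServer fail at start
    return {"redirect_referenced": any(Path(r).name == REDIRECT for r in refs),
            "missing": missing}

if __name__ == "__main__":
    # Constructed sample: an upgraded install whose config still lists the removed file.
    sample = ("# constructed nexus.properties\n"
              "nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,"
              "${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-http-redirect-to-https.xml\n")
    with tempfile.TemporaryDirectory() as app_dir:
        etc = Path(app_dir, "etc", "jetty")
        etc.mkdir(parents=True)
        for name in ("jetty.xml", "jetty-http.xml", "jetty-https.xml"):
            (etc / name).touch()
        print(audit(jetty_refs_nxrm3(sample), app_dir))
```

A result with redirect_referenced set means the plain HTTP redirect is configured; the same entry appearing under missing means the instance will fail to start until the reference is removed or the file is restored.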