Skip to main content

Docker repositories in Nexus Repository 3.77.0 respond with 500 Server error when receiving X-Forwarded-Port header

Updated

.

Problem

After upgrading to Nexus Repo 3.77.0, once working docker repositories now respond to docker clients with a 500 Server Error

Diagnosis

Our observation is if Nexus Repo receives a case sensitive header X-Forwarded-Port in that exact letter case, this causes the problem.

A message inside the nexus.log file appears where the port value cannot be converted to the correct type.

GroovyCastException: Cannot cast object with class 'java.lang.String' to class 'int'

2025-02-05 13:25:42,883-0400 WARN [qtp1202998841-931] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Failure servicing: GET /repository/docker-hosted/v2/
org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object '50000' with class 'java.lang.String' to class 'int'
at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.castToNumber(DefaultTypeTransformation.java:172)
at org.codehaus.groovy.runtime.typehandling.DefaultTypeTransformation.intUnbox(DefaultTypeTransformation.java:81)
at org.sonatype.nexus.repository.docker.internal.V2Handlers.getLocation(V2Handlers.groovy:620)
at org.sonatype.nexus.repository.docker.internal.V2Handlers$getLocation$1.callCurrent(Unknown Source)
at org.sonatype.nexus.repository.docker.internal.V2Handlers.tokenAuthzChallenge(V2Handlers.groovy:389)

Examples proving the failure

curl -H 'X-Forwarded-Port:443' http://nexus.example.com:8081/repository/docker-repo1/v2/ -v

Workaround

The workaround is to adjust any reverse proxy configuration to not send inbound an X-Forwarded-Port header and instead use alternative headers which mean the same thing.

In other words, do not send exact case X-Forward-Port header AND instead:

    1. Rely only on Host header that includes domain and port
    2. OR Send a well formed Forwarded header that includes host and port ( https://datatracker.ietf.org/doc/html/rfc7239 )
    3. OR send a non-camel-case or lowercased version of the X-Forwarded-Port header, such as x-forwarded-port

Examples testing the workaround

curl -H 'Forwarded: proto=https;host=docker.example.com:443' http://nexus.example.com:8081/repository/docker-repo/v2/ -v

curl -H 'Host:docker.example.com:443' http://nexus.example.com:8081/repository/docker-repo/v2/ -v

curl -H 'Host:docker.example.com' -H 'x-forwarded-port:443' http://nexus.example.com:8081/repository/docker-repo/v2/ -v

Solution

This bug was recorded internally as a regression NEXUS-45847 and fixed in 3.77.1.

Related articles