HTTP proxy + custom user agent + httpS remote storage location

carlosf
nexus 2.9.2-01

We are running behind an HTTP proxy that requires a particular string in the User-Agent header.

After configuring the "Default HTTP Proxy Settings" and the "User Agent Customization" field in the admin panel, nexus successfully proxies remote repositories with http remote storage locations (e.g. http://nexus.codehaus.org/snapshots/).  However, it cannot proxy remote repos with httpS remote storage locations (https://nexus.codehaus.org/snapshots/).

It appears that when attempting to establish the tunnel with the proxy, the HTTP CONNECT request that nexus issues does not include a User-Agent header.  Our proxy rejects the HTTP CONNECT request with a 403 response.

Can I work around this via configuration?

Here is a snippet of the nexus logs generated when org.apache.http.wire is set to DEBUG:

jvm 1    | 2014-10-07 17:55:52,756-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 >> "CONNECT nexus.codehaus.org:443 HTTP/1.1[\r][\n]"
jvm 1    | 2014-10-07 17:55:52,756-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 >> "Host: nexus.codehaus.org[\r][\n]"
jvm 1    | 2014-10-07 17:55:52,756-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 >> "Proxy-Connection: Keep-Alive[\r][\n]"
jvm 1    | 2014-10-07 17:55:52,756-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 >> "[\r][\n]"
jvm 1    | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "HTTP/1.1 403 Forbidden[\r][\n]"
jvm 1    | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Cache-Control: no-cache[\r][\n]"
jvm 1    | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Pragma:no-cache[\r][\n]"
jvm 1    | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Content-Type: text/html; charset=utf-8[\r][\n]"
jvm 1    | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Proxy-Connection: close[\r][\n]"
jvm 1    | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Connection: close[\r][\n]"
jvm 1    | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "Content-Length: 1128[\r][\n]"
jvm 1    | 2014-10-07 17:55:52,811-0400 DEBUG [ar-4-thread-1] admin org.apache.http.wire - http-outgoing-27 << "[\r][\n]"
...lots of response body from the proxy about how wrong we were to try that...

Compare that with this request from curl:

curl -v https://nexus.codehaus.org/snapshots/
* About to connect() to proxy 10.76.225.15 port 80 (#0)
*   Trying 10.76.225.15... connected
* Connected to 10.76.225.15 (10.76.225.15) port 80 (#0)
* Establish HTTP proxy tunnel to nexus.codehaus.org:443
> CONNECT nexus.codehaus.org:443 HTTP/1.1
> Host: nexus.codehaus.org:443
> User-Agent: MY_CUSTOM_USER_AGENT_STRING;
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=nexus.codehaus.org,O=OPENXOURCE,L=Camp Hill,ST=Queensland,C=AU
*       start date: Sep 26 00:00:00 2013 GMT
*       expire date: Mar 09 23:59:59 2015 GMT
*       common name: nexus.codehaus.org
*       issuer: CN=Thawte SSL CA,O="Thawte, Inc.",C=US
> GET /snapshots/ HTTP/1.1
> User-Agent: DHSI60SP1001;
> Host: nexus.codehaus.org
> Accept: */*
>
< HTTP/1.1 200 OK
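
A way to confirm the diagnosis above from the wire log, as an added example (not part of the original post or of Nexus): the Python below regroups org.apache.http.wire lines into header blocks per connection and reports, for each CONNECT, whether a User-Agent was sent and which status the proxy returned. The names audit_connects and _wire and the connection http-outgoing-28 are assumptions made for the example.

```python
import re

WIRE = re.compile(r'org\.apache\.http\.wire - (\S+) (>>|<<) "(.*)"\s*$')

def _wire(conn, direction, text):
    return ('jvm 1    | 2014-10-07 17:55:52,756-0400 DEBUG [ar-4-thread-1] admin '
            f'org.apache.http.wire - {conn} {direction} "{text}[\\r][\\n]"')

# Constructed sample: connection 27 mirrors the rejected CONNECT from the post;
# connection 28 is hypothetical and shows the same request with a User-Agent.
SAMPLE = "\n".join(_wire(*row) for row in [
    ("http-outgoing-27", ">>", "CONNECT nexus.codehaus.org:443 HTTP/1.1"),
    ("http-outgoing-27", ">>", "Host: nexus.codehaus.org"),
    ("http-outgoing-27", ">>", "Proxy-Connection: Keep-Alive"),
    ("http-outgoing-27", ">>", ""),
    ("http-outgoing-27", "<<", "HTTP/1.1 403 Forbidden"),
    ("http-outgoing-27", "<<", ""),
    ("http-outgoing-28", ">>", "CONNECT nexus.codehaus.org:443 HTTP/1.1"),
    ("http-outgoing-28", ">>", "User-Agent: MY_CUSTOM_USER_AGENT_STRING;"),
    ("http-outgoing-28", ">>", ""),
    ("http-outgoing-28", "<<", "HTTP/1.1 200 Connection established"),
    ("http-outgoing-28", "<<", ""),
])

def audit_connects(log_text):
    """Return one dict per CONNECT: target, whether User-Agent was sent, proxy status."""
    pending, awaiting, results = {}, {}, []
    for raw in log_text.splitlines():
        m = WIRE.search(raw)
        if not m:
            continue  # not a wire-log line (e.g. elided response body)
        conn, direction, payload = m.groups()
        text = payload.replace("[\\r]", "").replace("[\\n]", "")
        buf = pending.setdefault((conn, direction), [])
        if text:
            buf.append(text)
            continue
        head, pending[(conn, direction)] = buf, []  # blank line ends a header block
        if not head:
            continue
        if direction == ">>" and head[0].startswith("CONNECT "):
            names = {h.split(":", 1)[0].strip().lower() for h in head[1:]}
            entry = {"target": head[0].split()[1],
                     "user_agent": "user-agent" in names, "status": None}
            results.append(entry)
            awaiting[conn] = entry
        elif direction == "<<" and conn in awaiting:
            awaiting.pop(conn)["status"] = int(head[0].split()[1])
    return results
```

Feed it the unwrapped log file contents; lines that a mail client has re-wrapped will not match the pattern.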

Re: HTTP proxy + custom user agent + httpS remote storage location

Peter Lynch-2


On Thu, Oct 9, 2014 at 2:06 PM, carlosf <[hidden email]> wrote:
> nexus 2.9.2-01
>
> We are running behind an HTTP proxy that requires a particular string in the
> User-Agent header.
>
> After configuring the "Default HTTP Proxy Settings" and the "User Agent
> Customization" field in the admin panel, nexus successfully proxies remote
> repositories with http remote storage locations (e.g.
> http://nexus.codehaus.org/snapshots/).  However, it cannot proxy remote
> repos with httpS remote storage locations
> (https://nexus.codehaus.org/snapshots/).
>
> It appears that when attempting to establish the tunnel with the proxy, the
> HTTP CONNECT request that nexus issues does not include a User-Agent header.
> Our proxy rejects the HTTP CONNECT request with a 403 response.
>
> Can I work around this via configuration?


I don't think so.

Please file a feature request at https://issues.sonatype.org/browse/NEXUS for this.

I don't think Nexus is violating HTTP spec here, but I see no harm in adding the header for CONNECT.