Hi all,
We are migrating from Artifactory to Nexus and so far everything is going great.
Today, though, I’ve stumbled on an issue I’m struggling to fix.
I have the username and password/token to access the APT repository and they are correct because I’ve verified them by bypassing Nexus (or using Artifactory).
On Nexus, I thought that the username and password should go into the “HTTP Authentication” section of a repository setting.
I did but the APT proxy doesn’t work.
I get back an error saying that the request made by Nexus is not authenticated.
The HTTP section says:
“The HTTP configuration section allows you to configure the necessary details to access the remote repository, even if you have to provide authentication details in order to access it successfully or if you have to connect to it via a proxy server.”
And then I’ve set the authentication using “Username” and filling in the username and password.
The APT remote is private and protected by username/password.
The instruction to access that APT remote is to put the username/password in auth.conf, but of course that doesn’t apply to Nexus.
So, how should I configure an APT proxy for which the remote requires APT authentication?
The first question is really - does Nexus have anonymous access enabled, or did you create a user with the appropriate permissions and configure the apt CLI to use the user?
The second question is not Nexus-specific but rather HTTP-based. Typically for HTTP, one makes a request and the remote may issue a challenge for authentication; occasionally systems may be configured such that they do not issue a challenge for authentication. This requires something generally referred to as pre-emptive authentication, where authentication is included on the initial request.
I don’t believe we support pre-emptive authentication for apt repositories; there is a commonly held belief in security circles that pre-emptive authentication is insecure.
Nexus has anonymous access enabled and also users.
I have many APT proxy repositories set up so far that are public and all work well, except for the one that needs APT authentication.
So, to be totally frank, for me this proves that Nexus has a bug and is not able to correctly pass the HTTP basic authentication when dealing with an APT repository (at least).
So, what should I do?
Is there already a ticket for that? If not, how can I open one?
Also, I’ve run a curl command without passing the username and password and the response from the server contains the header:
Www-Authenticate: Basic realm=""
which, according to the documentation I’ve found at WWW-Authenticate - HTTP | MDN,
indicates that the server is requesting authentication and that “Basic” is the challenge.
So, that seems to be another thing that corroborates the fact that Nexus has a bug here.
Because I felt Nexus’s developer was not going to recognize this as a bug, I asked our internal infrastructure team. They edited the NGINX configuration to act as a proxy to the APT repository that required authentication and they injected the authentication via NGINX, completely bypassing Nexus. Then, in Nexus I’ve added an APT repository with the local URL served by the NGINX proxy configuration.
So:
Nexus → Local URL → Local NGINX → NGINX injecting HTTP Basic Authentication → External URL
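The chain described in the last post, written out as an NGINX server block. This is an added example, not the configuration the poster's infrastructure team used; the upstream host name, listen port, credential placeholder and CA bundle path are assumptions.

```nginx
# Added example. apt.example.invalid, port 8089 and the Base64 value are
# placeholders (assumptions), not values taken from the thread.
server {
    # Loopback only: every client that can reach this listener is served
    # with the injected upstream credentials, so it must not be exposed
    # on a network interface. Assumes Nexus runs on the same host.
    listen 127.0.0.1:8089;

    location / {
        # An APT proxy only reads; allowing GET also allows HEAD.
        limit_except GET { deny all; }

        proxy_pass https://apt.example.invalid/;
        proxy_set_header Host apt.example.invalid;

        # Pre-emptive Basic authentication: the header is sent on the
        # first request instead of waiting for a 401 challenge.
        # Value is "Basic " + base64("username:password").
        proxy_set_header Authorization "Basic BASE64_OF_USERNAME_COLON_PASSWORD";

        # Verify the upstream certificate so the credentials are never
        # sent to a host that merely answers for the upstream name.
        # nginx does not verify upstream certificates by default.
        proxy_ssl_server_name on;
        proxy_ssl_name apt.example.invalid;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

With this in place the Nexus APT proxy repository's remote URL would be `http://127.0.0.1:8089/` with no HTTP authentication configured in Nexus. The file now holds the credential, so it should be readable only by the account that loads the NGINX configuration.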