APT Proxy HTTP authentication seems not working

Hi all,
We are migrating from Artifactory to Nexus and till so far everything is doing great.
Today, although, I’ve stumbled on an issue I’m struggling to fix.

I need to add an APT proxy repository on Nexus and the remote APT repository requires authentication.
https://manpages.debian.org/testing/apt/apt_auth.conf.5.en.html

I have the username and password/token to access the APT repository and they are correctly because I’ve verified them by passing Nexus (or using Artifactory).

On Nexus, I thought that the username and password should go into the “HTTP Authentication” section of a repository setting.
I did but the APT proxy doesn’t work.
I get back an error saying that the request made by Nexus is not authenticated.

How can I fix that?

Thanks,
Gianluca.

Is there a chance you’ve configured your Nexus instances to require authentication from clients and haven’t supplied it to the client?

Failing that, it might be interesting to know whether the remote server requires pre-emptive authentication

I’m new to Nexus so I’m not sure what you are talking about :frowning:

I’ve followed this documentation: Repository Management

The HTTP sections says:
“The HTTP configuration section allows you to configure the necessary details to access the remote repository, even if you have to provide authentication details in order to access it successfully or if you have to connect to it via a proxy server.”

And then I’ve set the authentication using “Username” and filling the username and password.

The APT remote is private and protected by username/password.
The instruction to access to that APT remote is to put the username/password on auth.conf but of course that doesn’t apply on Nexus.

So, how I should configure an APT proxy on which the remote requires APT authentication?

The first question is really - does Nexus have anonymous access enabled, or did you create a user with the appropriate permissions and configured the apt cli to use the user.

The second question is not Nexus specific rather HTTP based. Typically for http, one makes a request and the remote may issue a challenge for authentication; occasionally systems may be configured such that they do not issue a challenge for authentication, this requires something generally referred to as pre-emptive authentication where authentication is included on the initial request.

I don’t believe we support pre-emptive authentication for apt repositories, there is a commonly held belief in security circles that pre-emptive authentication is insecure.

Nexus has anonymous access enabled and also users.
I have many APT proxy repositories set so far that are public and all works well but for the one that needs APT authentication.

The APT remote that requires authentication follows the APT protocol for authenticate.
https://manpages.debian.org/testing/apt/apt_auth.conf.5.en.html

So, I was expecting that Nexus was following the same protocol in case of APT proxy but it seems from what you say that is not the case.

Now, what are my alternatives to solve this?

@mpiggott I did some experiment from command line.

The following command returns the correct file:

curl -u username:token https://products.path.com/repository/release/apt/dists/xenial-2ndquadrant/InRelease

So, to be totally frank, for me this prove that Nexus has a bug and it’s not able to pass correctly the HTTP basic authentication when dealing with APT repository (at least).

So, what should I do?
Is there already a ticket for that? If not, how can I open one?

Thanks,
Gianluca.

@mpiggott

Also, I’ve run curl command without passing the username and password and the response from the server contains the header:

Www-Authenticate: Basic realm=""

that according to the documentation I’ve found at WWW-Authenticate - HTTP | MDN
indicates that the server is requesting an authentication and the “Basic” is the challenge.

So, that seems another thing that corroborate the fact Nexus has a bug here.

@mpiggott
Ok, it’s definitely a bug in Nexus and already reported in 2019:

Do you know if there are any development on to fix that in near future?

The best thing to do is file a ticket at https://issues.sonatype.org