How Activate HSTS on nexus repository 3.8

pardopilar · February 27, 2019, 4:29pm

I am trying to activate HSTS but it did work when I modify the f jetty-https.xml file with the content that indicate on:

github.com

sonatype/nexus-public/blob/master/assemblies/nexus-base-template/src/main/resources/overlay/etc/jetty/jetty-https.xml#L19


-->


<Ref refid="httpConfig">
  <Set name="secureScheme">https</Set>
  <Set name="securePort"><Property name="application-port-ssl" /></Set>
</Ref>


<New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Arg><Ref refid="httpConfig"/></Arg>
  <Call name="addCustomizer">
    <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
  </Call>
</New>


<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
  <Set name="KeyStorePassword">password</Set>
  <Set name="KeyManagerPassword">password</Set>
  <Set name="TrustStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
  <Set name="TrustStorePassword">password</Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>

Another file I have tried to modify is the nexus-web.xml and I have got this error:

2019-02-27 11:26:16,767-0500 WARN [jetty-main-1] *SYSTEM org.eclipse.jetty.servlet.BaseHolder -
java.lang.ClassNotFoundException: org.eclipse.jetty.server.HttpHeaderSecurityFilter not found by org.eclipse.jetty.server [20]
at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1550)
at org.apache.felix.framework.BundleWiringImpl.access$200(BundleWiringImpl.java:79)
at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1958)
at java.lang.ClassLoader.loadClass(Unknown Source)
at org.apache.felix.framework.BundleWiringImpl.getClassByDelegation(BundleWiringImpl.java:1391)
at org.apache.felix.framework.BundleWiringImpl.searchImports(BundleWiringImpl.java:1571)
at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1501)
at org.apache.felix.framework.BundleWiringImpl.access$200(BundleWiringImpl.java:79)
at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1958)
at java.lang.ClassLoader.loadClass(Unknown Source)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:565)
at java.lang.ClassLoader.loadClass(Unknown Source)
at org.eclipse.jetty.util.Loader.loadClass(Loader.java:65)
at org.eclipse.jetty.servlet.BaseHolder.doStart(BaseHolder.java:93)
at org.eclipse.jetty.servlet.FilterHolder.doStart(FilterHolder.java:92)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:740)
at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:348)
at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1515)
at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1477)
at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:785)
at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:261)
at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:545)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:133)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:107)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at com.codahale.metrics.jetty9.InstrumentedHandler.doStart(InstrumentedHandler.java:92)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:133)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:115)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:133)
at org.eclipse.jetty.server.Server.start(Server.java:418)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:107)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at org.eclipse.jetty.server.Server.doStart(Server.java:385)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.sonatype.nexus.bootstrap.jetty.JettyServer$JettyMainThread.run(JettyServer.java:274)
2019-02-27 11:26:16,787-0500 WARN [jetty-main-1] *SYSTEM org.eclipse.jetty.servlet.BaseHolder -
java.lang.ClassNotFoundException: org.eclipse.jetty.server.HttpHeaderSecurityFilter not found by org.eclipse.jetty.server [20]
at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1550)
at org.apache.felix.framework.BundleWiringImpl.access$200(BundleWiringImpl.java:79)
at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1958)
at java.lang.ClassLoader.loadClass(Unknown Source)
at org.apache.felix.framework.BundleWiringImpl.getClassByDelegation(BundleWiringImpl.java:1391)
at org.apache.felix.framework.BundleWiringImpl.searchImports(BundleWiringImpl.java:1571)
at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1501)
at org.apache.felix.framework.BundleWiringImpl.access$200(BundleWiringImpl.java:79)
at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1958)
at java.lang.ClassLoader.loadClass(Unknown Source)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:565)
at java.lang.ClassLoader.loadClass(Unknown Source)
at org.eclipse.jetty.util.Loader.loadClass(Loader.java:65)
at org.eclipse.jetty.servlet.BaseHolder.doStart(BaseHolder.java:93)
at org.eclipse.jetty.servlet.FilterHolder.doStart(FilterHolder.java:92)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:777)
at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:348)
at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1515)
at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1477)
at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:785)
at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:261)
at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:545)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:133)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:107)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at com.codahale.metrics.jetty9.InstrumentedHandler.doStart(InstrumentedHandler.java:92)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:133)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:115)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:133)
at org.eclipse.jetty.server.Server.start(Server.java:418)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:107)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113)
at org.eclipse.jetty.server.Server.doStart(Server.java:385)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.sonatype.nexus.bootstrap.jetty.JettyServer$JettyMainThread.run(JettyServer.java:274)

rseddon · February 27, 2019, 7:22pm

Wouldn’t it be simpler just to remove the plain HTTP jetty connector? If you do that HSTS is not needed. To remove that connector, set the nexus-args in nexus.properties as:

nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-requestlog.xml,${jetty.etc}/jetty-https.xml

Note that the “jetty-http.xml” file is not present in that line.