How to force HSTS in Nexus 3 - jetty-9

HSTS is not showing up as enabled in Nessus Scans on the port serving Nexus 3.16.1-02
Hello,
First time posting -
I'm trying to get HSTS enabled on Nexus OSS 3.16.1-02
From what I've read, this is enabled by default in the jetty-https.xml file for the application.
I've created an edited jetty-ssl.xml and added it to the /etc/jetty/ directory and the nexus.properties args for which xml files to call.
After rebooting the application and looking at the logs, everything looks good. The application is available, but Nessus scans for the HSTS vulnerability are still coming back positive.
The default https://localhost:443/nexus is currently configured behind an F5 reverse-proxy and HSTS is enabled on the F5, ssl is enabled in the application as well, terminating on port 443.
nexus.properties is calling for the jetty.xml,jetty-https.xml,jetty-ssl.xml,jetty-requestlog.xml when the application starts.
Any additional information on why this might still be coming up would be greatly appreciated.
Thank you,
MCarrica
This is the nexus.properties
application-port-ssl=443
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-ssl.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
nexus-context-path=/nexus
This is from the jetty-https.xml for the HSTS enabled
<Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
Nessus scans are still showing HSTS is not enabled on port 443 on the server that is serving the application

Here are the contents of the rewrite.xml
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<!-- =========================================================== -->
<!-- configure rewrite handler -->
<!-- =========================================================== -->
<Get id="oldhandler" name="handler"/>
<Set name="handler">
<New id="Rewrite" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
<Set name="handler"><Ref id="oldhandler"/></Set>
<Set name="rewriteRequestURI">true</Set>
<Set name="rewritePathInfo">true</Set>
<Set name="originalPathAttribute">requestedPath</Set>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">/*</Set>
<Set name="name">Strict-Transport-Security</Set>
<Set name="value">max-age=31536000; includeSubDomains</Set>
</New>
</Arg>
</Call>
</New>
</Set>
</Configure>
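The check a practitioner would run before editing any more Jetty XML, added here as an example that is not code from this thread, from Sonatype or from Jetty: a Python script that parses a Strict-Transport-Security header the way a browser or scanner does (RFC 6797: max-age is mandatory and numeric, directive names are case-insensitive, a repeated directive makes the whole header invalid) and reports why a response fails, plus a helper that fetches headers straight from a host and port over TLS. Running `fetch_headers` against the F5 virtual server and then directly against the Jetty listener on the Nexus host separates the two cases described above: a header added by the F5 is only seen by clients whose traffic passes through the F5, while a scanner that connects to port 443 on the application server itself sees whatever Jetty sends. The two sample responses, the `MIN_MAX_AGE` threshold and the `VIA_F5`/`DIRECT_PORT` names are constructed for the example.

```python
"""Added example: evaluate HSTS on an HTTPS response, offline against
constructed header lists or live against a host:port."""
import http.client
import ssl
from typing import Dict, List, Optional, Tuple

# One year, the value the thread's rewrite rule uses; the threshold itself is
# an assumption chosen for this example, not a Nessus or Jetty constant.
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse an STS header value per RFC 6797 section 6.1.

    Returns {directive_name_lowercased: value_or_None}, or None when a
    conforming client would ignore the header (missing or non-numeric
    max-age, or any directive appearing twice).
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        directive_value = val.strip().strip('"') if sep else None
        if name in directives:
            return None  # duplicate directive: header is invalid
        directives[name] = directive_value
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return directives


def evaluate_hsts(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for a response given as (name, value) header pairs."""
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return ["missing: no Strict-Transport-Security header on the HTTPS response"]
    findings: List[str] = []
    if len(sts) > 1:
        # RFC 6797 section 8.1: clients process only the first STS header
        findings.append("warn: multiple STS headers; clients use only the first")
    parsed = parse_hsts(sts[0])
    if parsed is None:
        return findings + ["invalid: clients will ignore this STS header: " + sts[0]]
    max_age = int(parsed["max-age"])  # type: ignore[arg-type]
    if max_age == 0:
        findings.append("disabled: max-age=0 tells clients to forget the HSTS policy")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"weak: max-age {max_age} is below {MIN_MAX_AGE}")
    if "includesubdomains" not in parsed:
        findings.append("info: includeSubDomains not set")
    return findings or ["ok: " + sts[0]]


def fetch_headers(host: str, port: int = 443, path: str = "/",
                  verify: bool = True) -> List[Tuple[str, str]]:
    """Live check: fetch response headers from host:port over TLS.

    Point it at the F5 virtual server and then at the Jetty port on the
    Nexus host itself; the second call shows what a direct scan sees.
    verify=False is only for internal hosts with private CA certificates.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses (not captured from any real system).
VIA_F5 = [("Server", "Jetty(9.4.z)"),
          ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
DIRECT_PORT = [("Server", "Jetty(9.4.z)"), ("Content-Type", "text/html")]

if __name__ == "__main__":
    for label, hdrs in (("via F5", VIA_F5), ("direct to Jetty", DIRECT_PORT)):
        print(f"{label}: {evaluate_hsts(hdrs)}")
```

If the direct check comes back "missing", the header has to be produced by Jetty itself. In Jetty 9.4 the SecureRequestCustomizer referenced in jetty-https.xml emits the header only when its STS max-age has been set to a non-negative value; the shipped default is -1, which disables it, so merely including the customizer does not turn HSTS on.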

Can we run initial sql in oracle jdbc connection on jetty?

I have a local jetty java project. I would like to run some sql when the server creates any connections. The connections are configured in a jetty-env.xml file. I'm hoping there is some oracle jdbc property like "run-sql-on-connect" where I can trigger the sql. Essentially I want to alter the session whenever a connection is established. Is there anything in OracleDataSource.connectionProperties like this?
<New id="OracleDS_local" class="org.mortbay.jetty.plus.naming.Resource">
<Arg>jdbc/local</Arg>
<Arg>
<New class="oracle.jdbc.pool.OracleDataSource">
<Set name="URL">jdbc:oracle:thin:*******</Set>
<Set name="user">*****</Set>
<Set name="password">****</Set>
<Set name="connectionProperties">
<Set name="run-sql-on-connect">alter session sql here</Set>
</Set>
</New>
</Arg>
</New>
A possible workaround/solution (depending on the requirements) would be to use a custom context handler and a related event to perform a separate connection and execute the query you want.
I know it's not an optimal solution but it might do the trick.
Reference:
https://www.eclipse.org/jetty/javadoc/jetty-11/org/eclipse/jetty/webapp/WebAppContext.html
<Configure id='oracledbdemo' class="org.eclipse.jetty.webapp.WebAppContext">
<New id="OracleDS_local" class="org.mortbay.jetty.plus.naming.Resource">
...
</Configure>
REPLACE WITH
<Configure id='oracledbdemo' class="<YOUR_CUSTOM_WebAppContext_HERE">
</Configure>

Configuring thread name prefix in Jetty transport

It would be great if someone was able to help me with the following.
We currently use Jetty to expose our REST interface (which is set up with Spring) and I want to be able to set the prefix of the threads that are used to process these calls. I believe I have found the change to cxf that will enable this behaviour:
https://issues.apache.org/jira/browse/CXF-5919
It seems to change the initial "qtp" value to whatever you want. (The version we have does include these changes.) The problem is that I cannot actually work out how to set it; initially I tried the following:
<Configure id="server" class="org.eclipse.jetty.server.Server">
<Set name="threadPool">
<New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
<Set name="minThreads">10</Set>
<Set name="maxThreads">1000</Set>
<Set name="threadNamePrefix">myname</Set>
</New>
</Set>
</Configure>
http://wiki.eclipse.org/Jetty/Reference/jetty.xml_syntax#Creating_a_NewObject_and_Setting_It_on_the_Server
But that does not work as it's not the QueuedThreadPool that has the threadNamePrefix value.
It would be great if someone was able to give me some pointers as to how I can update my jetty.xml so that I can set this value.
Thank you
Rob
Looking at the Jetty source code I see that the name attribute is the one you are after. Your example should look like this:
<Configure id="server" class="org.eclipse.jetty.server.Server">
<Set name="threadPool">
<New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
<Set name="minThreads">10</Set>
<Set name="maxThreads">1000</Set>
<Set name="name">myname</Set>
</New>
</Set>
</Configure>
This is the result (from VisualVM) on my setup:

Jetty 9 XML Connector Configuration error

I am attempting to run jetty 9.3.8. I had to change over my Jetty 8 configuration, which was working, but I am now receiving a Config error which prints out the whole XML connector configuration line.
Here is what Jetty doesn't like - jetty.xml
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.nio.SelecChannelConnector">
<Set name="host">
<Property name="jetty.host" default="localhost"/>
</Set>
<Set name="port">
<Property name="jetty.port" default="7080"/>
</Set>
<Set name="maxIdleTime">60000</Set>
<Set name="Acceptors">2</Set>
<Set name="statsOn">false</Set>
<Set name="lowResourcesConnections">20000</Set>
<Set name="confidentialPort">7443</Set>
</New>
</Arg>
</Call>
Any ideas are great.
You have a typo in SelecChannelConnector => SelectChannelConnector.
Anyway, for Jetty 9 you should prefer the use of org.eclipse.jetty.server.ServerConnector as quoted in Jetty's own documentation:
Prior to Jetty 9, the type of the connector specified both the protocol and the implementation used; for example, selector-based non blocking I/O vs blocking I/O, or SSL connector vs non-SSL connector. Jetty 9 has a single selector-based non-blocking I/O connector, and a collection of ConnectionFactories now configure the protocol on the connector.
Configuring Jetty Connectors

Rewrite rules for Run Jetty Run

I am trying to add a rewrite rule to my run jetty run Eclipse plugin. I am using Jetty v 8.1.2 and supply a 'jetty-rewrite.xml' in the 'Additional Jetty.xml' Eclipse run configuration option. What I would like to achieve is rewriting the following URL
/hello/world?id=1
to
/
The rewrite works in so far as my local URL is updated correctly. However, regardless of what URL I enter (regardless if it matches the rewrite pattern or not), I get a 404 File not Found error from jetty. Note that '/' is mapped to 'index.html' in my web.xml. I can enter any URL (even the full path to index.html) and I get the same 404 error.
<?xml version="1.0" ?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<!-- create and configure the rewrite handler -->
<New id="Rewrite" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
<Set name="rewriteRequestURI">true</Set>
<Set name="rewritePathInfo">false</Set>
<Set name="originalPathAttribute">requestedPath</Set>
<!-- redirect the response. This is a redirect which is visible to the browser.
After the redirect, the browser address bar will show /redirected -->
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.RedirectPatternRule">
<Set name="pattern">/hello/world/*</Set>
<Set name="location">/</Set>
</New>
</Arg>
</Call>
</New>
<!-- add the rewrite handler to the server -->
<Set name="handler">
<Ref id="Rewrite" />
</Set>
</Configure>
I don't use any other jetty configuration files, except the default ones that are loaded by the run jetty run plugin. Thanks for any pointers.
Turns out the problem was that I hadn't realized that <Set name="handler"> essentially 'overwrites' my default handlers. So, to fix it, I changed the last few lines to
<!-- add the rewrite handler to the server -->
<Set name="handler">
<New class="org.eclipse.jetty.server.handler.HandlerCollection">
<Set name="handlers">
<Array type="org.eclipse.jetty.server.Handler">
<Item>
<Ref id="Rewrite" />
</Item>
<Item>
<Ref id="oldhandler"/>
</Item>
</Array>
</Set>
</New>
</Set>
where oldhandler refers to a previously declared <Get id="oldhandler" name="handler"/>
I use jetty9, and I edit two files:
1) start.ini
add one line: "--module=rewrite"
2) etc/jetty-rewrite.xml
add:
/yyy/(.*)
/$1

Is it possible to use Elasticsearch remotely?

I have a web app that needs to use ElasticSearch, but my host does not permit Java apps.
Is it possible to put the ElasticSearch server on another (remote) machine so that the web app makes its queries to a remote server? If so, does ElasticSearch have some way to secure the data on the ElasticSearch server? How can I prevent other users from making queries to this remote ElasticSearch server?
Best Regards,
Yes. If you don't have the option to move your application to another server that permits Java, you can access the remote server using JSON calls or a client if available for your platform (http://www.elasticsearch.org/guide/en/elasticsearch/client/community/current/clients.html).
To make things secure, you can install the jetty plugin (https://github.com/sonian/elasticsearch-jetty), configure SSL and authentication, and maybe add an IP restriction, for example by creating a jetty-iprestriction.xml with the content below and adding a reference to it in elasticsearch.yml.
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="ESServer" class="org.eclipse.jetty.server.Server">
<Set name="handler">
<New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
<Set name="handlers">
<Array type="org.eclipse.jetty.server.Handler">
<Item>
<New class="org.eclipse.jetty.server.handler.IPAccessHandler">
<Call name="addWhite">
<!-- allowed server ip -->
<Arg>xxx.xxx.xxx.xxx</Arg>
</Call>
<Set name="handler">
<New class="com.sonian.elasticsearch.http.jetty.handler.JettyHttpServerTransportHandler"
id="HttpServerAdapterHandler">
<Set name="transport"><Ref id="ESServerTransport"/></Set>
</New>
</Set>
</New>
</Item>
<Item>
<New id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler"/>
</Item>
<Item>
<New id="RequestLog" class="org.eclipse.jetty.server.handler.RequestLogHandler"/>
</Item>
</Array>
</Set>
</New>
</Set>
</Configure>