
HSTS is not showing up as enabled in Nessus Scans on the port serving Nexus 3.16.1-02

Hello,

First time posting -

I'm trying to get HSTS enabled on Nexus OSS 3.16.1-02

From what I've read, this is enabled by default in the jetty-https.xml file for the application.

I've created an edited jetty-ssl.xml, added it to the /etc/jetty/ directory, and added it to the nexus.properties args that list which XML files to call.

After rebooting the application and looking at the logs, everything looks good. The application is available, but Nessus scans for the HSTS vulnerability are still coming back positive.

The default https://localhost:443/nexus is currently configured behind an F5 reverse-proxy and HSTS is enabled on the F5; SSL is enabled in the application as well, terminating on port 443.

nexus.properties is calling for the jetty.xml,jetty-https.xml,jetty-ssl.xml,jetty-requestlog.xml when the application starts.

Any additional information on why this might still be coming up would be greatly appreciated.

Thank you,

MCarrica

This is the nexus.properties

application-port-ssl=443
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-ssl.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
nexus-context-path=/nexus

This is from the jetty-https.xml, for HSTS enabled:

<Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>

Nessus scans are still showing HSTS is not enabled on port 443 on the server that is serving the application.

  • I've finally managed to resolve this. – MCarrica Jun 13 '19 at 21:43
  • I came across a lot of documentation on this, an overabundance, but no real direct documentation from Sonatype other than this is "enabled by default" in the application. I had to create a jetty-rewrite.xml to finally get this to work. The app now only calls the jetty.xml, jetty-https.xml, jetty-requestlog.xml and the jetty-rewrite.xml that I added in. I'll post the contents of the rewrite for anyone else not entirely familiar with this. – MCarrica Jun 13 '19 at 21:47

1 Answer


Here are the contents of the rewrite.xml

<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- =========================================================== -->
  <!-- configure rewrite handler                                   -->
  <!-- =========================================================== -->
  <Get id="oldhandler" name="handler"/>

  <Set name="handler">
    <New id="Rewrite" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
      <Set name="handler"><Ref id="oldhandler"/></Set>
      <Set name="rewriteRequestURI">true</Set>
      <Set name="rewritePathInfo">true</Set>
      <Set name="originalPathAttribute">requestedPath</Set>

      <!-- add the HSTS header to every response served by Jetty -->
      <Call name="addRule">
        <Arg>
          <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
            <Set name="pattern">/*</Set>
            <Set name="name">Strict-Transport-Security</Set>
            <Set name="value">max-age=31536000; includeSubDomains</Set>
          </New>
        </Arg>
      </Call>
    </New>
  </Set>

</Configure>
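The scan in the question was hitting the Jetty port directly, where the header the F5 adds on its own listener never appears, so the useful check after dropping in a rewrite rule is to ask the origin port itself and judge the header the way a scanner does: present, well-formed, and with a max-age long enough to matter. The script below does that. It is an added example for this thread, not code from Sonatype, Nexus, Jetty or the poster; the host, port, path and optional CA bundle are assumptions you supply, and the two header sets at the top are constructed to mirror the before and after states described above.

```python
"""Check whether an HTTPS listener actually sends a usable Strict-Transport-Security header.

Added example for this thread; it is not code from Sonatype, Nexus, Jetty or the poster.
Host, port and path are assumptions you supply; the sample header sets below are constructed.
"""
import http.client
import ssl
import sys
from typing import Dict, Optional

# One year, the max-age the thread's rewrite rule sets; treat anything shorter as weak.
MIN_MAX_AGE = 31536000

# Constructed samples: what the Nexus port looked like before the rewrite rule,
# and what the F5 listener (or the Jetty port after the fix) returns.
ORIGIN_WITHOUT_HSTS = {
    "Server": "Nexus/3.16.1-02 (OSS)",
    "Content-Type": "text/html",
}
LISTENER_WITH_HSTS = {
    "Server": "Nexus/3.16.1-02 (OSS)",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an STS header value into lower-cased directives (RFC 6797 syntax)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if eq else None
    return directives


def evaluate_hsts(headers: Dict[str, str], min_max_age: int = MIN_MAX_AGE) -> dict:
    """Judge response headers the way a scanner would: present, well-formed, long enough."""
    sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return {"present": False, "ok": False, "reason": "no Strict-Transport-Security header"}
    directives = parse_hsts(sts)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return {"present": True, "ok": False, "reason": "missing or malformed max-age"}
    if int(max_age) < min_max_age:
        return {"present": True, "ok": False, "reason": f"max-age {max_age} is below {min_max_age}"}
    return {
        "present": True,
        "ok": True,
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "reason": "ok",
    }


def fetch_headers(host: str, port: int = 443, path: str = "/nexus/",
                  cafile: Optional[str] = None) -> Dict[str, str]:
    """HEAD the listener directly, so a header added only by an upstream proxy is not
    mistaken for one the origin sends. cafile points at a private CA bundle if needed."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples...
    for label, hdrs in (("origin without rule", ORIGIN_WITHOUT_HSTS),
                        ("listener with rule", LISTENER_WITH_HSTS)):
        print(label, evaluate_hsts(hdrs))
    # ...and a live check when a host is given, e.g.:
    #   python hsts_check.py nexus.example.internal 443 /nexus/
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        path = sys.argv[3] if len(sys.argv) > 3 else "/nexus/"
        print(host, port, evaluate_hsts(fetch_headers(host, port, path)))
```

Run it once against the F5 VIP and once against the Jetty port on the Nexus host; the setup in the question gives "ok" on the first and "no Strict-Transport-Security header" on the second until the rewrite rule (or an equivalent setting in Jetty) is in place, which is exactly the gap the scanner was reporting.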