Routing Rules

As an administrator of a Nexus Repository Manager instance you may want to prevent it from making certain requests to upstream repositories. This could be used to prevent leaking the names of internal projects to external registries, or to prevent a name hijacking attack where a malicious user creates packages in a registry with names used by your internal projects.

Creating or Modifying a Routing Rule

The Routing Rules section of the interface can be found in the Administration section under Repository. A user will need to have the nx-all privilege to view or make changes to routing rules. To edit a routing rule, select it from the list; to create a new one, click the Create Routing Rule button in the toolbar.

Routing rules have two modes: BLOCK and ALLOW. When BLOCK is chosen, if one of the matchers matches the request path then the request will be blocked; otherwise it will be allowed. If a rule uses ALLOW mode, then the request path must be matched by at least one of the matchers or it will be blocked.

Each routing rule must define one or more matchers; these must be valid regular expressions as allowed by Java. Defining these may require some understanding of the URIs used by formats; alternatively, you could keep matchers simple and match your company name, for example .*sonatype.*. With regular expressions it's possible to create matchers for a wide variety of scenarios; however, keep in mind that regular expressions can be expensive to evaluate and in extreme cases lead to a Regular Expression Denial of Service.

Testing Routing Rules

Below the routing rule editor is a section to help test the rule. Here you can specify a possible request path (for example, copying one from a search result or from the request log), and the tool will verify whether the request would be allowed or blocked by the rule as written. As noted in the subtext, request paths will always begin with a leading slash, which is supplied by the test tool automatically.
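The BLOCK and ALLOW semantics and the leading-slash behaviour described above can be modelled offline to check matchers before saving a rule. This is an added example, not Nexus Repository Manager code. It assumes a matcher must match the entire request path, uses Python's re module as a stand-in for Java regular expressions (equivalent for simple patterns like these), and uses constructed request paths and hypothetical function names.

```python
import re

def normalize(path):
    """Request paths always begin with a leading slash; supply it if missing."""
    return path if path.startswith("/") else "/" + path

def is_allowed(mode, matchers, path):
    """Return True if a request for `path` would be passed upstream.

    Assumption: a matcher must match the whole path (full match).
    """
    if mode not in ("BLOCK", "ALLOW"):
        raise ValueError("mode must be BLOCK or ALLOW")
    if not matchers:
        raise ValueError("a routing rule needs at least one matcher")
    path = normalize(path)
    matched = any(re.fullmatch(m, path) for m in matchers)
    # BLOCK: any match blocks the request. ALLOW: a match is required.
    return matched if mode == "ALLOW" else not matched

def evaluate(mode, matchers, paths):
    """Map each sample path to 'allowed' or 'blocked' under one rule."""
    return {p: "allowed" if is_allowed(mode, matchers, p) else "blocked"
            for p in paths}

# Constructed sample request paths (Maven-style layout).
SAMPLE_PATHS = [
    "/com/sonatype/internal-lib/1.0/internal-lib-1.0.jar",
    "/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.pom",
]

# Constructed rules: the page's company-name matcher, plus a matcher that
# forgets the leading slash and therefore never matches a full path.
RULES = [
    ("BLOCK", [r".*sonatype.*"]),
    ("ALLOW", [r".*sonatype.*"]),
    ("BLOCK", [r"com/sonatype/.*"]),   # missing leading slash: blocks nothing
    ("BLOCK", [r"/com/sonatype/.*"]),  # anchored at the path root
]

if __name__ == "__main__":
    for mode, matchers in RULES:
        print(mode, matchers)
        for path, verdict in evaluate(mode, matchers, SAMPLE_PATHS).items():
            print(f"  {verdict:8} {path}")
```

The third rule shows why the test tool is worth using: under the full-match assumption, a matcher written without the leading slash silently lets internal names through to the upstream.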

Deleting a Routing Rule

Routing rules can be removed by using the Delete Routing Rule button from the toolbar while viewing a routing rule. In order for the delete to be successful the rule must not be assigned to any repositories.

Assigning a Rule to a Repository

While editing a proxy repository there is a section titled Routing Rule which allows the user to select a previously created routing rule to use for the repository. Entering text into the field will allow you to select the routing rule name from a filtered list of routing rules. If you do not choose one, the field is cleared when it loses focus. Click the triangle on the right to display all options. For more information see Repository Management.