Getting "Blocked mirror for repositories" maven error even after adding mirrors

Question

In my past project I had a problem with dependencies starting with http, just like this one Maven Build Failure -- DependencyResolutionException . Solution was to add mirrors for the project worked fine. Though now on another project I use the same dependencies, have the same setup and I am still getting the error. Any thoughts?

Answer 1

Maven now disables all insecure http://* mirrors by default. Here is explanation from maven mainteners: http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291

More and more repositories use HTTPS nowadays, but this hasn’t always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning “any external URL using HTTP”. The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.

The solution (not recommended for security reasons mentioned above) may be to remove <blocked> section from mirror list in default Maven settings.xml file (/usr/share/maven/conf/settings.xml)

Update:

We can find there are 2 settings.xml in two Maven paths:

1. The Maven install: ${maven.home}/conf/settings.xml
2. A user's install: ${user.home}/.m2/settings.xml

If you do not want to edit anything in the default settings in Maven install. You can add a new mirror with the same ID to overwrite this settings. Add below inside settings > mirrors section:

<mirror>
    <id>maven-default-http-blocker</id>
    <url>http://127.0.0.1/dont-go-here</url>
    <mirrorOf>dummy</mirrorOf>
    <blocked>false</blocked>
</mirror>

Answer 2

If I had to guess, you're running the latest Maven, which disables HTTP. Try downgrading to Maven 3.6.

[Edit] That said, Stanislav's answer is the most correct.

Answer 3

C:-> Users-> your_user_name -> .m2 -> settings.xml

Adding this mirror to your settings.xml file.

<mirror>
  <id>jaspersoft-third-party-mirror</id>
  <mirrorOf>jaspersoft-third-party</mirrorOf>
  <url>http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
  <blocked>false</blocked>
</mirror>

Answer 4

If Stanislav Kardashov's solution doesn't help, just remove (or comment out) the whole http-blocker mirror in maven settings.xml.

Path (as pointed out in Stanislavs answer): /usr/share/maven/conf/settings.xml

    <!--
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>
        -->

Answer 5

Try converting the mirror from http to https if the maven repository that you are using have a secure endpoint available. This worked for me in case of confluent.

Answer 6

Override that mirror, let it react on dummy protocol. In the local ${HOME}/.m2/settings.xml specify:

    <mirrors>
        <mirror>
            <id>maven-default-http-blocker</id>
            <mirrorOf>external:dummy:*</mirrorOf>
            <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
            <url>http://0.0.0.0/</url>
            <blocked>true</blocked>
        </mirror>
    </mirrors>

Answer 7

Just thought I'd add what worked for me since I worked on this for over an hour and don't see my particular solution listed anywhere in this thread.

I have successfully built a certain maven project on my PC for years now, and have been training a colleague on how to build it himself on his mac. He kept getting blocked mirror errors, while I wasn't -- even though we are using the same version of maven (3.8.1) and the same exact project repository/branch.

We tried many of the suggestions in this thread (and elsewhere) but nothing was helping. I decided to see where our settings files differed. This was when I realized that he was using a local settings.xml file (located in his .m2 directory), and that I did not have that settings.xml file inside my .m2. I found that I was using the global settings.xml that had come with maven, in the conf directory under the main maven install directory (.../apache-maven-3.8.1/conf/settings.xml). I had never modified this config file. The global settings file included a mirrors section, but the local one did not.

I'm not really sure what sequence of events caused my colleague to have this user-specific settings file when I didn't -- perhaps something about the mac install vs PC.

So I had my colleague rename the .m2 settings file to settings.txt, in order to disable it and force maven to use the global one. The first try didn't work, but then when he edited the global settings.xml mirror section to have <blocked>false</blocked> instead of true: VOILA problem fixed. It built successfully on the next attempt.

Answer 8

Works like a charm by commenting this block script of D:\installer\IntelliJ IDEA 2022.1\plugins\maven\lib\maven3\conf\settings.xml

<!-- <mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
  <blocked>true</blocked>
</mirror> -->

Answer 9

It is recommended to use https endpoint for your repo in setting file. In order to resolve or you can say skip default maven setting.xml . Then click on Override checkbox when you set your user setting.xml file . Eg. In IntelliJ , File —-> Settings —-> Buld, Execution,Deployment —-> Build Tools —-> Maven —-> User setting file —> click Override check box

In your user setting.xml , remove below tag if present.

Above steps will solve your problem.

Answer 10

Intellij Solution here.

So if you've tried everything and it still doesn't work, go to Settings > Build , Execution, Deployment > Build Tools > Maven and change the user settings to the location of your settings.xml file. In my case the default pointed to the .m2 folder:

but the settings file was in the Maven_Home folder. I just changed it to that and the mirror blocked error went away. Remember to do this whenever you delete your .m2 and/or .idea folders.

Answer 11

I already had a mirror in my settings. So I just needed to add the new selector external:http:*

Example of what worked for me:

<mirrors>
    <mirror>
        <id>example.mirror.nexus</id>
        <mirrorOf>external:http:*</mirrorOf>
        <name>My Maven Repository</name>
        <url>http://example.com/my/content/</url>
    </mirror>
</mirrors>

Answer 12

If the other solutions didn't work, try deleting the .m2/repository folder and build again. This worked for me :)

Answer 13

First, the reason behind that is now the latest Maven disables the HTTP artifacts repos.

So, the solution will be:

1. Try to use the HTTPS artifacts repo if it is available and supported.

Example:

<repository>
  <id>primefaces.org</id>
  <name>PrimeFaces Maven Repository</name>
  <!-- use the [https] repo, to avoid the new mvn default blocking mirror that blocks HTTP repos -->
  <url>https://repository.primefaces.org</url>
  <!-- <url>http://repository.primefaces.org</url> -->
</repository>

2. If the HTTPS artifacts repo is not available,
   so you need to a dummy mirror for (this HTTP artifacts repo) to override the new mvn default blocking mirror that blocks HTTP repos inside your settings.xml config file.

Example:

<!-- 
A dummy mirror for (EclipseLink) to override the new mvn default blocking mirror that blocks HTTP repos
and the old eclipselink is ONLY provided by the http repo
FYI, the new eclipselink versions ( >= 2.4.2 ) are published to Maven Central where no additional repository configuration will be required.
EclipseLink 2.4.2 and Later         >>  http://download.eclipse.org/rt/eclipselink/maven.repo
More info:
https://wiki.eclipse.org/EclipseLink/Maven 
-->
<mirrors>
  <mirror>
      <id>eclipselink-mirror</id>
      <name>EclipseLink HTTP Mirror</name>
      <url>http://download.eclipse.org/rt/eclipselink/maven.repo/</url>
      <mirrorOf>eclipselink</mirrorOf>
  </mirror>
</mirrors>

Hints:

• For security reasons, you should try to avoid using HTTP repos as possible.
• In case it is hard to apply that, it is not recommended at all to permit ALL HTTP repos, but only permit (add mirror) for the selected ones.

Answer 14

The solution that worked for me was adding !repositoryId in the mirrorOf. Like this it skips the provided repository and blocks all other that use http.

 <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>!repositoryId,external:http:*</mirrorOf>
      <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
</mirror>