RepoFlow
Error Knowledge Base MAVEN DEFAULT_HTTP_BLOCKER

Blocked mirror for repositories (maven-default-http-blocker)

Maven refused to use an insecure HTTP repository URL and blocked the request using the built-in `maven-default-http-blocker` mirror.

Affected versions: Common on newer Maven versions that block plain HTTP repositories by default.

What This Error Means

Maven refused to use an insecure HTTP repository URL and blocked the request using the built-in maven-default-http-blocker mirror.

How to Fix It

  1. Change repository URLs from http:// to https:// wherever they are configured (POM(s), parent POM(s), and/or ~/.m2/settings.xml).
  2. If you use an internal repository manager (RepoFlow/Nexus/Artifactory), enable HTTPS and update your mirror URL to the HTTPS endpoint.
  3. If the URL is coming from a parent POM you don't control, override repository configuration in a controlled parent or use a company-standard settings.xml mirror that points to an HTTPS repository manager.
  4. Retry the build after removing all HTTP repository URLs.

Why It Happens

  • Your project (or a parent POM) declares a repository using http://.
  • Your settings.xml mirror points at an HTTP endpoint.
  • An internal repository manager is only reachable over HTTP (or is misconfigured to advertise HTTP).

How to Verify

  1. Re-run mvn -DskipTests package and confirm the maven-default-http-blocker message is gone.
  2. Confirm Maven is downloading from https://... repository URLs in the output (use mvn -X if needed).

Manual repository URL checks

  1. Find where the HTTP URL comes from by searching for http:// in your project POM(s), parent POM(s), and ~/.m2/settings.xml.
  2. Print effective settings to see mirrors and profiles that may be injecting repository URLs: mvn -q help:effective-settings.
  3. Run with debug to see which repository URL Maven is trying to reach: mvn -X -DskipTests package.

Common CLI Output

[ERROR] Blocked mirror for repositories: [central (http://repo.maven.apache.org/maven2/, default, releases)]
[ERROR] Failed to transfer artifact org.example:lib:pom:1.2.3 from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [central (http://repo.maven.apache.org/maven2/, default, releases)]

Why Maven blocks HTTP repositories

  1. Maven downloads dependencies and metadata from repositories configured in your POM(s) and settings.xml.
  2. If a repository URL is plain HTTP, Maven can block it to prevent insecure dependency downloads.
  3. The maven-default-http-blocker entry is a special mirror Maven uses to stop accidental HTTP access.

Prevention Tips

  • Standardize on a single HTTPS mirror/repository manager endpoint for all environments.
  • Avoid declaring extra repositories in individual projects unless absolutely necessary.
  • Treat HTTP artifact repositories as a security issue, migrate them to HTTPS.

Where This Can Be Triggered

github.com/apache/maven/blob/maven-3.9.11/its/core-it-suite/src/test/java/org/apache/maven/it/MavenITmng7128BlockExternalHttpReactorTest.java

Maven's integration tests assert the exact "Blocked mirror for repositories ..." output when an HTTP repository is blocked (MNG-7128). - GitHub 

verifier.verifyTextInLog( "[ERROR] Failed to execute goal on project http-repository-in-pom: "
        + "Could not resolve dependencies for project org.apache.maven.its.mng7128:http-repository-in-pom:jar:1.0: "
        + "Failed to collect dependencies at junit:junit:jar:1.3: "
        + "Failed to read artifact descriptor for junit:junit:jar:1.3: "
        + "Could not transfer artifact junit:junit:pom:1.3 from/to maven-default-http-blocker (http://0.0.0.0/): "
        + "Blocked mirror for repositories: [insecure-http-repo (http://repo.maven.apache.org/, default, releases+snapshots)]" );

Need help or found a mistake? Contact RepoFlow support for questions.

Join our mailing list