Details
- Bug
- Status: Resolved
- Minor
- Resolution: Fixed
- 2.0.0-M4
- None
Description
I'm confused with the admin docs for proxy configuration for 2.0.0-M4. The admin docs state:
> By default, if NiFi is running securely it will only accept HTTP requests with a Host header matching the host[:port] that it is bound to. If NiFi is to accept requests directed to a different host[:port] the expected values need to be configured. This may be required when running behind a proxy or in a containerized environment. This is configured in a comma separated list in nifi.properties using the nifi.web.proxy.host property (e.g. localhost:18443, proxyhost:443). IPv6 addresses are accepted. Please refer to RFC 5952 Sections 4 and 6 for additional details.
However, the NiFi generated certificate seems to have the subjectAlternativeNames populated with the value of `nifi.web.proxy.host`:
```java
// nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandler.java
private Collection<String> getSubjectAlternativeNames(final Properties applicationProperties) {
    ...
    final String proxyHost = applicationProperties.getProperty(SecurityProperty.WEB_PROXY_HOST.getName());
    if (!isBlank(proxyHost)) {
        subjectAlternativeNames.add(proxyHost);
    }
    ...
}
```
From what I can tell from RFC 5280, host:port is not a valid subjectAlternativeName. When I tried different values for nifi.web.proxy.host, only host or ipaddress worked; host:port and ipaddress:port did not work for me.
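An added example, not code from the NiFi project or from the reporter: one way to derive port-free SAN entries from a `nifi.web.proxy.host` style value, since RFC 5280 dNSName and iPAddress entries carry no port. The class and method names are hypothetical, and the sample value is constructed.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added illustration, not NiFi source code; class and method names are hypothetical.
public class ProxyHostSanExample {

    // Turns a comma-separated host[:port] list into port-free SAN entries,
    // labelled by the RFC 5280 GeneralName type each one would need.
    static Set<String> toSubjectAlternativeNames(final String proxyHosts) {
        final Set<String> names = new LinkedHashSet<>();
        if (proxyHosts == null) {
            return names;
        }
        for (final String entry : proxyHosts.split(",")) {
            final String hostPort = entry.trim();
            if (!hostPort.isEmpty()) {
                final String host = stripPort(hostPort);
                names.add((isIpLiteral(host) ? "IP:" : "DNS:") + host);
            }
        }
        return names;
    }

    static String stripPort(final String hostPort) {
        if (hostPort.startsWith("[")) { // bracketed IPv6, e.g. [2001:db8::1]:443
            final int close = hostPort.indexOf(']');
            if (close < 0) {
                throw new IllegalArgumentException("Unclosed bracket: " + hostPort);
            }
            return hostPort.substring(1, close);
        }
        final int first = hostPort.indexOf(':');
        // Exactly one colon means host:port; several mean a bare IPv6 literal.
        return first >= 0 && first == hostPort.lastIndexOf(':')
                ? hostPort.substring(0, first) : hostPort;
    }

    static boolean isIpLiteral(final String host) {
        return host.contains(":") || host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    public static void main(final String[] args) {
        // Constructed sample value; the first two entries are the admin guide's example.
        final String sample = "localhost:18443, proxyhost:443, 192.0.2.10:8443, [2001:db8::1]:443";
        System.out.println(toSubjectAlternativeNames(sample));
    }
}
```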
Issue Links
- causes NIFI-13941 Correct Maximum DNS Name Length for Generated Certificates (Resolved)