  1. Apache NiFi
  2. NIFI-5146

Ability to configure HTTP and HTTPS simultaneously causes HostHeader issues

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.0
    • Fix Version/s: 1.7.0
    • Component/s: None

      Description

      The host header whitelisting evaluation is only done when NiFi is configured in secure mode, determined by the setting of an HTTPS port (see https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java#L161 and https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java#L190).

      However, in the case where both are enabled, the HTTP port is not enumerated in possible combinations, and explicit inclusions of a given socket that would be HTTP are stripped via https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java#L143.

      It is possible that concurrently running HTTP and HTTPS no longer makes sense, in which case we could evaluate the relevant properties and prevent startup for an unintended configuration.  Alternatively, we would need to adjust the custom hostname interpretation to also include consideration for the HTTP port.

              People

              • Assignee:
                alopresto Andy LoPresto
                Reporter:
                aldrin Aldrin Piri
              • Votes:
                0
                Watchers:
                5

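The following is an added example, not NiFi's own code or part of the original issue: a simplified model of the Host header allowlist that shows why a request to the HTTP listener fails when only the HTTPS port is enumerated, together with the two remedies the description proposes. It assumes the standard nifi.properties keys nifi.web.http.host, nifi.web.http.port, nifi.web.https.host and nifi.web.https.port; the class, the method names and the sample values are hypothetical.

```java
import java.io.StringReader;
import java.util.*;

public class HostHeaderConfigCheck {
    // Simplified model (not NiFi's HostHeaderHandler): each configured host is
    // accepted bare and combined with every port that is taken into account.
    static Set<String> acceptedHostHeaders(Properties p, boolean includeHttpPort) {
        List<String> ports = new ArrayList<>();
        ports.add(value(p, "nifi.web.https.port"));
        if (includeHttpPort) ports.add(value(p, "nifi.web.http.port"));
        Set<String> accepted = new TreeSet<>();
        for (String key : new String[] {"nifi.web.https.host", "nifi.web.http.host"}) {
            String host = value(p, key).toLowerCase(Locale.ROOT);
            if (host.isEmpty()) continue;
            accepted.add(host);
            for (String port : ports) if (!port.isEmpty()) accepted.add(host + ":" + port);
        }
        return accepted;
    }

    // First option from the description: refuse to start on the unintended configuration.
    static void rejectDualListeners(Properties p) {
        if (!value(p, "nifi.web.http.port").isEmpty() && !value(p, "nifi.web.https.port").isEmpty()) {
            throw new IllegalStateException(
                "Both nifi.web.http.port and nifi.web.https.port are set; configure only one");
        }
    }

    static String value(Properties p, String key) {
        return p.getProperty(key, "").trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration; host name and ports are placeholders.
        Properties p = new Properties();
        p.load(new StringReader("nifi.web.http.host=nifi.example.com\nnifi.web.http.port=8080\n"
                + "nifi.web.https.host=nifi.example.com\nnifi.web.https.port=8443\n"));
        String header = "nifi.example.com:8080"; // Host header of a request to the HTTP listener
        // Behaviour described in the issue: only the HTTPS port is enumerated.
        System.out.println("HTTPS port only:    " + acceptedHostHeaders(p, false).contains(header));
        // Second option from the description: also consider the HTTP port.
        System.out.println("HTTP port included: " + acceptedHostHeaders(p, true).contains(header));
        try {
            rejectDualListeners(p);
        } catch (IllegalStateException e) {
            System.out.println("Startup refused: " + e.getMessage());
        }
    }
}
```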