Details
- Bug
- Status: Open
- Minor
- Resolution: Unresolved
- 1.11.3
- None
- None
- Tested on Fedora Linux and Windows; setup is NiFi with the default out-of-the-box config
Description
I found out that if you request the page /nifi (without a slash at the end), NiFi redirects without checking the X-Proxy headers.
Here is an example:
$ curl -v http://localhost:8080/nifi -H "X-ProxyScheme: https" -H "X-ProxyHost: my.test.com" -H "X-ProxyPort: 9999"
* Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /nifi HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> X-ProxyScheme: https
> X-ProxyHost: my.test.com
> X-ProxyPort: 9999
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Sat, 18 Jul 2020 14:40:08 GMT
< Location: http://localhost:8080/nifi/
< Content-Length: 0
< Server: Jetty(9.4.26.v20200117)
As you can see, I sent a request to http://localhost:8080/nifi with the proxy headers to fake a request coming from a proxy, but the server ignored the headers and sent back that the location of the resource is http://localhost:8080/nifi/ (instead of https://my.test.com:9999/nifi/) as specified by the X-Proxy headers.
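
An offline check for the behaviour reported above, added here as an illustration (not code from the reporter or from the NiFi project): it derives the Location that the X-Proxy headers call for and compares it with the Location the server actually returned. The function names and the rule of omitting default ports are assumptions; the header values are copied from the transcript in the report.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}  # assumption: default ports are omitted

# Request and response headers copied from the curl transcript in the report.
REQUEST = """GET /nifi HTTP/1.1
Host: localhost:8080
X-ProxyScheme: https
X-ProxyHost: my.test.com
X-ProxyPort: 9999"""
RESPONSE = """HTTP/1.1 302 Found
Location: http://localhost:8080/nifi/
Content-Length: 0"""

def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:  # request/status lines without a colon are skipped
            headers[name.strip().lower()] = value.strip()
    return headers

def expected_location(request_headers, path):
    """Location the X-Proxy headers describe for `path`, or None if they are absent."""
    scheme = request_headers.get("x-proxyscheme")
    host = request_headers.get("x-proxyhost")
    port = request_headers.get("x-proxyport")
    if not scheme or not host:
        return None
    scheme = scheme.lower()
    netloc = host if not port or port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"

def check_redirect(request_raw, response_raw, redirect_path):
    """Return (verdict, actual Location, expected Location) for one redirect."""
    want = expected_location(parse_headers(request_raw), redirect_path)
    got = parse_headers(response_raw).get("location")
    if want is None:
        return ("no-proxy-headers", got, want)
    g, w = urlsplit(got or ""), urlsplit(want)
    same = (g.scheme, g.netloc.lower(), g.path) == (w.scheme, w.netloc.lower(), w.path)
    return ("ok" if same else "ignored-proxy-headers", got, want)

if __name__ == "__main__":
    print(check_redirect(REQUEST, RESPONSE, "/nifi/"))
```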