This is an automated email from the ASF dual-hosted git repository.
pvillard31 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 2654e7123f1 NIFI-16056 Document single host format for Proxy Host
Headers (#11419)
2654e7123f1 is described below
commit 2654e7123f103b5f4404a827e9b06d2a5ee737a3
Author: David Handermann <[email protected]>
AuthorDate: Fri Jul 10 23:46:39 2026 -0500
NIFI-16056 Document single host format for Proxy Host Headers (#11419)
* NIFI-16056 Documented single host format for Proxy Host Headers
---
nifi-docs/src/main/asciidoc/administration-guide.adoc | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc
b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index f7ed3cf5702..a2af47b3055 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -2732,7 +2732,12 @@ X-ProxyPort - the port the proxy is listening on
X-ProxyContextPath - the path configured to map to the NiFi instance
....
-* If NiFi is running securely, any proxy needs to be authorized to proxy user
requests. These can be configured in the NiFi UI through the Global Menu. Once
these permissions are in place, proxies
+* NiFi expects a single host or host and port combination in `X-ProxyHost` or
`X-Forwarded-Host` header values. When routing requests through multiple
servers, some proxy servers append to existing
+values, producing a comma-separated string composed of multiple hosts. NiFi
rejects comma-separated values with an `HTTP 421` status. Reverse proxy servers
must be configured to disable appending to
+existing values, or unset input values before forwarding requests. Servers
such as Apache HTTP
link:https://httpd.apache.org/docs/2.4/mod/mod_proxy.html[mod_proxy] should set
`ProxyAddHeaders` to
+`Off` to avoid producing invalid comma-separated values.
+
+* When running with HTTPS enabled, all proxy servers must be authorized to
proxy user requests. These can be configured in the NiFi UI through the Global
Menu. Once these permissions are in place, proxies
can begin proxying user requests. The end user identity must be relayed in a
HTTP header. For example, if the end user sent a request to the proxy, the
proxy must authenticate the user. Following
this the proxy can send the request to NiFi. In this request an HTTP header
should be added as follows.