This is an automated email from the ASF dual-hosted git repository.

pvillard31 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 2654e7123f1 NIFI-16056 Document single host format for Proxy Host 
Headers (#11419)
2654e7123f1 is described below

commit 2654e7123f103b5f4404a827e9b06d2a5ee737a3
Author: David Handermann <[email protected]>
AuthorDate: Fri Jul 10 23:46:39 2026 -0500

    NIFI-16056 Document single host format for Proxy Host Headers (#11419)
    
    * NIFI-16056 Documented single host format for Proxy Host Headers
---
 nifi-docs/src/main/asciidoc/administration-guide.adoc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc 
b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index f7ed3cf5702..a2af47b3055 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -2732,7 +2732,12 @@ X-ProxyPort - the port the proxy is listening on
 X-ProxyContextPath - the path configured to map to the NiFi instance
 ....
 
-* If NiFi is running securely, any proxy needs to be authorized to proxy user 
requests. These can be configured in the NiFi UI through the Global Menu. Once 
these permissions are in place, proxies
+* NiFi expects a single host or host and port combination in `X-ProxyHost` or 
`X-Forwarded-Host` header values. When routing requests through multiple 
servers, some proxy servers append to existing
+values, producing a comma-separated string composed of multiple hosts. NiFi 
rejects comma-separated values with an `HTTP 421` status. Reverse proxy servers 
must be configured to disable appending to
+existing values, or unset input values before forwarding requests. Servers 
such as Apache HTTP 
link:https://httpd.apache.org/docs/2.4/mod/mod_proxy.html[mod_proxy] should set 
`ProxyAddHeaders` to
+`Off` to avoid producing invalid comma-separated values.
+
+* When running with HTTPS enabled, all proxy servers must be authorized to 
proxy user requests. These can be configured in the NiFi UI through the Global 
Menu. Once these permissions are in place, proxies
 can begin proxying user requests. The end user identity must be relayed in a 
HTTP header. For example, if the end user sent a request to the proxy, the 
proxy must authenticate the user. Following
 this the proxy can send the request to NiFi. In this request an HTTP header 
should be added as follows.
 

Reply via email to