[ 
https://issues.apache.org/jira/browse/KNOX-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16612862#comment-16612862
 ] 

Vipin Rathor commented on KNOX-1434:
------------------------------------

Thanks to [~lmccay], we found that the Knox Admin UI topology (manager.xml) is 
setting this HSTS to true by default. I set 
strict.transport.enabled=false in the 
/usr/hdp/current/knox-server/conf/topologies/manager.xml topology file for Knox 
UI and we don't see the redirect anymore.

In favor of avoiding the "unsolicited" (and very annoying) browser redirect 
and to be consistent with other Knox topologies, I propose to turn off HSTS by 
default for Knox Admin UI. I'm attaching a trivial patch which helps us achieve 
this. Thoughts/feedback/suggestions are welcome! Thanks.

> Visiting Knox Admin UI forces subsequent requests to other services redirect 
> to HTTPS
> -------------------------------------------------------------------------------------
>
>                 Key: KNOX-1434
>                 URL: https://issues.apache.org/jira/browse/KNOX-1434
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: AdminUI
>    Affects Versions: 1.0.0
>         Environment: HDP 3.0
> Knox 1.0.0
>            Reporter: Vipin Rathor
>            Priority: Critical
>             Fix For: 1.2.0
>
>
> *Problem Description:*
> Visiting Knox Admin UI in any browser (Firefox / Chrome) sets the HTTP Strict 
> Transport Security (HSTS) header for the host where Knox is running. Any 
> subsequent request to other services on the same host (e.g. Grafana, Ranger 
> etc.) over HTTP would get redirected to HTTPS due to this header.
> Please note that this HSTS header is disabled in all Knox topologies by 
> default.
> Ref: 
> [https://knox.apache.org/books/knox-1-1-0/user-guide.html#HTTP+Strict+Transport+Security]
>  
> *Impact:*
> All non-SSL requests to other services get redirected automatically to 
> HTTPS and would result in SSL errors like SSL_ERROR_RX_RECORD_TOO_LONG or 
> some other error.
>  
> *Expected Behavior:*
> Unless HSTS is specifically enabled for Knox Admin UI, it should not set the 
> HSTS header.
>  
> *Steps to reproduce:*
>  # Configure Knox with the default topology as one normally would.
>  # Once Knox is up, visit Knox Admin UI.
>  # Now, in the same browser session, visit any non-SSL service running on the 
> same Knox host (like Ranger UI on 6080).
>  # The browser will redirect this HTTP request to HTTPS.
>  # If one carefully clears the HSTS entry in the browser, then the redirection 
> will stop until the next time one visits Knox Admin UI.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
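As an added example (not code from the issue, from Knox, or from the reporter), the following Python models the browser-side HSTS behaviour the report describes: a policy is cached by hostname only, so a Strict-Transport-Security header learned on the Admin UI port upgrades later plain-HTTP requests to any other port on the same host. The hostname knox.example.com and the header value are constructed samples, not values from the issue.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str                 # hostname the policy was learned from; no port
    max_age: int              # lifetime in seconds
    include_subdomains: bool


def parse_hsts(host: str, header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value received from `host`.
    Returns None for an invalid header (no numeric max-age) and for
    max-age=0, which tells the browser to forget any cached policy."""
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if not max_age:
        return None
    return HstsPolicy(host.lower(), max_age, include_subdomains)


def policy_applies(policy: HstsPolicy, hostname: str) -> bool:
    """HSTS is keyed on the hostname alone; the port plays no part (RFC 6797)."""
    hostname = hostname.lower()
    if hostname == policy.host:
        return True
    return policy.include_subdomains and hostname.endswith("." + policy.host)


def rewrite_request(policy: Optional[HstsPolicy], url: str) -> str:
    """Return the URL the browser would really fetch for `url`."""
    p = urlsplit(url)
    if policy is None or p.scheme != "http" or not p.hostname \
            or not policy_applies(policy, p.hostname):
        return url
    # Only the scheme changes; the port stays, so TLS is attempted against the
    # plain-HTTP port (hence errors such as SSL_ERROR_RX_RECORD_TOO_LONG).
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
```

With the constructed header `max-age=31536000; includeSubDomains` learned from knox.example.com, `rewrite_request` turns `http://knox.example.com:6080/` into `https://knox.example.com:6080/`, which is exactly the Ranger-on-6080 case from the report.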
