[ 
https://issues.apache.org/jira/browse/KNOX-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16619475#comment-16619475
 ] 

ASF subversion and git services commented on KNOX-1434:
-------------------------------------------------------

Commit cb9911a25a2dae1abfd6c1e5a8ef0ee865afa4d9 in knox's branch refs/heads/master from [~moresandeep]
[ https://git-wip-us.apache.org/repos/asf?p=knox.git;h=cb9911a ]

KNOX-1434 - Disable strict transport for manager topology (Vipin Rathor via Sandeep More)


> Visiting Knox Admin UI forces subsequent requests to other services to redirect to HTTPS
> -------------------------------------------------------------------------------------
>
>                 Key: KNOX-1434
>                 URL: https://issues.apache.org/jira/browse/KNOX-1434
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: AdminUI
>    Affects Versions: 1.0.0
>         Environment: HDP 3.0
> Knox 1.0.0
>            Reporter: Vipin Rathor
>            Priority: Critical
>             Fix For: 1.2.0
>
>         Attachments: KNOX-1434.patch
>
>
> *Problem Description:*
> Visiting Knox Admin UI in any browser (Firefox / Chrome) sets the HTTP Strict 
> Transport Security (HSTS) header for the host where Knox is running. Any 
> subsequent request to other services on the same host (e.g. Grafana, Ranger, 
> etc.) over HTTP gets redirected to HTTPS due to this header.
> Please note that this HSTS header is disabled in all Knox topologies by 
> default.
> Ref: 
> [https://knox.apache.org/books/knox-1-1-0/user-guide.html#HTTP+Strict+Transport+Security]
>  
> *Impact:*
> All non-SSL requests to other services get redirected automatically to 
> HTTPS, which results in SSL errors like SSL_ERROR_RX_RECORD_TOO_LONG or 
> some other error.
>  
> *Expected Behavior:*
> Unless HSTS is specifically enabled for Knox Admin UI, it should not set the 
> HSTS header.
>  
> *Steps to reproduce:*
>  # Configure Knox with the default topology as one normally would.
>  # Once Knox is up, visit Knox Admin UI.
>  # Now, in the same browser session, visit any non-SSL service running on the 
> same Knox host (like Ranger UI on 6080).
>  # The browser will redirect this HTTP request to HTTPS.
>  # If one carefully clears the HSTS entry in the browser, then the redirection 
> will stop until the next time one visits Knox Admin UI again.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
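The failure mode described in the report follows directly from how browsers scope HSTS: the policy is keyed on the host name only, not on the port, so a header received from the Admin UI on the Knox HTTPS port later upgrades a plain-HTTP request to Ranger on 6080 on the same machine. The Python below is an added example that models that browser behaviour per RFC 6797 (sections 8.1 and 8.3); it is not Knox code and not part of the issue or the commit. The host name `knox.example.internal`, the Admin UI port 8443 and the header value `max-age=31536000; includeSubDomains` are constructed for the illustration.

```python
"""Model of a browser's HSTS known-hosts list (RFC 6797), used to show why an
HSTS header from one HTTPS service on a host affects every port on that host.
Added example for the KNOX-1434 discussion; not Knox project code."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if max-age is missing or invalid."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub)


class BrowserHstsCache:
    """Minimal stand-in for a browser's HSTS cache: host name -> policy."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HstsPolicy] = {}

    def observe(self, url: str, headers: Dict[str, str]) -> None:
        """Record a policy from a response. RFC 6797 s8.1: the header is only
        honoured when received over HTTPS; over plain HTTP it is ignored."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        policy = parse_hsts(value)
        if policy is None:
            return
        host = parts.hostname.lower()
        if policy.max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.hosts[host] = policy

    def is_known(self, host: str) -> bool:
        host = host.lower()
        if host in self.hosts:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):  # includeSubDomains covers child labels
            parent = self.hosts.get(".".join(labels[i:]))
            if parent and parent.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """RFC 6797 s8.3: http -> https for a known host. Only an explicit port 80
        becomes 443; any other explicit port (e.g. 6080) is kept, so the browser
        then speaks TLS to a plain-HTTP listener."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def knox_host_scenario() -> Dict[str, str]:
    """Constructed reproduction of the report: Admin UI on 8443 sends HSTS, then
    plain-HTTP requests to other ports on the same host are upgraded."""
    cache = BrowserHstsCache()
    host = "knox.example.internal"  # assumed host name, not from the report
    cache.observe(f"https://{host}:8443/gateway/manager/admin-ui/",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    return {
        "ranger": cache.rewrite(f"http://{host}:6080/"),
        "grafana": cache.rewrite(f"http://{host}:3000/"),
        "other_host": cache.rewrite("http://other.example.internal/"),
    }


if __name__ == "__main__":
    for name, url in knox_host_scenario().items():
        print(f"{name}: {url}")
```

The same `parse_hsts` doubles as the post-fix check: fetch the manager topology over HTTPS and confirm the response carries no Strict-Transport-Security header (or that `parse_hsts` returns None for it) before concluding the topology no longer poisons the browser's HSTS cache for the host.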