mayrom rabinovich created NIFI-7659:
---------------------------------------
Summary: NIFI dishonoring H-Proxy headers
Key: NIFI-7659
URL: https://issues.apache.org/jira/browse/NIFI-7659
Project: Apache NiFi
Issue Type: Bug
Components: Core UI
Affects Versions: 1.11.3
Environment: tested on fedora linux and windows, setup is nifi with
default config
Reporter: mayrom rabinovich
I found out that if you request the page /nifi (without a slash at the end)
NIFI redirects without checking the H-Proxy headers.
Here is an example:
{code:java}
$ curl -v http://localhost:8080/nifi -H "X-ProxyScheme: https" -H "X-ProxyHost: my.test.com" -H "X-ProxyPort: 9999"
* Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /nifi HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> X-ProxyScheme: https
> X-ProxyHost: my.test.com
> X-ProxyPort: 9999
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Sat, 18 Jul 2020 14:40:08 GMT
< Location: http://localhost:8080/nifi/
< Content-Length: 0
< Server: Jetty(9.4.26.v20200117)
{code}
As you can see, I sent a request to [http://localhost:8080/nifi] with the proxy
headers to fake a request coming from a proxy, but the server ignored the
headers and sent that the location of the resource is
[http://localhost:8080/nifi/] (instead of
[https://my.test.com:9999/nifi/]) as specified by
the X-Proxy headers.
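An offline check for the behaviour reported above, added here as an example (not code from the reporter or the NiFi project): it parses a `curl -v` transcript and compares the origin in the `Location` header with the origin declared by the `X-ProxyScheme`, `X-ProxyHost` and `X-ProxyPort` request headers. The function names and the trimmed sample transcript are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the request/response pair from the transcript above, trimmed.
SAMPLE = """\
> GET /nifi HTTP/1.1
> Host: localhost:8080
> X-ProxyScheme: https
> X-ProxyHost: my.test.com
> X-ProxyPort: 9999
>
< HTTP/1.1 302 Found
< Location: http://localhost:8080/nifi/
< Content-Length: 0
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_curl_verbose(text):
    """Return (request_headers, response_headers) with lower-cased names."""
    req, resp = {}, {}
    for line in text.splitlines():
        marker, _, rest = line.partition(" ")
        name, sep, value = rest.partition(":")
        # Header lines are "> Name: value" / "< Name: value"; skip status and "*" lines.
        if marker in (">", "<") and sep and " " not in name:
            (req if marker == ">" else resp)[name.lower()] = value.strip()
    return req, resp


def origin(scheme, authority, port=None):
    """Normalise to (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit("//" + authority)
    scheme = scheme.lower()
    port = port or parts.port or DEFAULT_PORTS.get(scheme, 0)
    return scheme, (parts.hostname or "").lower(), int(port)


def check_redirect(text):
    """Compare the Location origin with the origin the proxy headers declare."""
    req, resp = parse_curl_verbose(text)
    loc = urlsplit(resp.get("location", ""))
    if not loc.netloc:  # no redirect, or a relative one that keeps the client's origin
        return True, None, None
    expected = origin(req.get("x-proxyscheme", "http"),
                      req.get("x-proxyhost") or req.get("host", ""),
                      req.get("x-proxyport"))
    actual = origin(loc.scheme, loc.netloc)
    return actual == expected, expected, actual
```

The first element of the result is `False` when an absolute redirect points at an origin other than the one the proxy headers declare, which is the case in the transcript above.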