[
https://issues.apache.org/jira/browse/NIFI-6152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384854#comment-17384854
]
Vincent Gaudissart commented on NIFI-6152:
------------------------------------------
Hi All.
I do not think that removing the {{request.isSecure()}} is a good solution.
The reason that this method always returns {{false}} is that a request can only
be considered secure when Jetty handles the actual SSL/TLS.
In our case (I have the same problem), we are in a forwarded scenario, from an
ingress or a reverse proxy. In that scenario, the SSL/TLS is handled by another
process, which talks to Jetty via a non-secure channel (standard HTTP without
encryption). The fact that the connection is secure or not is then communicated
to Jetty via "forwarded" headers.
This forwarded behavior can be controlled by a Jetty customizer
{{org.eclipse.jetty.server.ForwardedRequestCustomizer}} (in
replacement/conjunction with the
{{org.eclipse.jetty.server.SecureRequestCustomizer}} currently in use when
creating a new HttpConnexion in Apache NiFi).
However, I cannot test this hypothesis now (even if it seems simple), and for
now, I am also interested to find a workaround for the current limitation.
Regards,
Vincent
> Allow OIDC authentication for nifi running behind a proxy server with SSL
> config
> --------------------------------------------------------------------------------
>
> Key: NIFI-6152
> URL: https://issues.apache.org/jira/browse/NIFI-6152
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: nik gonzalez
> Priority: Major
>
> org.apache.nifi.web.api.AccessResource.java first checks whether
> request.isSecure() before it proceeds with oidc authentication. This is a
> proposal to remove this restriction to allow oidc authentication when running
> nifi behind a reverse proxy (e.g., haproxy, nginx) configured with SSL.
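As an added illustration of the forwarded scenario described in the comment above (not code from NiFi or from the commenter): an embedded Jetty server that listens on plain HTTP with a {{ForwardedRequestCustomizer}} and reports what {{isSecure()}} returns with and without {{X-Forwarded-Proto}}. It assumes Jetty 9.4 ({{javax.servlet}}) and Java 9+ on the classpath; the class name {{ForwardedSecureDemo}}, the {{probe}} helper and the loopback binding are choices made for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.*; // Server, ServerConnector, HttpConfiguration, ...
import org.eclipse.jetty.server.handler.AbstractHandler;

public class ForwardedSecureDemo {
    public static void main(String[] args) throws Exception {
        Server server = new Server();
        HttpConfiguration config = new HttpConfiguration();
        // Maps X-Forwarded-Proto / Forwarded onto the request scheme and isSecure().
        config.addCustomizer(new ForwardedRequestCustomizer());
        // Plain-HTTP connector: TLS is terminated by the proxy, not by Jetty.
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(config));
        // Forwarded headers are ordinary request headers, so the listener must be
        // reachable only by the trusted proxy (assumed here to run on the same host).
        connector.setHost("127.0.0.1");
        connector.setPort(0); // ephemeral port for the demo
        server.addConnector(connector);
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request base, HttpServletRequest req,
                               HttpServletResponse resp) throws IOException {
                resp.setContentType("text/plain");
                resp.getWriter().print(req.isSecure()); // the value the OIDC check reads
                base.setHandled(true);
            }
        });
        server.start();
        try {
            int port = connector.getLocalPort();
            System.out.println("no forwarded header      isSecure=" + probe(port, null));
            System.out.println("X-Forwarded-Proto: https isSecure=" + probe(port, "https"));
        } finally {
            server.stop();
        }
    }

    // Sends one GET to the local listener, optionally playing the proxy's role.
    static String probe(int port, String proto) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL("http://127.0.0.1:" + port + "/").openConnection();
        if (proto != null) c.setRequestProperty("X-Forwarded-Proto", proto);
        try (InputStream in = c.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
}
```

Because the customizer accepts the header from whoever connects, the proxy should overwrite any client-supplied {{X-Forwarded-*}} and {{Forwarded}} headers before passing the request on.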