[ https://issues.apache.org/jira/browse/NIFI-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15617285#comment-15617285 ]

Andy LoPresto commented on NIFI-2437:
-------------------------------------

I was able to add HSTS by default (if HTTPS is configured) pretty easily by using a [custom {{SecureRequestCustomizer}}|https://github.com/eclipse/jetty.project/commit/19d6e36ab961b9b8db97c66ebde973f36e37f959] in {{JettyServer.java}}. An issue I encountered is that HSTS will not perform the expected redirect of {{http://host:port/nifi}} to {{https://host:port/nifi}} if client certificate authorization is the only configured authentication mechanism. I believe this is because the browser does not attempt to negotiate a TLS handshake for an {{http}} address, therefore the client certificate is not provided, and NiFi is not listening for an HTTP connection. In Firefox, for example, {{http://localhost:9443/nifi}} (when {{https://localhost:9443/nifi}} has already been visited successfully and provided the HSTS header in the response) attempts to connect to {{http://www.localhost.com}}, and Chrome simply returns {{net::ERR_EMPTY_RESPONSE}}.

However, HSTS does have the desired effect when running on a valid FQDN (i.e. hosted on an addressed server or using a modified {{/etc/hosts}} file). After modifying my hosts file to alias {{nifi.nifi.apache.org}} to {{127.0.0.1}} and {{localhost}}, Chrome was able to resolve {{http://nifi.nifi.apache.org:9443/nifi/}} to {{https://nifi.nifi.apache.org:9443/nifi/}} by handling the {{307 Internal Redirect}} response code from the server, but Firefox and Safari continued to fail (no response received).

[Further research|http://serverfault.com/a/575126/109744] indicates Jetty may require [custom configuration|https://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Redirecting_http_requests_to_https] to manually respond to any HTTP connection with a {{403}} response code and automatically redirect any {{403}} to the same page over HTTPS. The documentation only describes doing this through {{web.xml}}, so I will continue to investigate if this can be done through programmatic configuration.

> Enforce HSTS to require HTTPS connections if available
> ------------------------------------------------------
>
>                 Key: NIFI-2437
>                 URL: https://issues.apache.org/jira/browse/NIFI-2437
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Core Framework
>    Affects Versions: 1.0.0
>            Reporter: Andy LoPresto
>              Labels: security
>
> HTTP Strict Transport Security (HSTS) [1] [2] is a feature of HTTP which 
> instructs browsers/clients to only communicate with a resource over HTTPS. It 
> is implemented via a header sent in the response and future connections will 
> require HTTPS. 
> [1] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> [2] https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
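The two pieces discussed in the comment above, emitting the HSTS header from the HTTPS connector and redirecting plain-HTTP requests to HTTPS, can both be done programmatically in Jetty. The following is an added illustration written for this page; it is not code from NiFi's {{JettyServer.java}} or from the Jetty project. It assumes the Jetty 9.3+ API (the {{setStsMaxAge}} / {{setStsIncludeSubDomains}} setters on {{SecureRequestCustomizer}}, and {{SecuredRedirectHandler}} as the programmatic equivalent of the {{web.xml}} {{CONFIDENTIAL}} constraint the linked documentation describes). The ports, keystore paths and passwords are placeholders, and {{HelloServlet}} is a stand-in for the real application.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.SecuredRedirectHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/** Added example: HSTS on the TLS connector plus an HTTP-to-HTTPS redirect listener. */
public class HstsJettyExample {

    // Placeholder ports; a real deployment would read these from configuration.
    private static final int HTTPS_PORT = 9443;
    private static final int HTTP_PORT = 8080;

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Base configuration shared by both connectors. securePort/secureScheme is what
        // SecuredRedirectHandler uses to build the Location header of the redirect.
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSecureScheme("https");
        httpConfig.setSecurePort(HTTPS_PORT);

        // HTTPS configuration: the customizer adds
        //   Strict-Transport-Security: max-age=31536000; includeSubDomains
        // to every response on the TLS connector. Browsers ignore this header when it
        // arrives over plain HTTP, so it is attached only here.
        HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
        SecureRequestCustomizer src = new SecureRequestCustomizer();
        src.setStsMaxAge(31536000L);        // one year, in seconds
        src.setStsIncludeSubDomains(true);
        httpsConfig.addCustomizer(src);

        // TLS settings with mandatory client certificates, matching the
        // "client certificate authorization only" scenario in the comment.
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath("/path/to/keystore.jks");      // placeholder
        sslContextFactory.setKeyStorePassword("keystore-password");      // placeholder
        sslContextFactory.setTrustStorePath("/path/to/truststore.jks");  // placeholder
        sslContextFactory.setTrustStorePassword("truststore-password");  // placeholder
        sslContextFactory.setNeedClientAuth(true);

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(HTTPS_PORT);

        // Plain-HTTP listener whose only job is to answer with a redirect. Without it,
        // an http:// URL has nothing to connect to, which is the failure described above.
        ServerConnector http = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        http.setPort(HTTP_PORT);

        server.setConnectors(new Connector[] { https, http });

        // The application itself is reachable only after the redirect handler has
        // let the request through, i.e. only when request.isSecure() is true.
        ServletContextHandler app = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        app.setContextPath("/nifi");
        app.addServlet(HelloServlet.class, "/*");

        // SecuredRedirectHandler: for any request that is not secure, send a redirect to
        // the same path on https://host:securePort and mark the request handled.
        HandlerList handlers = new HandlerList();
        handlers.addHandler(new SecuredRedirectHandler());
        handlers.addHandler(app);
        server.setHandler(handlers);

        server.start();
        server.join();
    }

    /** Stand-in for the real application; only ever served over TLS. */
    public static class HelloServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("secure=" + req.isSecure() + " scheme=" + req.getScheme());
        }
    }
}
```

Two points worth keeping in mind when checking a deployment like this: the redirect listener serves no application content and performs no authentication, so leaving client-certificate verification off that one connector does not weaken the access model, and a request to the HTTP port should be seen to return a 3xx with a {{Location}} header pointing at the HTTPS URL and nothing else. The HSTS header only protects visits after the first successful HTTPS response has been received, so the very first plain-HTTP request still relies on the redirect rather than on the browser's HSTS cache.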



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
