chris snow created NIFI-13823:
---------------------------------
Summary: Inconsistency between nifi.web.proxy.host format and TLS SubjectAlternativeNames
Key: NIFI-13823
URL: https://issues.apache.org/jira/browse/NIFI-13823
Project: Apache NiFi
Issue Type: Bug
Components: Configuration, Documentation & Website
Affects Versions: 2.0.0-M4
Reporter: chris snow
I'm confused with the admin docs for proxy configuration for 2.0.0-M4. The
admin docs state:
{color:#505f79}_By default, if NiFi is running securely it will only accept
HTTP requests with a Host header matching the host[:port] that it is bound to.
If NiFi is to accept requests directed to a different host[:port] the expected
values need to be configured. This may be required when running behind a proxy
or in a containerized environment. This is configured in a comma separated list
in nifi.properties using the nifi.web.proxy.host property (e.g.
localhost:18443, proxyhost:443). IPv6 addresses are accepted. Please refer to
RFC 5952 Sections 4 and 6 for additional details._{color}
However, the NiFi generated certificate seems to have the
subjectAlternativeNames populated with the value of `nifi.web.proxy.host`:
{code:java}
// nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandler.java
private Collection<String> getSubjectAlternativeNames(final Properties applicationProperties) {
    ...
    final String proxyHost = applicationProperties.getProperty(SecurityProperty.WEB_PROXY_HOST.getName());
    if (!isBlank(proxyHost)) {
        subjectAlternativeNames.add(proxyHost);
    }
    ...
}
{code}
From what I can tell from RFC 5280, host:port is not a valid
subjectAlternativeName. When I have tried different values for
nifi.web.proxy.host, only host or ipaddress worked; host:port and
ipaddress:port did not work for me.
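As an added example (not NiFi's code and not part of the original report), one way to reduce a `nifi.web.proxy.host` value to bare names before using them as subjectAlternativeNames: split the comma-separated list, then drop the port from each entry. The class and method names are hypothetical and the sample value is constructed.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added example, not NiFi code: class and method names are hypothetical.
public class ProxyHostSanExample {

    // Turns a nifi.web.proxy.host style value (comma-separated host[:port]
    // entries) into bare host names or IP literals, one per entry.
    static Set<String> toSubjectAlternativeNames(final String proxyHosts) {
        final Set<String> names = new LinkedHashSet<>();
        if (proxyHosts == null) {
            return names;
        }
        for (final String raw : proxyHosts.split(",")) {
            final String entry = raw.trim();
            if (!entry.isEmpty()) {
                names.add(stripPort(entry));
            }
        }
        return names;
    }

    static String stripPort(final String entry) {
        // Bracketed IPv6 literal, with or without a port: [2001:db8::1]:8443
        if (entry.startsWith("[")) {
            final int close = entry.indexOf(']');
            if (close < 0) {
                throw new IllegalArgumentException("Unclosed bracket: " + entry);
            }
            return entry.substring(1, close);
        }
        final int first = entry.indexOf(':');
        // More than one colon and no brackets: bare IPv6 literal, no port.
        if (first != entry.lastIndexOf(':')) {
            return entry;
        }
        // Zero or one colon: host name or IPv4 address, optionally with :port.
        return first < 0 ? entry : entry.substring(0, first);
    }

    public static void main(final String[] args) {
        // Constructed sample value in the format the admin guide describes.
        final String sample = "localhost:18443, proxyhost:443, 192.0.2.10:8443, [2001:db8::1]:8443";
        System.out.println(toSubjectAlternativeNames(sample));
    }
}
```

Under RFC 5280, the IP literals that come out of this still have to be encoded as iPAddress entries rather than dNSName entries when the certificate is built.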