exceptionfactory opened a new pull request, #9680: URL: https://github.com/apache/nifi/pull/9680
# Summary

[NIFI-14209](https://issues.apache.org/jira/browse/NIFI-14209) Restructures application HTTP `Host` header validation, removing the `HostHeaderHandler` and adding the `HostPortValidatorCustomizer` in the framework Jetty Server.

The default behavior of the [SecureRequestCustomizer](https://github.com/jetty/jetty.project/blob/413a15d6d9baddcb7d4d83e245ebcc1a0eeacfa1/jetty-core/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L62) in Jetty 12 requires TLS [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication) checking, which enforces that the requested `Host` header or authority must match one of the DNS Subject Alternative Names on the server certificate. When the HTTP request does not include a valid matching DNS name in the `Host` header, the `SecureRequestCustomizer` returns an HTTP 400 Bad Request with `Invalid SNI` as the reason. The check disallows the use of IP addresses and enforces DNS names matching the configured server certificate, which obviates much of the validation logic previously implemented in the `HostHeaderHandler`.

The TLS SNI check does not validate the requested port, which is an optional part of the `Host` header. Changes in this pull request introduce the `HostPortValidatorCustomizer` with a configurable property for valid ports based on the existing `nifi.web.proxy.host` property. The new class checks the requested port for secure HTTPS requests and returns an HTTP 421 Misdirected Request status for invalid port numbers.

New test methods for the Jetty `StandardServerProvider` confirm the expected behavior of both TLS SNI checking and host port validation with requests containing custom `Host` headers.

Additional changes include streamlining construction of the `RequestUriBuilder` using only the `HttpServletRequest`, which contains the list of allowed context paths for the request.

# Tracking

Please complete the following tracking steps prior to pull request creation.
### Issue Tracking

- [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue created

### Pull Request Tracking

- [X] Pull Request title starts with Apache NiFi Jira issue number, such as `NIFI-00000`
- [X] Pull Request commit message starts with Apache NiFi Jira issue number, such as `NIFI-00000`

### Pull Request Formatting

- [X] Pull Request based on current revision of the `main` branch
- [X] Pull Request refers to a feature branch with one commit containing changes

# Verification

Please indicate the verification steps performed prior to pull request creation.

### Build

- [X] Build completed using `mvn clean install -P contrib-check`
  - [X] JDK 21

### Licensing

- [ ] New dependencies are compatible with the [Apache License 2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License Policy](https://www.apache.org/legal/resolved.html)
- [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` files

### Documentation

- [ ] Documentation formatting appears as expected in rendered files

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
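
The port check described in the pull request summary, as an added example that is not code from the pull request or from Apache NiFi: a JDK-only sketch that extracts the optional port from a `Host` header value and maps a port outside the allowed set to HTTP 421. The class name, method names, sample hosts and port set are hypothetical, and accepting a `Host` header with no port and rejecting a malformed one with 421 are assumptions.

```java
import java.util.Set;

// Added illustration; not the HostPortValidatorCustomizer from the pull request.
public class HostPortCheck {
    static final int OK = 200;
    static final int MISDIRECTED_REQUEST = 421;

    /** Returns the port in a Host header value, or -1 when none is present. */
    static int parsePort(String hostHeader) {
        String value = hostHeader.trim();
        int searchFrom = 0;
        if (value.startsWith("[")) {
            // Bracketed IPv6 literal: colons inside the brackets are not port separators
            int close = value.indexOf(']');
            if (close < 0) {
                throw new IllegalArgumentException("Unterminated IPv6 literal");
            }
            searchFrom = close + 1;
        }
        int colon = value.indexOf(':', searchFrom);
        if (colon < 0) {
            return -1;
        }
        String digits = value.substring(colon + 1);
        // ASCII digits only; Character.isDigit would also accept other Unicode digits
        boolean numeric = !digits.isEmpty() && digits.length() <= 5
                && digits.chars().allMatch(c -> c >= '0' && c <= '9');
        if (!numeric || Integer.parseInt(digits) > 65535) {
            throw new IllegalArgumentException("Malformed port");
        }
        return Integer.parseInt(digits);
    }

    /** Maps a Host header value to the status a port validator would produce. */
    static int statusFor(String hostHeader, Set<Integer> validPorts) {
        try {
            int port = parsePort(hostHeader);
            // Assumption: a Host header without a port is accepted
            return (port == -1 || validPorts.contains(port)) ? OK : MISDIRECTED_REQUEST;
        } catch (IllegalArgumentException e) {
            return MISDIRECTED_REQUEST; // assumption: malformed port handled like an invalid one
        }
    }

    public static void main(String[] args) {
        Set<Integer> validPorts = Set.of(443, 8443); // constructed sample configuration
        String[] samples = {"nifi.example.org:8443", "nifi.example.org",
            "nifi.example.org:9999", "nifi.example.org:84x3"}; // constructed Host values
        for (String sample : samples) {
            System.out.printf("%-24s -> %d%n", sample, statusFor(sample, validPorts));
        }
    }
}
```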
