[ 
https://issues.apache.org/jira/browse/NIFI-14858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013733#comment-18013733
 ] 

Joe Witt commented on NIFI-14858:
---------------------------------

If I summarize, perhaps unfavorably, but I want to help highlight what this looks 
like:

"I have a specific workaround which addresses my specific problem - let's accept 
that it enables weakened security and I didn't doc it so only people in the 
know on how to use it will do so safely."

This has all the elements of what should rightly on projects like this be met 
with a wall of 'no, thanks'.

Instead let's completely reframe this to focus more on the valid architecture or 
use case you're trying to unlock and what can/should we do to help that be done 
in a manner which maintains our security posture.

"Load balancers which present different host names to the underlying host (NiFi 
in this case)"

Let's discuss this more and the configuration options for this more.

> Make SNI checking configurable
> ------------------------------
>
>                 Key: NIFI-14858
>                 URL: https://issues.apache.org/jira/browse/NIFI-14858
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 2.5.0
>            Reporter: Lars Francke
>            Assignee: Lars Francke
>            Priority: Minor
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> As of NiFi 2.0 SNI certificates are required and the host must match.
> This is a problem for us (and others) when there is for example a load 
> balancer in front which does not match the host name of NiFi.
> Instead of disabling the SNI check by default this makes it configurable.
>  
> I propose introducing two new configuration properties:
>  * nifi.web.https.sni.required (whether an SNI certificate is required)
>  * nifi.web.https.sni.host.check (whether to check the Host from the SNI 
> certificate against the incoming request)
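
As an added illustration of the check the ticket describes (this is example code written for this page, not NiFi or Jetty code), the block below builds a constructed TLS ClientHello record carrying a server_name (SNI) extension, parses the SNI host_name back out of it, and then applies the two proposed switches to a request. It assumes, as the ticket's wording does, that the host check is a comparison between the SNI host_name and the request's HTTP Host header (port stripped, case-insensitive); the property names nifi.web.https.sni.required and nifi.web.https.sni.host.check are taken from the ticket, and the function names, the sample hostnames and the fixed all-zero random are constructed for the example.

```python
import struct


def _u16(buf, pos):
    """Read a big-endian 16-bit length at pos, refusing truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def build_client_hello(sni_host):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record.
    With sni_host=None the ClientHello carries no extensions block at all."""
    body = b"\x03\x03"                                   # client_version: TLS 1.2
    body += bytes(32)                                    # random (constructed, all zeros)
    body += b"\x00"                                      # session_id length 0
    body += struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
    body += b"\x01\x00"                                  # one compression method: null
    if sni_host is not None:
        name = sni_host.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None when
    the client sent no SNI. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                         # skip client_version and random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + _u16(body, pos)                           # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    if pos == len(body):
        return None                                      # no extensions block: no SNI
    end = pos + 2 + _u16(body, pos)
    pos += 2
    if end > len(body):
        raise ValueError("extensions length exceeds ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:
            continue
        list_end = 2 + _u16(data, 0)
        p = 2
        while p + 3 <= list_end:
            name_type, name_len = data[p], _u16(data, p + 1)
            p += 3
            if name_type == 0:                           # host_name entry
                return data[p:p + name_len].decode("idna")
            p += name_len
    return None


def evaluate_request(record, http_host, sni_required=True, sni_host_check=True):
    """Apply the two proposed switches to one request and return (accepted, reason).
    sni_required mirrors nifi.web.https.sni.required; sni_host_check mirrors
    nifi.web.https.sni.host.check (both names from the ticket)."""
    sni = extract_sni(record)
    if sni is None:
        return (not sni_required, "no SNI presented")
    if not sni_host_check:
        return (True, "SNI present, host check disabled")
    if http_host.startswith("["):                        # IPv6 literal, e.g. [::1]:8443
        host = http_host[1:http_host.index("]")]
    else:
        host = http_host.rsplit(":", 1)[0]               # drop an optional :port
    if host.lower() == sni.lower():
        return (True, "SNI matches Host header")
    return (False, "SNI %r does not match Host %r" % (sni, host))


if __name__ == "__main__":
    # A load balancer that forwards with its own Host header while the client's
    # SNI still names the backend is the mismatch the ticket is about.
    hello = build_client_hello("nifi.internal.example")
    print(evaluate_request(hello, "lb.example.com:8443"))
    print(evaluate_request(hello, "lb.example.com:8443", sni_host_check=False))
```

The four combinations of the two switches fall out of evaluate_request: with both enabled a request whose Host header differs from the SNI name is refused, turning off the host check admits it while still insisting that some SNI be present, and turning off the requirement additionally admits clients that send no SNI at all. That ordering is what makes the weakening visible in the policy rather than hidden in an undocumented flag.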



--
This message was sent by Atlassian Jira
(v8.20.10#820010)