[ https://issues.apache.org/jira/browse/NIFI-14858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013732#comment-18013732 ]

Lars Francke commented on NIFI-14858:
-------------------------------------

To elaborate on your question about Load Balancers: We see this in Kubernetes 
environments where DNS names and IPs are "constantly" changing. I assume this 
doesn't happen (as much) in more static environments.


*Load Balancers which pass through TLS*
- Load balancer forwards traffic to NiFi instances at different internal
hostnames (e.g., nifi-1.internal, nifi-2.internal)
- External clients connect to lb.company.com (or in this case some AWS name)
- NiFi certificates are issued for the internal hostnames, not the load
balancer hostname
- SNI from client contains "lb.company.com" but NiFi certificate has
"nifi-1.internal"

Proper certificates aren't always feasible:
- Dynamic Kubernetes pod names that change on restart, moving of nodes or
similar scenarios
- Certificate management policies that don't allow internal hostnames in public
certificates (because e.g. AWS does - in theory - allow adding more certs to
the LB at least to their ALB, not the NLB though I believe)

This is what I can think of off the top of my head and which we have
encountered.

Does that help?

> Make SNI checking configurable
> ------------------------------
>
>                 Key: NIFI-14858
>                 URL: https://issues.apache.org/jira/browse/NIFI-14858
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 2.5.0
>            Reporter: Lars Francke
>            Assignee: Lars Francke
>            Priority: Minor
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> As of NiFi 2.0 SNI certificates are required and the host must match.
> This is a problem for us (and others) when there is for example a load 
> balancer in front which does not match the host name of NiFi.
> Instead of disabling the SNI check by default this makes it configurable.
>  
> I propose introducing two new configuration properties:
>  * nifi.web.https.sni.required (whether a SNI certificate is required)
>  * nifi.web.https.sni.host.check (whether to check the Host from the SNI 
> certificate against the incoming request)
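The scenario in the comment (node certificate for nifi-1.internal, client SNI carrying lb.company.com) and the two proposed properties can be modelled as a small server-side policy. The following Go program is an added example written for this page; it is not NiFi's or Jetty's code, and the type `SNIPolicy`, the functions `EvaluateSNI`, `ServerTLSConfig` and `SelfSignedCert`, and the mapping of the two fields onto `nifi.web.https.sni.required` and `nifi.web.https.sni.host.check` are assumptions made for illustration. The certificate is generated in memory so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SNIPolicy mirrors the two properties proposed in the issue. The field names
// and their semantics are an assumption for this example, not NiFi's code.
type SNIPolicy struct {
	Required  bool // nifi.web.https.sni.required: reject a ClientHello with no SNI
	HostCheck bool // nifi.web.https.sni.host.check: SNI must match the server certificate
}

var (
	ErrSNIMissing  = errors.New("client sent no SNI server name")
	ErrSNIMismatch = errors.New("SNI server name does not match server certificate")
)

// EvaluateSNI decides whether a handshake carrying serverName may proceed under
// the policy. Matching uses x509's hostname rules, so SAN wildcards are honoured.
func EvaluateSNI(p SNIPolicy, serverName string, cert *x509.Certificate) error {
	if serverName == "" {
		if p.Required {
			return ErrSNIMissing
		}
		return nil // no SNI and none required: nothing to compare
	}
	if p.HostCheck {
		if err := cert.VerifyHostname(serverName); err != nil {
			return fmt.Errorf("%w: %v", ErrSNIMismatch, err)
		}
	}
	return nil
}

// ServerTLSConfig wires the policy into a tls.Config. GetConfigForClient runs on
// the ClientHello, so returning an error aborts the handshake before it completes.
func ServerTLSConfig(p SNIPolicy, keyPair tls.Certificate, leaf *x509.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{keyPair},
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			if err := EvaluateSNI(p, hello.ServerName, leaf); err != nil {
				return nil, err
			}
			return nil, nil // nil config: continue with the outer config unchanged
		},
	}
}

// SelfSignedCert builds an in-memory certificate for the given DNS names. It
// stands in for a NiFi node certificate and is constructed for this example only.
func SelfSignedCert(dnsNames ...string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

func main() {
	// Constructed scenario from the comment: the node certificate names
	// nifi-1.internal while the client's SNI carries the load balancer name.
	_, leaf, err := SelfSignedCert("nifi-1.internal")
	if err != nil {
		panic(err)
	}
	strict := SNIPolicy{Required: true, HostCheck: true}   // today's behaviour
	relaxed := SNIPolicy{Required: false, HostCheck: false} // both properties off
	fmt.Println("strict,  lb.company.com:  ", EvaluateSNI(strict, "lb.company.com", leaf))
	fmt.Println("strict,  nifi-1.internal: ", EvaluateSNI(strict, "nifi-1.internal", leaf))
	fmt.Println("relaxed, lb.company.com:  ", EvaluateSNI(relaxed, "lb.company.com", leaf))
}
```

Turning `HostCheck` off only relaxes the server's comparison of the SNI value against its own certificate; the client still verifies the certificate it receives against the name it connected to, so a client reaching lb.company.com and getting a nifi-1.internal certificate still needs a trust decision on its side (for example, a certificate that also lists the load balancer name, or the load balancer terminating TLS).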



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
