Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2410#discussion_r162530407
  
    --- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
    @@ -2645,6 +2645,15 @@ documentation of the proxy for guidance for your 
deployment environment and use
     ...
     ....
     
    +* If NiFi is running securely, configuration must be updated to allow 
expected Host and context paths HTTP headers.
    +
    +** By default, NiFi will only accept HTTP requests with a Host header 
matching the host[:port] that it is bound to. If NiFi is to accept requests 
directed to a different
    +host[:port] the expected values need to be configured. This may be 
required when running behind a proxy or in a containerized environment. This is 
configured in a comma
    +separated list in _nifi.properties_ using the `nifi.web.proxy.host` 
property. (e.g. localhost:18443, proxyhost:443)
    +
    +** By default, NiFi will accept any HTTP requests with a 
X-ProxyContextPath or X-Forwarded-Context header. However, NiFi can be set up 
to only allow specific values by configuring a
    --- End diff --
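    
    Review bot: In the second `**` bullet, "NiFi will accept any HTTP requests with a X-ProxyContextPath or X-Forwarded-Context header" documents a default-allow for client-supplied header values without saying what NiFi does with a request whose value is not allowed. The Host bullet above it has the same gap. Suggest stating the failure behaviour for each header and whether each check depends on "running securely", since the parent bullet scopes both to secure mode. The `nifi.web.proxy.host` example would also be clearer as a literal property line (`nifi.web.proxy.host=localhost:18443, proxyhost:443`), so that it shows whether whitespace after the comma is accepted. Also, "a X-ProxyContextPath" should read "an X-ProxyContextPath".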
    
    I do not believe this understanding (or at least how I am reading it) is correct.
    
    * NiFi always parses these values from the incoming request, regardless of whether it is "secure" or "plaintext".
    * NiFi will *not* accept any value from this header unless it is whitelisted.
    * In the event an incoming request has an `X-ProxyContextPath` or `X-Forwarded-Context` header value that is not present in the whitelist, the "An unexpected error has occurred" page will be shown, and the following will appear in `nifi-app.log`:
    
    ```
    2018-01-18 19:21:19,129 ERROR [NiFi Web Server-17] org.apache.nifi.web.util.WebUtils The provided context path [/https://thisisdefinitelynotarealsite.com/malicious.js";] was not whitelisted []
    2018-01-18 19:21:26,715 ERROR [NiFi Web Server-77] org.apache.nifi.web.util.WebUtils The provided context path [/https://thisisdefinitelynotarealsite.com/malicious.js";] was not whitelisted []
    ```
    * For *any* value expected to be present in these headers (for example, a modified context path due to a proxy), the value must be defined in `nifi.web.proxy.context.path`.
    
    ```
    2018-01-18 19:24:18,685 ERROR [NiFi Web Server-84] org.apache.nifi.web.util.WebUtils The provided context path [/localhost:8080] was not whitelisted []
    2018-01-18 19:24:28,763 ERROR [NiFi Web Server-17] org.apache.nifi.web.util.WebUtils The provided context path [/localhost:8080] was not whitelisted []
    2018-01-18 19:24:52,234 ERROR [NiFi Web Server-81] org.apache.nifi.web.util.WebUtils The provided context path [/nifi] was not whitelisted []
    ```
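
A triage sketch for the `nifi-app.log` rejections quoted in the comment above, added here as an example and not part of the original comment or of NiFi. It parses the `WebUtils` error line and separates plain paths (likely a missing `nifi.web.proxy.context.path` entry) from values that do not look like a path at all. The function names, the two labels and the "plain path" pattern are assumptions; the sample lines are three of those quoted above, re-joined onto single lines.

```python
import re
from collections import Counter

# Three of the rejections quoted in the comment above, one per line.
SAMPLE_LOG = r'''
2018-01-18 19:21:19,129 ERROR [NiFi Web Server-17] org.apache.nifi.web.util.WebUtils The provided context path [/https://thisisdefinitelynotarealsite.com/malicious.js";] was not whitelisted []
2018-01-18 19:24:18,685 ERROR [NiFi Web Server-84] org.apache.nifi.web.util.WebUtils The provided context path [/localhost:8080] was not whitelisted []
2018-01-18 19:24:52,234 ERROR [NiFi Web Server-81] org.apache.nifi.web.util.WebUtils The provided context path [/nifi] was not whitelisted []
'''

# The path group is greedy so a "]" inside the header value does not cut it
# short. Assumption: the trailing whitelist dump itself contains no "]".
REJECTION = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ERROR \[(?P<thread>[^\]]+)\] "
    r"org\.apache\.nifi\.web\.util\.WebUtils The provided context path "
    r"\[(?P<path>.*)\] was not whitelisted \[(?P<allowed>[^\]]*)\]\s*$"
)

# Assumption: a legitimate proxy context path is "/"-separated segments made
# of letters, digits, "_", "-" and "." only.
PLAIN_PATH = re.compile(r"^(/[A-Za-z0-9_.-]+)+/?$")


def parse_rejections(log_text):
    """Return one dict (ts, thread, path, allowed) per rejection line."""
    hits = []
    for line in log_text.splitlines():
        m = REJECTION.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def triage(path):
    """Separate probable configuration gaps from values worth a closer look."""
    if PLAIN_PATH.match(path) and ".." not in path:
        return "candidate-whitelist-entry"
    return "investigate"


def summarize(log_text):
    """Count rejections per (label, rejected value)."""
    return Counter((triage(r["path"]), r["path"]) for r in parse_rejections(log_text))


if __name__ == "__main__":
    for (label, path), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {label:26s} {path}")
```
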

