Aldrin Piri created NIFI-5146:
---------------------------------
Summary: Ability to configure HTTP and HTTPS simultaneously causes
HostHeader issues
Key: NIFI-5146
URL: https://issues.apache.org/jira/browse/NIFI-5146
Project: Apache NiFi
Issue Type: Improvement
Reporter: Aldrin Piri

The host header whitelisting evaluation is only done when NiFi is configured in
secure mode, determined by the setting of an HTTPS port (see
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java#L161
and
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java#L190).

However, in the case where both are enabled, the HTTP port is not enumerated in
the possible combinations, and explicit inclusions of a given socket that would be
HTTP are stripped via
https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java#L143.

It is possible that concurrently running HTTP and HTTPS no longer makes sense,
in which case we could evaluate the relevant properties and prevent startup for
an unintended configuration. Alternatively, we would need to adjust the custom
hostname interpretation to also include consideration for the HTTP port.
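
The two options described above, sketched as an added example that is not NiFi's code or part of the original issue: a startup check that refuses a configuration with both ports set, and an allowlist builder that enumerates host:port values for every configured listener. The class name, method names, hostnames and sample values are hypothetical; only the `nifi.web.http.port` and `nifi.web.https.port` property names come from NiFi.

```java
import java.util.*;

// Hypothetical helper, not NiFi code. Only the nifi.web.* property names are NiFi's.
public class WebPortConfigCheck {
    static final List<String> PORT_KEYS = List.of("nifi.web.http.port", "nifi.web.https.port");

    // Returns the configured port, or null when the property is blank or absent.
    static Integer port(Properties p, String key) {
        String v = p.getProperty(key, "").trim();
        return v.isEmpty() ? null : Integer.valueOf(v);
    }

    // Option 1: fail fast at startup when HTTP and HTTPS are both configured.
    static void requireSingleScheme(Properties p) {
        if (port(p, PORT_KEYS.get(0)) != null && port(p, PORT_KEYS.get(1)) != null) {
            throw new IllegalStateException(
                "Both nifi.web.http.port and nifi.web.https.port are set; configure only one");
        }
    }

    // Option 2: accept Host header values for every configured listener port,
    // so a request to host:httpPort is evaluated against the same allowlist.
    static Set<String> allowedHostHeaders(Properties p, Collection<String> hostnames) {
        Set<String> allowed = new TreeSet<>();
        for (String key : PORT_KEYS) {
            Integer port = port(p, key);
            if (port == null) continue;           // listener not configured
            for (String h : hostnames) {
                String host = h.toLowerCase(Locale.ROOT);
                allowed.add(host);                // Host header without a port
                allowed.add(host + ":" + port);   // Host header with this listener's port
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        Properties p = new Properties();          // constructed sample configuration
        p.setProperty("nifi.web.http.port", "8080");
        p.setProperty("nifi.web.https.port", "8443");
        Set<String> allowed = allowedHostHeaders(p, List.of("nifi.example.com", "localhost"));
        System.out.println("allowed Host values: " + allowed);
        try {
            requireSingleScheme(p);
        } catch (IllegalStateException e) {
            System.out.println("startup refused: " + e.getMessage());
        }
    }
}
```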