[
https://issues.apache.org/jira/browse/NIFI-5146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andy LoPresto updated NIFI-5146:
--------------------------------
Resolution: Fixed
Status: Resolved (was: Patch Available)
> Ability to configure HTTP and HTTPS simultaneously causes HostHeader issues
> ---------------------------------------------------------------------------
>
> Key: NIFI-5146
> URL: https://issues.apache.org/jira/browse/NIFI-5146
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 1.6.0
> Reporter: Aldrin Piri
> Assignee: Andy LoPresto
> Priority: Major
> Labels: hostname, http, https, security
> Fix For: 1.7.0
>
>
> The host header whitelisting evaluation is only done when NiFi is configured
> in secure mode, determined by the setting of an HTTPS port. (see
> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java#L161
> and
> [https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java#L190).]
> However, in the case where both are enabled, the HTTP port is not enumerated
> in possible combinations and explicit inclusions of a given socket that would
> be HTTP is stripped via
> [https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java#L143.]
> It is possible that concurrently running HTTP and HTTPS no longer makes
> sense, in which case we could evaluate the relevant properties and prevent
> startup for an unintended configuration. Alternatively, we would need to
> adjust the custom hostname interpretation to also include consideration for
> the HTTP port.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
