[ https://issues.apache.org/jira/browse/NIFI-5508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16580216#comment-16580216 ]

ASF GitHub Bot commented on NIFI-5508:
--------------------------------------

Github user ruckc commented on the issue:

    https://github.com/apache/nifi/pull/2944

    So, I can try adjusting everything as needed, and close this PR and create a new one from a branch with the right name.

    On the actual details. S2S doesn't work behind a reverse proxy currently. So, then the arguable right answer would be to support pulling certificates from a Reverse Proxy Request Header, and try to keep X509 Authentication working as it is currently.

    So S2S, this would only apply to HTTP S2S API. I'm not very familiar with this, does the S2S HTTP API all live in a certain context path i.e. /nifi-api/s2s? If the UI never accesses that context path, then X509 Authentication only needs to be enabled on that path, not the entire server. We should be able to do that by triggering an SSL/TLS renegotiation needing/wanting client authentication.



> Support disabling wantClientAuth when running behind a reverse proxy.
> ---------------------------------------------------------------------
>
>                 Key: NIFI-5508
>                 URL: https://issues.apache.org/jira/browse/NIFI-5508
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.7.0, 1.7.1
>         Environment: Reverse Proxy & trying to use other credential provider when the reverse proxy provides a client certificate itself.
>            Reporter: Curtis W Ruck
>            Priority: Major
>              Labels: rever
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> As discussed on mailing list.
> JettyServer always calls either setNeedClientAuth(true) or setWantClientAuth(true).
> When used with a reverse proxy that has a client certificate, it is impossible currently to use other credential providers as the X509 authentication takes precedence.
> Adding the ability to disable wantClientAuth via a NiFi property would enable the ability to leverage existing SSO solutions behind a reverse proxy.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)