Robert, James, All,

NiFi has been updated to be a little more strict regarding incoming HTTP
requests. If the Host header does not comply with an expected value, the
request is rejected. Currently, the expected value comes from those .host
properties. What's happening is the proxy is likely passing through all
incoming header values. When NiFi sees the request, it appears as though it
was not meant for it, so it's rejected. I believe there are two valid
options here:

1) Remove the Host header at the proxy. This should allow it to explicitly
set it to the NiFi Host when issuing the request instead of passing through
the incoming value.
2) Update NiFi to allow whitelisting of expected Host values like we did
for context paths. I've created a JIRA for this option [1].

We'll make sure these get appropriately documented for folks running behind
a proxy.

Thanks

Matt

[1] https://issues.apache.org/jira/browse/NIFI-4501

On Wed, Jan 10, 2018 at 5:00 AM, Robert R. Bruno <[email protected]> wrote:

> James,
>
> Funny enough I was thinking of the same hack, but as you said sounds a bit
> nasty.  Hopefully there is a better solution.  Also for me, I may not
> always have local admin rights on my client machine which I believe is
> required to change the hosts file.
>
> Thanks,
> Robert
>
> On Wed, Jan 10, 2018, 00:18 James Wing <[email protected]> wrote:
>
>> Robert,
>>
>> I had the same problem.  One workaround I have used was to add the DNS
>> name to the /etc/hosts file with a local IP address, so that I could
>> configure that name in nifi.web.http.host and NiFi would still bind to the
>> right IP.  It sounds like a nasty hack now that I describe it, but it
>> worked.
>>
>> Perhaps someone else knows a more elegant configuration?
>>
>> Thanks,
>>
>> James
>>
>> On Tue, Jan 9, 2018 at 7:33 AM, Robert R. Bruno <[email protected]>
>> wrote:
>>
>>> I just ran into this as well while trying out 1.5.0-SNAPSHOT.
>>>
>>> What is the solution where you are running nifi behind a proxy?  I tried
>>> setting nifi.web.http.host to my proxy ip but then nifi attempted to bind
>>> to this ip address.
>>>
>>> Hopefully I am missing something.  If not any chance a config value for
>>> allowed proxies before the release?
>>>
>>>
>>>
>>> On Fri, Dec 15, 2017, 19:26 Mike Thomsen <[email protected]> wrote:
>>>
>>>> Thanks. Is that documented?
>>>>
>>>> On Fri, Dec 15, 2017 at 7:02 PM, Andy LoPresto <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Mike,
>>>>>
>>>>> This is a recent change introduced in 1.5.0-SNAPSHOT (master). You can
>>>>> resolve this by setting nifi.web.http.host in nifi.properties to the value
>>>>> of SERVER_HERE.
>>>>>
>>>>>
>>>>> Andy LoPresto
>>>>> [email protected]
>>>>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>>>>
>>>>> On Dec 15, 2017, at 3:32 PM, Mike Thomsen <[email protected]>
>>>>> wrote:
>>>>>
>>>>> I get this error after I installed a new build:
>>>>>
>>>>> The request contained an invalid host header [SERVER_IP:8080] in the
>>>>> request [/]. Check for request manipulation or third-party intercept.
>>>>>
>>>>> In the logs it says:
>>>>>
>>>>> 2017-12-15 18:34:59,937 WARN [NiFi Web Server-66] o.a.n.w.s.
>>>>> HostHeaderSanitizationCustomizer Request host header
>>>>> [SERVER_HERE:8080] different from web hostname [(:8080)]. Overriding to
>>>>> [:8080/nifi/]
>>>>> 2017-12-15 18:34:59,938 WARN [NiFi Web Server-66] 
>>>>> o.a.nifi.web.server.HostHeaderHandler
>>>>> Request host header [SERVER_HERE:8080] different from web hostname
>>>>> [localhost(:8080)]. Overriding to [localhost:8080/nifi/]
>>>>> 2017-12-15 18:35:00,059 WARN [NiFi Web Server-59] o.a.n.w.s.
>>>>> HostHeaderSanitizationCustomizer Request host header
>>>>> [SERVER_HERE:8080] different from web hostname [(:8080)]. Overriding to
>>>>> [:8080/favicon.ico]
>>>>> 2017-12-15 18:35:00,059 WARN [NiFi Web Server-59] 
>>>>> o.a.nifi.web.server.HostHeaderHandler
>>>>> Request host header [SERVER_HERE:8080] different from web hostname
>>>>> [localhost(:8080)]. Overriding to [localhost:8080/favicon.ico]
>>>>>
>>>>> Never saw this with 1.4 and earlier. Any ideas?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Mike
>>>>>
>>>>>
>>>>>
>>>>
>>
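
A model of the Host header check discussed in this thread and of the two options in the top reply (proxy sets the Host header itself, or the server accepts a list of extra names), as an added example that is not part of the original messages and not NiFi's code. The function names and the hostnames `nifi.internal.example` and `proxy.example.com` are constructed for illustration.

```python
# Added illustration; not NiFi's HostHeaderHandler. All hostnames are constructed.
from urllib.parse import urlsplit


def normalize_host(value):
    """Return (host, port-or-None) for a Host header value, or None if malformed."""
    if not value or any(c.isspace() or c in "/@?#\\" for c in value):
        return None  # whitespace, userinfo or path characters never belong here
    try:
        parts = urlsplit("//" + value)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not parts.hostname:
        return None
    # Host names are case-insensitive; a trailing dot is the same FQDN.
    return parts.hostname.lower().rstrip("."), port


def host_allowed(header, bind_host, bind_port, extra_hosts=()):
    """Accept the bound host (with or without its port) or a listed extra name."""
    parsed = normalize_host(header)
    if parsed is None:
        return False
    allowed = {(bind_host.lower(), bind_port), (bind_host.lower(), None)}
    # Extra names model option 2: hosts the operator expects a proxy to forward.
    allowed |= {normalize_host(h) for h in extra_hosts}
    return parsed in allowed


if __name__ == "__main__":
    bind = ("nifi.internal.example", 8080)
    cases = [
        ("direct request", "nifi.internal.example:8080", ()),
        ("proxy passes client Host through", "proxy.example.com", ()),
        ("option 1: proxy sets Host itself", "nifi.internal.example:8080", ()),
        ("option 2: proxy name listed", "proxy.example.com", ("proxy.example.com",)),
        ("listed name, unlisted port", "proxy.example.com:8443", ("proxy.example.com",)),
    ]
    for label, header, extra in cases:
        verdict = "accept" if host_allowed(header, *bind, extra) else "reject"
        print(f"{verdict:6}  {label}: Host: {header}")
```

An extra entry matches only the exact host and port written, so a proxy that forwards `proxy.example.com:8443` needs that port listed as well.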
