Matt meant to link to this Jira [1]. We will be writing a blog and updating the documentation guides in addition to the new property.
[1] https://issues.apache.org/jira/browse/NIFI-4761 Andy LoPresto [email protected] [email protected] PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > On Jan 10, 2018, at 5:54 AM, Matt Gilman <[email protected]> wrote: > > Robert, James, All, > > NiFi has been updated to be a little more strict regarding incoming HTTP > requests. If the Host header does not comply with an expected value, the > request is rejected. Currently, the expected value comes from those .host > properties. What's happening is the proxy is likely passing through all > incoming header values. When NiFi sees the request, it appears as those it > was not meant for it so it's rejected. I believe there are two valid options > here: > > 1) Remove the Host header at the proxy. This should allow it to explicitly > set it to the NiFi Host when issuing the request instead of passing through > the incoming value. > 2) Update NiFi to allow whitelisting of expected Host values like we did for > context paths. I've created a JIRA for this option [1]. > > We'll make sure these get appropriately documented for folks running behind a > proxy. > > Thanks > > Matt > > [1] https://issues.apache.org/jira/browse/NIFI-4501 > <https://issues.apache.org/jira/browse/NIFI-4501> > > On Wed, Jan 10, 2018 at 5:00 AM, Robert R. Bruno <[email protected] > <mailto:[email protected]>> wrote: > James, > > Funny enough I was thinking of the same hack, but as you said sounds a bit > nasty. Hopefully there is a better solution. Also for me, I may not always > have local admin rights on my client machine which I believe is required to > change the hosts file. > > Thanks, > Robert > > > On Wed, Jan 10, 2018, 00:18 James Wing <[email protected] > <mailto:[email protected]>> wrote: > Robert, > > I had the same problem. One workaround I have used was to add the DNS name > to the /etc/hosts file with a local IP address, so that I could configure > that name in nifi.web.http.host and NiFi would still bind to the right IP. > It sounds like a nasty hack now that I describe it, but it worked. > > Perhaps someone else knows a more elegant configuration? > > Thanks, > > James > > On Tue, Jan 9, 2018 at 7:33 AM, Robert R. Bruno <[email protected] > <mailto:[email protected]>> wrote: > I just ran into this as well while trying out 1.5.0-SNAPSHOT. > > What is the solution where you are running nifi behind a proxy? I tried > setting nifi.web.http.host to my proxy ip but then nifi attempted to bind to > this ip address. > > Hopefully I am missing something. If not any chance a config value for > allowed proxies before the release? > > > > On Fri, Dec 15, 2017, 19:26 Mike Thomsen <[email protected] > <mailto:[email protected]>> wrote: > Thanks. Is that documented? > > On Fri, Dec 15, 2017 at 7:02 PM, Andy LoPresto <[email protected] > <mailto:[email protected]>> wrote: > Hi Mike, > > This is a recent change introduced in 1.5.0-SNAPSHOT (master). You can > resolve this by setting nifi.web.http.host in nifi.properties to the value of > SERVER_HERE. > > > Andy LoPresto > [email protected] <mailto:[email protected]> > [email protected] <mailto:[email protected]> > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > >> On Dec 15, 2017, at 3:32 PM, Mike Thomsen <[email protected] >> <mailto:[email protected]>> wrote: >> >> I get this error after I installed a new build: >> >> The request contained an invalid host header [SERVER_IP:8080] in the request >> [/]. Check for request manipulation or third-party intercept. >> >> >> In the logs it says: >> >> 2017-12-15 18:34:59,937 WARN [NiFi Web Server-66] >> o.a.n.w.s.HostHeaderSanitizationCustomizer Request host header >> [SERVER_HERE:8080] different from web hostname [(:8080)]. Overriding to >> [:8080/nifi/] >> 2017-12-15 18:34:59,938 WARN [NiFi Web Server-66] >> o.a.nifi.web.server.HostHeaderHandler Request host header [SERVER_HERE:8080] >> different from web hostname [localhost(:8080)]. Overriding to >> [localhost:8080/nifi/] >> 2017-12-15 18:35:00,059 WARN [NiFi Web Server-59] >> o.a.n.w.s.HostHeaderSanitizationCustomizer Request host header >> [SERVER_HERE:8080] different from web hostname [(:8080)]. Overriding to >> [:8080/favicon.ico] >> 2017-12-15 18:35:00,059 WARN [NiFi Web Server-59] >> o.a.nifi.web.server.HostHeaderHandler Request host header [SERVER_HERE:8080] >> different from web hostname [localhost(:8080)]. Overriding to >> [localhost:8080/favicon.ico] >> >> Never saw this with 1.4 and earlier. Any ideas? >> >> Thanks, >> >> Mike > > > >
signature.asc
Description: Message signed with OpenPGP using GPGMail
