Swarup, First, thanks for the great email. Nice job troubleshooting this and sharing your findings with the community.
I'm more familiar with how these types of things get configured on NiFi Registry than NiFi, so I'm not as much help as others. But I did take a look and one thing I noticed was a difference between the startup config and the per-request config. On Startup, the whitelisted context paths are coming from the ServletContext FilterConfig [1]. During request handling, the whitelisted context paths are coming from the ApplicationContext, directly from NiFi Properties [2] [1] https://github.com/apache/nifi/blob/master/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/filter/SanitizeContextPathFilter.java#L41 [2] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ApplicationResource.java#L165 Ultimately, my assumption is that both of these property values *should* be backed by the same nifi.properties file. But it appears something is happening in your case/environment/situation that is causing the ServletContext and ApplicationContext to get configured/initialized differently. This could be something specific to your environment or it could be uncovering an edge-case bug in NiFi. I think others on this mailing list who are more familiar with how the ServletContext gets setup in NiFi might be able to help further on this and determine if there is a solution/workaround or bug that needs patching. Thanks, Kevin On Fri, Oct 11, 2019 at 4:55 AM Swarup Karavadi <r...@swazza.io> wrote: > > Greetings, > > I have deployed a single node unsecured NiFi cluster (I say cluster because > nifi.cluster.is.node is set to "true") as a stateful set on Kubernetes (AWS > EKS to be specific). The NiFi cluster sits behind an Nginx ingress. I have > configured the Nginx ingress to forward the appropriate headers to NiFi (when > deployed behind a reverse proxy) as described in the documentation. > > The path on the Nginx ingress which proxies traffic to the NiFi UI is > "/pie/ip". This same path has been whitelisted by setting the > "nifi.web.proxy.context.path" property to "/pie/ip". The way I am expecting > this setup to work is that when users navigate to http://foo.com/pie/ip in > the browser, they are shown a simple HTML page with redirect info and then > automatically redirected to http://foo.com/pie/ip/nifi where they can view > the NiFi canvas. Instead, the users are being redirected to > http://foo.com/nifi which results in a 404 response because there is no > '/nifi' path that has been configured on the Nginx ingress. > > I set the NiFi and Jetty Server log levels to DEBUG to understand what was > happening under the hood and this is what I got - > > On Startup (when the SanitizeContextPathFilter is initialized) - > 2019-10-11 06:07:26,206 DEBUG [main] o.a.n.w.filter.SanitizeContextPathFilter > SanitizeContextPathFilter received provided whitelisted context paths from > NiFi properties: /pie/ip > > On Request (when the actual request is made) - > 2019-10-11 06:45:45,556 DEBUG [NiFi Web Server-23] > org.apache.nifi.web.util.WebUtils Context path: > 2019-10-11 06:45:45,556 DEBUG [NiFi Web Server-23] > org.apache.nifi.web.util.WebUtils On the request, the following context paths > were parsed from headers: > X-ProxyContextPath: /pie/ip > X-Forwarded-Context: null > X-Forwarded-Prefix: null > 2019-10-11 06:45:45,556 DEBUG [NiFi Web Server-23] > org.apache.nifi.web.util.WebUtils Determined context path: /pie/ip > 2019-10-11 06:45:45,556 ERROR [NiFi Web Server-23] > org.apache.nifi.web.util.WebUtils The provided context path [/pie/ip] was not > whitelisted [] > 2019-10-11 06:45:45,556 ERROR [NiFi Web Server-23] > org.apache.nifi.web.util.WebUtils Error determining context path on JSP page: > The provided context path [/pie/ip] was not whitelisted [] > 2019-10-11 06:45:45,556 DEBUG [NiFi Web Server-23] > o.a.n.w.filter.SanitizeContextPathFilter SanitizeContextPathFilter set > contextPath: > > You will notice from the above log entries that the path '/pie/ip' was > successfully whitelisted. Yet, when handling the request, the whitelisted > context paths array is empty and this causes the wrong redirect to happen on > the browser - and I can't figure out why this is happening or how I can fix > it. Has anyone come across this kind of problem before? Any help on this is > much appreciated. > > Cheers, > Swarup.
