Swarup,

Agreed with Kevin, very nice write-up on the scenario!

Would you please provide the original request as sent by Nginx, along with
your configuration pertaining to NiFi in Nginx?  We can set up some test
cases to reproduce what's happening and get a JIRA filed if there's an edge
case not being handled by NiFi.

On Fri, Oct 11, 2019 at 9:30 AM Kevin Doran <kdo...@apache.org> wrote:

> Swarup,
>
> First, thanks for the great email. Nice job troubleshooting this and
> sharing your findings with the community.
>
> I'm more familiar with how these types of things get configured on
> NiFi Registry than NiFi, so I'm not as much help as others. But I did
> take a look and one thing I noticed was a difference between the
> startup config and the per-request config.
>
> On Startup, the whitelisted context paths are coming from the
> ServletContext FilterConfig [1].
>
> During request handling, the whitelisted context paths are coming from
> the ApplicationContext, directly from NiFi Properties [2]
>
> [1] https://github.com/apache/nifi/blob/master/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/filter/SanitizeContextPathFilter.java#L41
> [2] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ApplicationResource.java#L165
>
> Ultimately, my assumption is that both of these property values
> *should* be backed by the same nifi.properties file. But it appears
> something is happening in your case/environment/situation that is
> causing the ServletContext and ApplicationContext to get
> configured/initialized differently. This could be something specific
> to your environment or it could be uncovering an edge-case bug in
> NiFi.
>
> I think others on this mailing list who are more familiar with how the
> ServletContext gets set up in NiFi might be able to help further on
> this and determine if there is a solution/workaround or bug that needs
> patching.
>
> Thanks,
> Kevin
>
> On Fri, Oct 11, 2019 at 4:55 AM Swarup Karavadi <r...@swazza.io> wrote:
> >
> > Greetings,
> >
> > I have deployed a single node unsecured NiFi cluster (I say cluster
> > because nifi.cluster.is.node is set to "true") as a stateful set on
> > Kubernetes (AWS EKS to be specific). The NiFi cluster sits behind an Nginx
> > ingress. I have configured the Nginx ingress to forward the appropriate
> > headers to NiFi (when deployed behind a reverse proxy) as described in the
> > documentation.
> >
> > The path on the Nginx ingress which proxies traffic to the NiFi UI is
> > "/pie/ip". This same path has been whitelisted by setting the
> > "nifi.web.proxy.context.path" property to "/pie/ip". The way I am expecting
> > this setup to work is that when users navigate to http://foo.com/pie/ip
> > in the browser, they are shown a simple HTML page with redirect info and
> > then automatically redirected to http://foo.com/pie/ip/nifi where they
> > can view the NiFi canvas. Instead, the users are being redirected to
> > http://foo.com/nifi which results in a 404 response because there is no
> > '/nifi' path that has been configured on the Nginx ingress.
> >
> > I set the NiFi and Jetty Server log levels to DEBUG to understand what
> > was happening under the hood and this is what I got -
> >
> > On Startup (when the SanitizeContextPathFilter is initialized) -
> > 2019-10-11 06:07:26,206 DEBUG [main] o.a.n.w.filter.SanitizeContextPathFilter SanitizeContextPathFilter received provided whitelisted context paths from NiFi properties: /pie/ip
> >
> > On Request (when the actual request is made) -
> > 2019-10-11 06:45:45,556 DEBUG [NiFi Web Server-23] org.apache.nifi.web.util.WebUtils Context path:
> > 2019-10-11 06:45:45,556 DEBUG [NiFi Web Server-23] org.apache.nifi.web.util.WebUtils On the request, the following context paths were parsed from headers:
> > X-ProxyContextPath: /pie/ip
> > X-Forwarded-Context: null
> > X-Forwarded-Prefix: null
> > 2019-10-11 06:45:45,556 DEBUG [NiFi Web Server-23] org.apache.nifi.web.util.WebUtils Determined context path: /pie/ip
> > 2019-10-11 06:45:45,556 ERROR [NiFi Web Server-23] org.apache.nifi.web.util.WebUtils The provided context path [/pie/ip] was not whitelisted []
> > 2019-10-11 06:45:45,556 ERROR [NiFi Web Server-23] org.apache.nifi.web.util.WebUtils Error determining context path on JSP page: The provided context path [/pie/ip] was not whitelisted []
> > 2019-10-11 06:45:45,556 DEBUG [NiFi Web Server-23] o.a.n.w.filter.SanitizeContextPathFilter SanitizeContextPathFilter set contextPath:
> >
> > You will notice from the above log entries that the path '/pie/ip' was
> > successfully whitelisted. Yet, when handling the request, the whitelisted
> > context paths array is empty and this causes the wrong redirect to happen
> > on the browser - and I can't figure out why this is happening or how I can
> > fix it. Has anyone come across this kind of problem before? Any help on
> > this is much appreciated.
> >
> > Cheers,
> > Swarup.
>

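Added example, not part of the original thread and not NiFi code: a small log triage script that compares the whitelist logged by SanitizeContextPathFilter at startup with the whitelist shown in each request-time rejection, which is the discrepancy discussed above. The sample records are constructed from the lines quoted in the thread, and the comma-separated rendering of the bracketed whitelist is an assumption.

```python
import re

# Constructed sample: records in the shape quoted in the thread, one per line.
SAMPLE_LOG = """\
2019-10-11 06:07:26,206 DEBUG [main] o.a.n.w.filter.SanitizeContextPathFilter SanitizeContextPathFilter received provided whitelisted context paths from NiFi properties: /pie/ip
2019-10-11 06:45:45,556 DEBUG [NiFi Web Server-23] org.apache.nifi.web.util.WebUtils Determined context path: /pie/ip
2019-10-11 06:45:45,556 ERROR [NiFi Web Server-23] org.apache.nifi.web.util.WebUtils The provided context path [/pie/ip] was not whitelisted []
2019-10-11 06:45:45,556 ERROR [NiFi Web Server-23] org.apache.nifi.web.util.WebUtils Error determining context path on JSP page: The provided context path [/pie/ip] was not whitelisted []
"""

# Assumption: the whitelist is rendered as a comma-separated list.
STARTUP_RE = re.compile(
    r"whitelisted context paths from NiFi properties:\s*(.*)$")
REJECT_RE = re.compile(
    r"^(\S+ \S+) ERROR \[([^\]]+)\] \S+ "
    r"The provided context path \[([^\]]*)\] was not whitelisted \[([^\]]*)\]")


def split_paths(raw):
    """Split a comma-separated path list, dropping empty entries."""
    return {p.strip() for p in raw.split(",") if p.strip()}


def find_whitelist_mismatches(log_text):
    """Classify each request-time rejection against the startup whitelist."""
    startup, findings = set(), []
    for line in log_text.splitlines():
        m = STARTUP_RE.search(line)
        if m:
            startup |= split_paths(m.group(1))
            continue
        m = REJECT_RE.match(line)
        if not m:
            continue  # also skips the duplicate "Error determining ..." record
        ts, thread, path, request_list = m.groups()
        if path in startup and path not in split_paths(request_list):
            kind = "startup/request whitelist mismatch"
        else:
            kind = "path not in startup whitelist"
        findings.append({"time": ts, "thread": thread, "path": path,
                         "request_whitelist": sorted(split_paths(request_list)),
                         "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_whitelist_mismatches(SAMPLE_LOG):
        print(f)
```

A "startup/request whitelist mismatch" finding means the filter saw the path at startup but the request-time check did not, which separates this case from a path that was never configured.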