[jira] [Updated] (YARN-11937) Yarn Proxy Behind a Reverse Proxy

[Bence Kosztolnik (Jira)]

     [ 
https://issues.apache.org/jira/browse/YARN-11937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bence Kosztolnik updated YARN-11937:
------------------------------------
    Attachment:     (was: image-2026-03-05-11-17-54-127.png)

> Yarn Proxy Behind a Reverse Proxy
> ---------------------------------
>
>                 Key: YARN-11937
>                 URL: https://issues.apache.org/jira/browse/YARN-11937
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>    Affects Versions: 3.5.0
>            Reporter: Bence Kosztolnik
>            Assignee: Bence Kosztolnik
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: image-2026-03-05-11-18-22-816.png
>
>
> h5. Description
> When the Yarn Proxy is deployed behind a reverse proxy that is also used in 
> application tracking URLs, the Yarn Proxy should redirect requests to that 
> proxy instead of attempting to proxy them internally.
> h5. Use Case
> Consider the following scenario:
>     •   A user runs a Spark job.
>     •   The Spark UI is hosted in the Spark History Server (SHS).
>     •   Multiple SHS instances are deployed for high availability (HA).
>     •   The tracking URL points to a Knox Gateway, which routes requests to 
> the available SHS instances.
> This setup ensures high availability for the tracking UI. If one SHS instance 
> becomes unavailable, another can continue serving the UI.
> h5. Problem Statement
> When the Knox Gateway forwards a user’s HTTP request to the Yarn Proxy, the 
> Yarn Proxy attempts to proxy the request back to the Knox Gateway. However, 
> this proxied request does not include the JWT token. As a result, Knox 
> initiates authentication instead of forwarding the request to the appropriate 
> SHS instance.
> h5. Proposed Solution
> For security reasons, the JWT token must not be forwarded to the tracking 
> URL. Therefore, when an application registers a tracking URL that includes a 
> specific flag indicating that it is served behind a reverse proxy, the Yarn 
> Proxy should redirect the user directly to the tracking URL instead of 
> attempting to proxy the request internally.
> h5. Config
> New config was created: +yarn.web-proxy.redirect-flag+
> !image-2026-03-05-11-18-22-816.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org