You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@nifi.apache.org by Curtis Ruck <cu...@gmail.com> on 2019/05/14 22:09:32 UTC
X-Forwarded-Context whitelisting not working
I am attempting (unsuccessfully) to configure multiple numbered unclustered
nifi instances behind a single reverse proxy vhost (external limitations on
single vhost and no clustering)
In my reverse proxy I have X-Forwarded-Context set and in debug logging
both CatchAllFilter and SanitizeContextPathFilter see the passed context
(/nifi1 ... /nifiN). In debug logging though, CatchAllFilter isn't seeing
any items from getWhitelistedContextPath() where as
SanitizeContextPathFilter does show the items in the
getWhitelistedContextPath().
Since CatchAllFilter extends SanitizeContextPathFilter, it should work
except CatchAllFilter isn't calling super.init() which means the
private whitelistedContextPaths never gets initialized.
Has anyone gotten Nifi working at a nested context path i.e. (/nifi1/nifi,
/nifi1/nifi-api)?
--
Curtis Ruck
Re: X-Forwarded-Context whitelisting not working
Posted by Curtis Ruck <cu...@gmail.com>.
Yes, went through that guide with a fine tooth comb. Then started enabling
debug logging and comparing log outputs.
The telling factor in the logs were these lines (/nifi1 in Sanitize and
nothing in CatchAll).
o.a.n.w.filter.SanitizeContextPathFilter - SanitizeContextPathFilter
received provided whitelisted context paths from NiFi properties: /nifi1
o.a.n.w.filter.CatchAllFilter - CatchAllFilter [index.jsp] received
provided whitelisted context paths from NiFi properties:
Then investigation into how whitelistedContextPaths gets set revealed the
likely culprit is the lack of a super.init(filterConfig) inside
CatchAllFilter.init().
--
Curtis Ruck
On Wed, May 15, 2019 at 8:50 AM Matt Gilman <ma...@gmail.com> wrote:
> Curtis,
>
> I haven't set this up recently but it was working the last time I tried
> it. Just wanted to ensure you that were following the guidance in our admin
> guide for standing up instances behind a proxy [1].
>
> Matt
>
> [1]
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration
>
> On Tue, May 14, 2019 at 6:17 PM Curtis Ruck <cu...@gmail.com> wrote:
>
>> I am attempting (unsuccessfully) to configure multiple numbered
>> unclustered nifi instances behind a single reverse proxy vhost (external
>> limitations on single vhost and no clustering)
>>
>> In my reverse proxy I have X-Forwarded-Context set and in debug logging
>> both CatchAllFilter and SanitizeContextPathFilter see the passed context
>> (/nifi1 ... /nifiN). In debug logging though, CatchAllFilter isn't seeing
>> any items from getWhitelistedContextPath() where as
>> SanitizeContextPathFilter does show the items in the
>> getWhitelistedContextPath().
>>
>> Since CatchAllFilter extends SanitizeContextPathFilter, it should work
>> except CatchAllFilter isn't calling super.init() which means the
>> private whitelistedContextPaths never gets initialized.
>>
>> Has anyone gotten Nifi working at a nested context path i.e.
>> (/nifi1/nifi, /nifi1/nifi-api)?
>>
>> --
>> Curtis Ruck
>>
>
Re: X-Forwarded-Context whitelisting not working
Posted by Matt Gilman <ma...@gmail.com>.
Curtis,
I haven't set this up recently but it was working the last time I tried it.
Just wanted to ensure you that were following the guidance in our admin
guide for standing up instances behind a proxy [1].
Matt
[1]
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration
On Tue, May 14, 2019 at 6:17 PM Curtis Ruck <cu...@gmail.com> wrote:
> I am attempting (unsuccessfully) to configure multiple numbered
> unclustered nifi instances behind a single reverse proxy vhost (external
> limitations on single vhost and no clustering)
>
> In my reverse proxy I have X-Forwarded-Context set and in debug logging
> both CatchAllFilter and SanitizeContextPathFilter see the passed context
> (/nifi1 ... /nifiN). In debug logging though, CatchAllFilter isn't seeing
> any items from getWhitelistedContextPath() where as
> SanitizeContextPathFilter does show the items in the
> getWhitelistedContextPath().
>
> Since CatchAllFilter extends SanitizeContextPathFilter, it should work
> except CatchAllFilter isn't calling super.init() which means the
> private whitelistedContextPaths never gets initialized.
>
> Has anyone gotten Nifi working at a nested context path i.e. (/nifi1/nifi,
> /nifi1/nifi-api)?
>
> --
> Curtis Ruck
>
Re: X-Forwarded-Context whitelisting not working
Posted by Craig Knell <cr...@gmail.com>.
Nope
We tried.
Ended up using virtual host ie nifi1.domain.com
Best regards
Craig
> On 15 May 2019, at 06:09, Curtis Ruck <cu...@gmail.com> wrote:
>
> I am attempting (unsuccessfully) to configure multiple numbered unclustered nifi instances behind a single reverse proxy vhost (external limitations on single vhost and no clustering)
>
> In my reverse proxy I have X-Forwarded-Context set and in debug logging both CatchAllFilter and SanitizeContextPathFilter see the passed context (/nifi1 ... /nifiN). In debug logging though, CatchAllFilter isn't seeing any items from getWhitelistedContextPath() where as SanitizeContextPathFilter does show the items in the getWhitelistedContextPath().
>
> Since CatchAllFilter extends SanitizeContextPathFilter, it should work except CatchAllFilter isn't calling super.init() which means the private whitelistedContextPaths never gets initialized.
>
> Has anyone gotten Nifi working at a nested context path i.e. (/nifi1/nifi, /nifi1/nifi-api)?
>
> --
> Curtis Ruck