Posted to users@nifi.apache.org by "QUEVILLON EMMANUEL - EXT-SAFRAN ENGINEERING SERVICES (SAFRAN)" <em...@safrangroup.com> on 2021/05/05 09:28:35 UTC

HTTPS host header restriction and VM in OpenStack

Hi,

We are trying to install and set Nifi on a VM in an OpenStack private cloud. The installation of Nifi on the VM is ok and running without problems when using HTTP as protocol.
However, when we try to set HTTPS, then we encounter several problems.
Let me explain how this is set (regarding network configuration) with OpenStack.
When a VM is created and started in OpenStack, a private IP address is attributed to this VM, say 192.168.10.10. OpenStack is then able to also attribute a so-called floating IP address to this VM, which makes the VM accessible from outside the cloud (like a public IP). This IP, say 1.2.3.4, is then reachable through a web browser, as http://1.2.3.4, thus this is how we can access our Nifi web interface using HTTP protocol.

Here is a small representation of the translation

MyComputer --- ask http://1.2.3.4 ------> OpenStack ----> NAT to VM interface ------> 192.168.10.10(eth0) ---> Nifi

Due to this OpenStack Nat translation behavior, when we try to set up HTTPS mode, we cannot reach our nifi web interface.
We are facing two problems:

1) If we set the property nifi.web.https.host to our public IP (1.2.3.4), Nifi fails to start with the following error: java.io.IOException: Failed to bind to /1.2.3.4:8443, which is somehow normal as the VM does not know its public IP (provided by OpenStack).

2) If we set the property nifi.web.https.host to 0.0.0.0, nifi starts ok, however, when we reach the interface, we're facing the following error:

System Error
The request contained an invalid host header [1.2.3.4:8443] in the request [/nifi]. Check for request manipulation or third-party intercept.
Valid host headers are [empty] or:

  *   127.0.0.1
  *   127.0.0.1:8443
  *   localhost
  *   localhost:8443
  *   192.168.10.10
  *   192.168.10.10:8443
  *   0.0.0.0
  *   0.0.0.0:8443

Did we misconfigure nifi?
Is there a way to work around this situation?
Thanks for your help or explanation

Regards

Emmanuel

C2 - Restricted

" This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system."

RE: HTTPS host header restriction and VM in OpenStack

Posted by "QUEVILLON EMMANUEL - EXT-SAFRAN ENGINEERING SERVICES (SAFRAN)" <em...@safrangroup.com>.
Hi Dries,

Thanks for your quick reply. It sounds good for us, setting this property looks like it solves our problem!
Thanks a lot.

Emmanuel

From: Van Autreve Dries <dr...@vlaanderen.be>
Sent: Wednesday 5 May 2021 11:41
To: users@nifi.apache.org
Subject: Re: HTTPS host header restriction and VM in OpenStack

Hello Emmanuel

Might be nifi.web.proxy.host that needs to be configured?

nifi.web.proxy.host

A comma separated list of allowed HTTP Host header values to consider when NiFi is running securely and will be receiving requests to a different host[:port] than it is bound to. For example, when running in a Docker container or behind a proxy (e.g. localhost:18443, proxyhost:443). By default, this value is blank meaning NiFi should only allow requests sent to the host[:port] that NiFi is bound to.



See https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#web-properties

--
Kind Regards
Dries Van Autreve



Re: HTTPS host header restriction and VM in OpenStack

Posted by Van Autreve Dries <dr...@vlaanderen.be>.
Hello Emmanuel

Might be nifi.web.proxy.host that needs to be configured?

nifi.web.proxy.host
A comma separated list of allowed HTTP Host header values to consider when NiFi is running securely and will be receiving requests to a different host[:port] than it is bound to. For example, when running in a Docker container or behind a proxy (e.g. localhost:18443, proxyhost:443). By default, this value is blank meaning NiFi should only allow requests sent to the host[:port] that NiFi is bound to.


See https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#web-properties

--
Kind Regards
Dries Van Autreve


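The fix discussed in this thread, as an added example that is not part of the original messages and is not NiFi's own code: a simplified Python model of the Host header allowlist, showing the floating IP rejected while nifi.web.proxy.host is blank and accepted once it is listed. The function names, the nifi.web.https.port line and the exact-match handling of proxy entries are assumptions of this model.

```python
# Added example: a simplified model of the Host header allowlist, not NiFi source code.

# Constructed nifi.properties fragments using the thread's example addresses.
BEFORE = """
nifi.web.https.host=0.0.0.0
nifi.web.https.port=8443
nifi.web.proxy.host=
"""
AFTER = BEFORE.replace("nifi.web.proxy.host=", "nifi.web.proxy.host=1.2.3.4:8443")

def parse_properties(text):
    """Parse key=value lines of a .properties fragment, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def allowed_hosts(props, local_addrs):
    """Allowlist = loopback names, local addresses, bound host (each with and
    without the HTTPS port), plus every nifi.web.proxy.host entry."""
    port = props.get("nifi.web.https.port", "")
    names = ["127.0.0.1", "localhost", *local_addrs]
    if props.get("nifi.web.https.host"):
        names.append(props["nifi.web.https.host"])
    allowed = set()
    for name in names:
        allowed.add(name.lower())
        if port:
            allowed.add(f"{name.lower()}:{port}")
    # Assumption of this model: proxy entries are matched exactly as written.
    for entry in props.get("nifi.web.proxy.host", "").split(","):
        if entry.strip():
            allowed.add(entry.strip().lower())
    return allowed

def host_header_ok(header, text, local_addrs):
    """An empty header is accepted, as in the error page quoted in the thread."""
    header = header.strip().lower()
    return header == "" or header in allowed_hosts(parse_properties(text), local_addrs)

if __name__ == "__main__":
    vm = ["192.168.10.10"]  # private address of the VM in the thread
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for hdr in ("192.168.10.10:8443", "1.2.3.4:8443", "other.example:8443"):
            print(label, hdr, host_header_ok(hdr, conf, vm))
```

Listing only the exact host[:port] values that clients really use keeps the check meaningful: any other Host header is still rejected after the change.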