Posted to issues@nifi.apache.org by "Kevin Doran (JIRA)" <ji...@apache.org> on 2018/10/24 21:44:00 UTC

[jira] [Created] (NIFI-5748) Improve handling of X-Forwarded-* headers in URI Rewriting

Kevin Doran created NIFI-5748:
---------------------------------

             Summary: Improve handling of X-Forwarded-* headers in URI Rewriting
                 Key: NIFI-5748
                 URL: https://issues.apache.org/jira/browse/NIFI-5748
             Project: Apache NiFi
          Issue Type: Improvement
            Reporter: Kevin Doran


This ticket is to improve the handling of headers used by popular proxies when rewriting URIs in NiFi. Currently, NiFi checks the following headers when determining how to rewrite URLs it returns to clients:

From [ApplicationResource|https://github.com/apache/nifi/blob/2201f7746fd16874aefbd12d546565f5d105ab04/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ApplicationResource.java#L110]:


{code:java}
public static final String PROXY_SCHEME_HTTP_HEADER = "X-ProxyScheme";
public static final String PROXY_HOST_HTTP_HEADER = "X-ProxyHost";
public static final String PROXY_PORT_HTTP_HEADER = "X-ProxyPort";
public static final String PROXY_CONTEXT_PATH_HTTP_HEADER = "X-ProxyContextPath";

public static final String FORWARDED_PROTO_HTTP_HEADER = "X-Forwarded-Proto";
public static final String FORWARDED_HOST_HTTP_HEADER = "X-Forwarded-Server";
public static final String FORWARDED_PORT_HTTP_HEADER = "X-Forwarded-Port";
public static final String FORWARDED_CONTEXT_HTTP_HEADER = "X-Forwarded-Context";

// ...

final String scheme = getFirstHeaderValue(PROXY_SCHEME_HTTP_HEADER, FORWARDED_PROTO_HTTP_HEADER);
final String host = getFirstHeaderValue(PROXY_HOST_HTTP_HEADER, FORWARDED_HOST_HTTP_HEADER);
final String port = getFirstHeaderValue(PROXY_PORT_HTTP_HEADER, FORWARDED_PORT_HTTP_HEADER);
{code}


Based on this, it looks like if both {{X-Forwarded-Server}} and {{X-Forwarded-Host}} are set, {{-Host}} will contain the hostname the user/client requested, and {{-Server}} will contain the hostname of the proxy server (i.e., what the proxy server is able to determine from inspecting the hostname of the instance it is on). See this for more details:

https://stackoverflow.com/questions/43689625/x-forwarded-host-vs-x-forwarded-server

Here is a demo based on docker containers and a reverse-proxy called Traefik that shows where the current NiFi logic can break:

https://gist.github.com/kevdoran/2892004ccbfbb856115c8a756d9d4538

To use this gist, you can run the following:


{noformat}
wget -qO- https://gist.githubusercontent.com/kevdoran/2892004ccbfbb856115c8a756d9d4538/raw/fb72151900d4d8fdcf4919fe5c8a94805fbb8401/docker-compose.yml | docker-compose -f - up
{noformat}

Once the environment is up, go to http://nifi.docker.localhost/nifi in Chrome and try adding/configuring/moving a processor. This will reproduce the issue.

For this task, the following improvement is recommended:

Change the Header (string literal) for FORWARDED_HOST_HTTP_HEADER from "X-Forwarded-Server" to "X-Forwarded-Host"

Additionally, some proxies use a different header for the context path prefix. Traefik uses {{X-Forwarded-Prefix}}. There does not appear to be a universal standard. In the future, we could make this header configurable, but for now, perhaps we should add {{X-Forwarded-Prefix}} to the headers checked by NiFi so that Traefik is supported out-of-the-box.

*Important:* After making this change, verify that proxying NiFi via Knox still works, i.e., Knox should be sending the X-Forwarded-Host header that matches what the user requested in the browser.

This change applies to NiFi Registry as well.

/cc [~jtstorck]
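
The header resolution described in this ticket, as an added example that is not part of the original issue and is not NiFi's own code. The class name, the simplified `firstHeaderValue` stand-in, and the sample header values (proxy hostname `a1b2c3d4e5f6`, prefix `/gateway`) are constructed for illustration.

```java
import java.util.Map;
import java.util.TreeMap;

public class ForwardedHeaderDemo {
    // Lookup order today, per the ApplicationResource excerpt in the ticket.
    static final String[] HOST_CURRENT = {"X-ProxyHost", "X-Forwarded-Server"};
    static final String[] CONTEXT_CURRENT = {"X-ProxyContextPath", "X-Forwarded-Context"};
    // Lookup order with the two changes the ticket recommends.
    static final String[] HOST_PROPOSED = {"X-ProxyHost", "X-Forwarded-Host"};
    static final String[] CONTEXT_PROPOSED = {"X-ProxyContextPath", "X-Forwarded-Context", "X-Forwarded-Prefix"};

    // Simplified stand-in for getFirstHeaderValue: the first non-blank header wins.
    static String firstHeaderValue(Map<String, String> headers, String... names) {
        for (String name : names) {
            String value = headers.get(name);
            if (value != null && !value.trim().isEmpty()) {
                return value.trim();
            }
        }
        return null;
    }

    // Builds the base URI that rewritten links would start with.
    static String baseUri(Map<String, String> headers, String[] hostNames, String[] contextNames) {
        String scheme = firstHeaderValue(headers, "X-ProxyScheme", "X-Forwarded-Proto");
        String host = firstHeaderValue(headers, hostNames);
        String port = firstHeaderValue(headers, "X-ProxyPort", "X-Forwarded-Port");
        String context = firstHeaderValue(headers, contextNames);
        if (scheme == null || host == null) {
            return null; // no usable proxy headers: nothing to rewrite in this sketch
        }
        return scheme + "://" + host + (port == null ? "" : ":" + port) + (context == null ? "" : context);
    }

    public static void main(String[] args) {
        // Constructed request headers, shaped like what a Traefik-style proxy forwards.
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER); // header names are case-insensitive
        headers.put("X-Forwarded-Proto", "http");
        headers.put("X-Forwarded-Host", "nifi.docker.localhost"); // hostname the browser requested
        headers.put("X-Forwarded-Server", "a1b2c3d4e5f6");        // proxy's own hostname (constructed)
        headers.put("X-Forwarded-Port", "80");
        headers.put("X-Forwarded-Prefix", "/gateway");            // constructed context prefix

        System.out.println("current:  " + baseUri(headers, HOST_CURRENT, CONTEXT_CURRENT));
        System.out.println("proposed: " + baseUri(headers, HOST_PROPOSED, CONTEXT_PROPOSED));
    }
}
```

With the current order the rewritten base points at the proxy's internal hostname and drops the prefix; with the proposed order it matches what the browser requested. Because all of these values come from request headers, the proxy in front of NiFi should overwrite any client-supplied copies before forwarding.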


