You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@nifi.apache.org by 李磊 <le...@ruisdata.com> on 2018/03/19 03:37:34 UTC

whitelisting problems with host property

Hi all,

I now use the NIFI-1.5.0 and I want to build a NIFI cluster and make a haproxy + keepalived ahead.

It makes me confused that when I set the property “nifi.web.http.host” with an ip, I can visit NIFI UI both ip or hostname, but when I set the property with a hostname, I can only visit with the hostname, and response me an error when I use the ip “System Error The request contained an invalid host header [***.***.***.***:8079] in the request [/nifi/]. Check for request manipulation or third-party intercept.”.

Besides I find some description “https://issues.apache.org/jira/browse/NIFI-4761”.

Could you tell me why the difference between ip and hostname and the correct setup . Thanks!

Re: whitelisting problems with host property

Posted by Andy LoPresto <al...@apache.org>.

In 1.5.0, stricter controls were put in place to prevent a host header poisoning attack. This caused some usability issues as you have seen, so in 1.6.0 (soon to be released), we have made some changes to make this easier to control. There is a new property (nifi.web.proxy.host) in nifi.properties which accepts a comma-separated list of valid host names/IPs, so you can provide the IP address there to access the application using either hostname or IP. The reason you can only access it via hostname right now is because that is likely the value of nifi.web.http(s).host or it is determined by Java to be the local host name, so it is automatically added to the list of valid headers to compare incoming requests against.

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Mar 18, 2018, at 8:37 PM, 李 磊 <le...@ruisdata.com> wrote:
> 
> Hi all,
> 
> I now use the NIFI-1.5.0 and I want to build a NIFI cluster and make a haproxy + keepalived ahead.
> 
> It makes me confused that when I set the property “nifi.web.http.host” with an ip, I can visit NIFI UI both ip or hostname, but when I set the property with a hostname, I can only visit with the hostname, and response me an error when I use the ip “System Error The request contained an invalid host header [***.***.***.***:8079] in the request [/nifi/]. Check for request manipulation or third-party intercept.”.
> 
> Besides I find some description “https://issues.apache.org/jira/browse/NIFI-4761 <https://issues.apache.org/jira/browse/NIFI-4761>”.
> 
> Could you tell me why the difference between ip and hostname and the correct setup . Thanks!