Posted to commits@nifi.apache.org by ex...@apache.org on 2021/02/10 20:47:13 UTC

[nifi] branch main updated: NIFI-8221 - Set the default HTTP listening interface to 127.0.0.1.

This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 8057f8f  NIFI-8221 - Set the default HTTP listening interface to 127.0.0.1.
8057f8f is described below

commit 8057f8f6c50928fbba1992743d0b2dfee49503c2
Author: Nathan Gough <th...@gmail.com>
AuthorDate: Wed Feb 10 14:44:25 2021 -0500

    NIFI-8221 - Set the default HTTP listening interface to 127.0.0.1.
    
    This closes #4817
    
    Signed-off-by: David Handermann <ex...@apache.org>
---
 nifi-docs/src/main/asciidoc/administration-guide.adoc            | 4 +++-
 .../nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml  | 2 +-
 .../nifi-resources/src/main/resources/conf/nifi.properties       | 9 +++++++++
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc
index c7cc104..5751c57 100644
--- a/nifi-docs/src/main/asciidoc/administration-guide.adoc
+++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc
@@ -72,6 +72,8 @@ When NiFi first starts up, the following files and directories are created:
 * `logs` directory
 * Within the `conf` directory, the _flow.xml.gz_ file is created
 
+NOTE: For security purposes, when no security configuration is provided NiFi will now bind to 127.0.0.1 by default and the UI will only be accessible through this loopback interface. HTTPS properties should be configured to access NiFi from other interfaces. See the <<security_configuration,Security Configuration>> for guidance on how to do this.
+
 See the <<system_properties>> section of this guide for more information about configuring NiFi repositories and configuration files.
 
 == Port Configuration
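
Review bot: The added NOTE says NiFi "will now bind to 127.0.0.1", which is release-relative wording in a standing guide, and it never names the property that controls the behaviour. Suggest dropping "now" and naming `nifi.web.http.host` explicitly, so a reader who finds the UI unreachable from another host knows which setting to inspect. The last sentence also reads better as "See the <<security_configuration,Security Configuration>> section for guidance".
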
@@ -3385,7 +3387,7 @@ These properties pertain to the web-based User Interface.
 
 |====
 |*Property*|*Description*
-|`nifi.web.http.host`|The HTTP host. It is blank by default.
+|`nifi.web.http.host`|The HTTP host. The default value is `127.0.0.1`.
 |`nifi.web.http.port`|The HTTP port. The default value is `8080`.
 |`nifi.web.http.port.forwarding`|The port which forwards incoming HTTP requests to `nifi.web.http.host`. This property is designed to be used with 'port forwarding', when NiFi has to be started by a non-root user for better security, yet it needs to be accessed via low port to go through a firewall. For example, to expose NiFi via HTTP protocol on port 80, but actually listening on port 8080, you need to configure OS level port forwarding such as `iptables` (Linux/Unix) or `pfctl` (macOS [...]
 |`nifi.web.http.network.interface`*|The name of the network interface to which NiFi should bind for HTTP requests. It is blank by default. +
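
Review bot: The updated `nifi.web.http.host` row gives the new default but not the reason for it or the consequence of changing it. One more sentence in the description would help: that the loopback value keeps the unsecured HTTP UI off other interfaces, and that HTTPS should be configured before the host is set to anything else. The neighbouring `nifi.web.http.port.forwarding` and `nifi.web.http.network.interface` rows still describe exposing HTTP and a blank interface default with no reference to the loopback default, so a cross-reference from those rows to the NOTE added near the top of the guide would keep the table consistent.
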
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
index 6b6faec..e3cb24f 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/pom.xml
@@ -126,7 +126,7 @@
         <nifi.components.status.snapshot.frequency>1 min</nifi.components.status.snapshot.frequency>
 
         <!-- nifi.properties: web properties -->
-        <nifi.web.http.host />
+        <nifi.web.http.host>127.0.0.1</nifi.web.http.host>
         <nifi.web.http.port>8080</nifi.web.http.port>
         <nifi.web.http.network.interface.default />
         <nifi.web.https.host />
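
Review bot: Changing `<nifi.web.http.host />` to `127.0.0.1` alters the generated default for every build that filters this property, yet the diffstat shows only documentation and resource files touched. Please confirm that no packaging, start-up script or integration test relies on the previously empty value to reach the HTTP port from another host, and consider adding a migration note for operators who upgrade and regenerate `nifi.properties`. The value is also an IPv4 literal, so the documentation should state that the default covers the IPv4 loopback address only.
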
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
index a84bff9..edf0d74 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-resources/src/main/resources/conf/nifi.properties
@@ -134,9 +134,18 @@ nifi.remote.input.http.transaction.ttl=30 sec
 nifi.remote.contents.cache.expiration=30 secs
 
 # web properties #
+#############################################
+
+# For security, NiFi will present the UI on 127.0.0.1 and only be accessible through this loopback interface.
+# Be aware that changing these properties may affect how your instance can be accessed without any restriction.
+# We recommend configuring HTTPS instead. The administrators guide provides instructions on how to do this.
+
 nifi.web.http.host=${nifi.web.http.host}
 nifi.web.http.port=${nifi.web.http.port}
 nifi.web.http.network.interface.default=${nifi.web.http.network.interface.default}
+
+#############################################
+
 nifi.web.https.host=${nifi.web.https.host}
 nifi.web.https.port=${nifi.web.https.port}
 nifi.web.https.network.interface.default=${nifi.web.https.network.interface.default}
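
Review bot: The second added comment line, "changing these properties may affect how your instance can be accessed without any restriction", is ambiguous about what the risk actually is. Suggest wording such as "Changing these properties may make this instance reachable from other hosts without any access restriction", and referring to the guide by its title, "Administration Guide", rather than "administrators guide". As a style point, the two `#############################################` banner lines do not match the existing `# web properties #` header convention visible in this file and could be dropped in favour of the comment block alone.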