Posted to issues@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2016/10/29 03:02:58 UTC

[jira] [Commented] (NIFI-2437) Enforce HSTS to require HTTPS connections if available

    [ https://issues.apache.org/jira/browse/NIFI-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15617285#comment-15617285 ] 

Andy LoPresto commented on NIFI-2437:
-------------------------------------

I was able to add HSTS by default (if HTTPS is configured) pretty easily by using a [custom {{SecureRequestCustomizer}}|https://github.com/eclipse/jetty.project/commit/19d6e36ab961b9b8db97c66ebde973f36e37f959] in {{JettyServer.java}}. An issue I encountered is that HSTS will not perform the expected redirect of {{http://host:port/nifi}} to {{https://host:port/nifi}} if client certificate authorization is the only configured authentication mechanism. I believe this is because the browser does not attempt to negotiate a TLS handshake for an {{http}} address, therefore the client certificate is not provided, and NiFi is not listening for an HTTP connection. In Firefox, for example, {{http://localhost:9443/nifi}} (when {{https://localhost:9443/nifi}} has already been visited successfully and provided the HSTS header in the response) attempts to connect to {{http://www.localhost.com}}, and Chrome simply returns {{net::ERR_EMPTY_RESPONSE}}. 

However, HSTS does have the desired effect when running on a valid FQDN (i.e. hosted on an addressed server or using a modified {{/etc/hosts}} file). After modifying my hosts file to alias {{nifi.nifi.apache.org}} to {{127.0.0.1}} and {{localhost}}, Chrome was able to resolve {{http://nifi.nifi.apache.org:9443/nifi/}} to {{https://nifi.nifi.apache.org:9443/nifi/}} by handling the {{307 Internal Redirect}} response code from the server, but Firefox and Safari continued to fail (no response received). 

[Further research|http://serverfault.com/a/575126/109744] indicates Jetty may require [custom configuration|https://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Redirecting_http_requests_to_https] to manually respond to any HTTP connection with a {{403}} response code and automatically redirect any {{403}} to the same page over HTTPS. The documentation only describes doing this through {{web.xml}}, so I will continue to investigate if this can be done through programmatic configuration. 

> Enforce HSTS to require HTTPS connections if available
> ------------------------------------------------------
>
>                 Key: NIFI-2437
>                 URL: https://issues.apache.org/jira/browse/NIFI-2437
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Core Framework
>    Affects Versions: 1.0.0
>            Reporter: Andy LoPresto
>              Labels: security
>
> HTTP Strict Transport Security (HSTS) [1] [2] is a feature of HTTP which instructs browsers/clients to only communicate with a resource over HTTPS. It is implemented via a header sent in the response, and future connections will require HTTPS. 
> [1] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> [2] https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
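As an added illustration (not code from this ticket, from NiFi or from Jetty), the programmatic Jetty equivalent of the two pieces discussed in the comment: a SecureRequestCustomizer that emits the HSTS header on TLS responses, plus a plain HTTP listener that answers with a redirect instead of leaving the browser with no response. It assumes Jetty 9.3 or later (where SecureRequestCustomizer gained setStsMaxAge/setStsIncludeSubDomains) and a separate port for the HTTP listener, since one ServerConnector cannot serve both schemes; the class and handler names are mine.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HstsJettyExample {
    // Builds a server that sends HSTS over TLS and answers plain HTTP with a redirect.
    public static Server build(int httpsPort, int httpPort, SslContextFactory ssl, Handler app) {
        Server server = new Server();
        // HTTPS connector. The customizer adds Strict-Transport-Security only to responses
        // that actually travelled over TLS; its max-age defaults to -1, i.e. header disabled.
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(httpsPort);
        SecureRequestCustomizer hsts = new SecureRequestCustomizer();
        hsts.setStsMaxAge(31536000L);       // one year, in seconds
        hsts.setStsIncludeSubDomains(true);
        httpsConfig.addCustomizer(hsts);
        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(httpsPort);
        // Plain HTTP connector whose only job is to bounce clients to HTTPS. Without a
        // listener here a first-time visitor to http://host:port/nifi gets no response.
        ServerConnector http = new ServerConnector(server, new HttpConnectionFactory(new HttpConfiguration()));
        http.setPort(httpPort);
        server.setConnectors(new Connector[] { https, http });
        server.setHandler(new HandlerList(new RedirectToHttpsHandler(httpsPort), app));
        return server;
    }
    // Sends a 301 to the same path on the HTTPS port for any request not received over TLS.
    static class RedirectToHttpsHandler extends AbstractHandler {
        private final int httpsPort;
        RedirectToHttpsHandler(int httpsPort) { this.httpsPort = httpsPort; }
        @Override
        public void handle(String target, Request baseRequest, HttpServletRequest request,
                           HttpServletResponse response) throws IOException {
            if (baseRequest.isSecure()) return;   // already HTTPS: fall through to the app handler
            String query = request.getQueryString() == null ? "" : "?" + request.getQueryString();
            response.setHeader("Location",
                    "https://" + request.getServerName() + ":" + httpsPort + request.getRequestURI() + query);
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            baseRequest.setHandled(true);
        }
    }
}
```

The redirect handler is a programmatic stand-in for the web.xml 403-and-redirect approach in the linked Jetty documentation; a browser that has already cached the HSTS policy rewrites the URL to https before connecting and never reaches the HTTP listener at all.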



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)