Posted to issues@nifi.apache.org by "mayrom rabinovich (Jira)" <ji...@apache.org> on 2020/07/18 18:19:00 UTC

[jira] [Updated] (NIFI-7659) NIFI dishonoring H-Proxy headers

     [ https://issues.apache.org/jira/browse/NIFI-7659?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

mayrom rabinovich updated NIFI-7659:
------------------------------------
    Environment: tested on fedora linux and windows, setup is nifi with default out of the box config  (was: tested on fedora linux and windows, setup is nifi with default config)

> NIFI dishonoring H-Proxy headers
> --------------------------------
>
>                 Key: NIFI-7659
>                 URL: https://issues.apache.org/jira/browse/NIFI-7659
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 1.11.3
>         Environment: tested on fedora linux and windows, setup is nifi with default out of the box config
>            Reporter: mayrom rabinovich
>            Priority: Minor
>
> I found out that if you request the page /nifi (without a slash at the end) NIFI redirects without checking the H-Proxy headers.
>  
> Here is an example:
> {code:java}
> $ curl -v http://localhost:8080/nifi -H "X-ProxyScheme: https" -H "X-ProxyHost: my.test.com" -H "X-ProxyPort: 9999"
> * Trying 127.0.0.1:8080...
> * TCP_NODELAY set
> * Connected to localhost (127.0.0.1) port 8080 (#0)
> > GET /nifi HTTP/1.1
> > Host: localhost:8080
> > User-Agent: curl/7.68.0
> > Accept: */*
> > X-ProxyScheme: https
> > X-ProxyHost: my.test.com
> > X-ProxyPort: 9999
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 302 Found
> < Date: Sat, 18 Jul 2020 14:40:08 GMT
> < Location: http://localhost:8080/nifi/
> < Content-Length: 0
> < Server: Jetty(9.4.26.v20200117)
> {code}
>  
> As you can see, I sent a request to [http://localhost:8080/nifi] with the proxy headers to fake a request coming from a proxy, but the server ignored the headers and sent that the location of the resource is [http://localhost:8080/nifi/] (instead of [https://my.test.com:9999/nifi/]) as specified by the X-Proxy headers.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
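
A regression check for the behaviour reported above, added here as an example; it is not part of the original message and not NiFi code. It parses curl -v output and compares the origin of the Location header with the origin described by the X-ProxyScheme, X-ProxyHost and X-ProxyPort request headers. The function names are hypothetical, the transcript is constructed from the one in the report, and the request is assumed to carry X-ProxyScheme and X-ProxyHost.

```python
from urllib.parse import urlsplit

# Constructed sample: request and response lines of the curl -v output in the report.
TRANSCRIPT = """\
> GET /nifi HTTP/1.1
> Host: localhost:8080
> X-ProxyScheme: https
> X-ProxyHost: my.test.com
> X-ProxyPort: 9999
>
< HTTP/1.1 302 Found
< Location: http://localhost:8080/nifi/
< Content-Length: 0
"""
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_curl_verbose(text):
    """Return (request headers, response headers, status) from curl -v output."""
    req, resp, status = {}, {}, None
    for line in text.splitlines():
        marker, _, rest = line.strip().partition(" ")
        if marker not in (">", "<"):
            continue  # '*' lines are curl's own diagnostics
        name, sep, value = rest.partition(":")
        if marker == "<" and rest.startswith("HTTP/"):
            status = int(rest.split()[1])
        elif sep and " " not in name:  # skips the request line and blank markers
            (req if marker == ">" else resp)[name.lower()] = value.strip()
    return req, resp, status

def check_redirect(text):
    """Compare the redirect's origin with the origin the X-Proxy* headers describe.

    Assumes X-ProxyScheme and X-ProxyHost were sent (as in the report).
    Returns (ok, expected, actual); origins are (scheme, host, port) tuples.
    """
    req, resp, status = parse_curl_verbose(text)
    if status not in (301, 302, 303, 307, 308) or "location" not in resp:
        raise ValueError("no redirect in transcript")
    loc = urlsplit(resp["location"])
    if not loc.netloc:
        return True, None, None  # relative Location resolves against the proxy URL
    scheme = req["x-proxyscheme"].lower()
    port = int(req.get("x-proxyport") or DEFAULT_PORTS[scheme])
    expected = (scheme, req["x-proxyhost"].lower(), port)
    actual = (loc.scheme, loc.hostname, loc.port or DEFAULT_PORTS[loc.scheme])
    return expected == actual, expected, actual
```

Running check_redirect on the output of the curl command from the report flags the mismatch; a relative Location is treated as passing because the client resolves it against the proxy's own URL.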