You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2018/05/03 16:27:00 UTC

[jira] [Commented] (NIFI-5146) Ability to configure HTTP and HTTPS simultaneously causes HostHeader issues

    [ https://issues.apache.org/jira/browse/NIFI-5146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16462722#comment-16462722 ] 

Andy LoPresto commented on NIFI-5146:
-------------------------------------

I agree with Aldrin that simultaneous support of HTTP and HTTPS interfaces does not make sense. This was a legacy design decision for an edge case which is no longer supported. All current documentation indicates one or the other should be selected. 

I will implement a check during Jetty startup which ensures that only one mode is configured and prevents startup with both configured. 

> Ability to configure HTTP and HTTPS simultaneously causes HostHeader issues
> ---------------------------------------------------------------------------
>
>                 Key: NIFI-5146
>                 URL: https://issues.apache.org/jira/browse/NIFI-5146
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Aldrin Piri
>            Assignee: Andy LoPresto
>            Priority: Major
>
> The host header whitelisting evaluation is only done when NiFi is configured in secure mode, determined by the setting of an HTTPS port.  (see https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java#L161 and [https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java#L190).]
> However, in the case where both are enabled, the HTTP port is not enumerated in possible combinations and explicit inclusions of a given socket that would be HTTP is stripped via [https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java#L143.]
> It is possible that concurrently running HTTP and HTTPS no longer makes sense, in which case we could evaluate the relevant properties and prevent startup for an unintended configuration.  Alternatively, we would need to adjust the custom hostname interpretation to also include consideration for the HTTP port.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)