Posted to issues@nifi.apache.org by mcgilman <gi...@git.apache.org> on 2018/01/17 20:56:51 UTC
[GitHub] nifi pull request #2410: Updating proxy documentation
GitHub user mcgilman opened a pull request:
https://github.com/apache/nifi/pull/2410
Updating proxy documentation
NIFI-4766:
- Documenting nifi.web.proxy.host property.
- Updating proxy configuration.
NIFI-4618:
- Documenting nifi.web.proxy.context.path property.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/mcgilman/nifi NIFI-4618
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/2410.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2410
----
commit 52307e6a7d09d8870fb4d6132f900966e6983bbc
Author: Matt Gilman <ma...@...>
Date: 2018-01-17T20:55:40Z
NIFI-4766:
- Documenting nifi.web.proxy.host property.
- Updating proxy configuration.
NIFI-4618:
- Documenting nifi.web.proxy.context.path property.
----
---
[GitHub] nifi issue #2410: Updating proxy documentation
Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2410
Thanks Matt. Looks good to me; +1.
---
[GitHub] nifi pull request #2410: Updating proxy documentation
Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2410#discussion_r162530677
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -2645,6 +2645,15 @@ documentation of the proxy for guidance for your deployment environment and use
...
....
+* If NiFi is running securely, configuration must be updated to allow expected Host and context paths HTTP headers.
+
+** By default, NiFi will only accept HTTP requests with a Host header matching the host[:port] that it is bound to. If NiFi is to accept requests directed to a different
+host[:port] the expected values need to be configured. This may be required when running behind a proxy or in a containerized environment. This is configured in a comma
+separated list in _nifi.properties_ using the `nifi.web.proxy.host` property. (e.g. localhost:18443, proxyhost:443)
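Review bot: In the wrapped bullet `+** By default, NiFi will only accept HTTP requests with a Host header ...` the sentence ends before the example, leaving `(e.g. localhost:18443, proxyhost:443)` as a dangling fragment after the period; fold it into the sentence, e.g. `... using the \`nifi.web.proxy.host\` property (e.g. \`localhost:18443, proxyhost:443\`).` The lead bullet's phrase `allow expected Host and context paths HTTP headers` also reads awkwardly; `allow the expected values of the Host and proxy context path HTTP headers` says what the lists are for.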
--- End diff --
I would also add a note here that IPv6 addresses can be tricky, and [RFC 5952 Sections 4](https://tools.ietf.org/html/rfc5952#section-4) and [6](https://tools.ietf.org/html/rfc5952#section-6) are recommended reading
---
[GitHub] nifi pull request #2410: Updating proxy documentation
Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:
https://github.com/apache/nifi/pull/2410
---
[GitHub] nifi issue #2410: Updating proxy documentation
Posted by mcgilman <gi...@git.apache.org>.
Github user mcgilman commented on the issue:
https://github.com/apache/nifi/pull/2410
@alopresto Thanks for the feedback. The PR has been updated accordingly.
---
[GitHub] nifi pull request #2410: Updating proxy documentation
Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2410#discussion_r162530407
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -2645,6 +2645,15 @@ documentation of the proxy for guidance for your deployment environment and use
...
....
+* If NiFi is running securely, configuration must be updated to allow expected Host and context paths HTTP headers.
+
+** By default, NiFi will only accept HTTP requests with a Host header matching the host[:port] that it is bound to. If NiFi is to accept requests directed to a different
+host[:port] the expected values need to be configured. This may be required when running behind a proxy or in a containerized environment. This is configured in a comma
+separated list in _nifi.properties_ using the `nifi.web.proxy.host` property. (e.g. localhost:18443, proxyhost:443)
+
+** By default, NiFi will accept any HTTP requests with a X-ProxyContextPath or X-Forwarded-Context header. However, NiFi can be set up to only allow specific values by configuring a
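Review bot: The new bullet `+** By default, NiFi will accept any HTTP requests with a X-ProxyContextPath or X-Forwarded-Context header.` does not match the `nifi-app.log` output quoted in this thread, where `The provided context path [/nifi] was not whitelisted []` is logged against an empty list, i.e. with the property unset a header value is rejected rather than accepted. Reword the default so that any `X-ProxyContextPath` or `X-Forwarded-Context` value must be listed in `nifi.web.proxy.context.path` to be honoured, and change `a X-ProxyContextPath` to `an X-ProxyContextPath`.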
--- End diff --
I do not believe this understanding (or at least how I am reading it) is correct.
* NiFi always parses these values from the incoming request, regardless of whether it is "secure" or "plaintext".
* NiFi will *not* accept any value from this header unless it is whitelisted.
* In the event an incoming request has an `X-ProxyContextPath` or `X-Forwarded-Context` header value that is not present in the whitelist, the "An unexpected error has occurred" page will be shown, and the following will appear in `nifi-app.log`:
```
2018-01-18 19:21:19,129 ERROR [NiFi Web Server-17] org.apache.nifi.web.util.WebUtils The provided context path [/https://thisisdefinitelynotarealsite.com/malicious.js"] was not whitelisted []
2018-01-18 19:21:26,715 ERROR [NiFi Web Server-77] org.apache.nifi.web.util.WebUtils The provided context path [/https://thisisdefinitelynotarealsite.com/malicious.js"] was not whitelisted []
```
* For *any* value expected to be present in these headers (for example, a modified context path due to a proxy), the value must be defined in `nifi.web.proxy.context.path`
```
2018-01-18 19:24:18,685 ERROR [NiFi Web Server-84] org.apache.nifi.web.util.WebUtils The provided context path [/localhost:8080] was not whitelisted []
2018-01-18 19:24:28,763 ERROR [NiFi Web Server-17] org.apache.nifi.web.util.WebUtils The provided context path [/localhost:8080] was not whitelisted []
2018-01-18 19:24:52,234 ERROR [NiFi Web Server-81] org.apache.nifi.web.util.WebUtils The provided context path [/nifi] was not whitelisted []
```
---
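To make the behaviour discussed in the comment above concrete, here is an added model (not NiFi's own code) of the Host and context path allow-listing as this thread describes it, plus a parser for the `nifi-app.log` rejection lines quoted above. The property values and log lines are constructed samples; trimming whitespace around list items and treating a request with no context path header as acceptable are assumptions of this model.

```python
import re
# Constructed nifi.properties fragment; sample values, not a real deployment.
NIFI_PROPERTIES = """
nifi.web.https.host=nifi.internal
nifi.web.https.port=8443
nifi.web.proxy.host=localhost:18443, proxyhost:443
nifi.web.proxy.context.path=/nifi-proxy
"""
# Constructed nifi-app.log lines in the WebUtils format quoted in this thread.
SAMPLE_LOG = """
2018-01-18 19:24:18,685 ERROR [NiFi Web Server-84] org.apache.nifi.web.util.WebUtils The provided context path [/localhost:8080] was not whitelisted []
2018-01-18 19:24:52,234 ERROR [NiFi Web Server-81] org.apache.nifi.web.util.WebUtils The provided context path [/nifi] was not whitelisted []
"""
def parse_properties(text):
    """Minimal key=value parser; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def split_list(value):
    """Comma-separated list; trimming whitespace around items is an assumption of this model."""
    return [item.strip() for item in value.split(",") if item.strip()]

def host_allowed(props, host_header, secure=True):
    """Host check as documented: active only on a secure instance; the bound host:port
    is always accepted, plus any value listed in nifi.web.proxy.host."""
    if not secure:
        return True
    bound = f"{props['nifi.web.https.host']}:{props['nifi.web.https.port']}"
    return host_header in {bound, *split_list(props.get("nifi.web.proxy.host", ""))}

def context_path_allowed(props, header_value):
    """Context path check as the quoted log lines show it: the header value must be listed
    in nifi.web.proxy.context.path, so an empty list rejects every value (no header: assumed OK)."""
    if header_value is None:
        return True
    return header_value in split_list(props.get("nifi.web.proxy.context.path", ""))

# Matches the WebUtils rejection line so rejected values can be pulled out of nifi-app.log.
REJECT_RE = re.compile(r"ERROR \[(?P<thread>[^\]]+)\] org\.apache\.nifi\.web\.util\.WebUtils "
                       r"The provided context path \[(?P<path>.*?)\] was not whitelisted \[(?P<allowed>[^\]]*)\]")

def rejected_context_paths(log_text):
    """Context path values NiFi rejected, in log order (worth alerting on after a proxy change)."""
    return [m.group("path") for m in map(REJECT_RE.search, log_text.splitlines()) if m]
PROPS = parse_properties(NIFI_PROPERTIES)
```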
[GitHub] nifi pull request #2410: Updating proxy documentation
Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2410#discussion_r162530802
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -3083,6 +3092,12 @@ Providing three total network interfaces, including `nifi.web.https.network.int
|nifi.web.jetty.working.directory|The location of the Jetty working directory. The default value is `./work/jetty`.
|nifi.web.jetty.threads|The number of Jetty threads. The default value is `200`.
|nifi.web.max.header.size|The maximum size allowed for request and response headers. The default value is 16 KB.
+|nifi.web.proxy.host|A comma separated list of allowed HTTP Host header values to consider when NiFi is running securely and will be receiving requests to a different host[:port] than it is bound to.
+For example, when running in a Docker container or behind a proxy (e.g. localhost:18443, proxyhost:443). By default, this value is blank meaning NiFi should only allow requests sent to the
+host[:port] that NiFi is bound to.
+|nifi.web.proxy.context.path|A comma separated list of allowed HTTP X-ProxyContextPath or X-Forwarded-Context header values to consider when NiFi is running securely. By default, this value is
+blank meaning any proxy context path is allowed. Configuring this property would result in rejecting of incoming requests where the value of the X-ProxyContextPath or X-Forwarded-Context
+header is not contained in this listing.
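Review bot: The `nifi.web.proxy.context.path` row says `By default, this value is blank meaning any proxy context path is allowed`, which conflicts with the log lines quoted in this thread, where rejections are logged against an empty list `[]`; describe the blank default as rejecting any `X-ProxyContextPath` or `X-Forwarded-Context` value, consistent with the row's own closing sentence. In the same row, `would result in rejecting of incoming requests` should read `results in rejection of incoming requests`, and the `nifi.web.proxy.host` row would benefit from stating whether the comparison is an exact match on `host[:port]`, so readers know whether to list `proxyhost` or `proxyhost:443`.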
--- End diff --
See notes above about my understanding of this behavior (verified on `master` running with a vanilla configuration).
---
[GitHub] nifi pull request #2410: Updating proxy documentation
Posted by alopresto <gi...@git.apache.org>.
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2410#discussion_r162530506
--- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
@@ -2645,6 +2645,15 @@ documentation of the proxy for guidance for your deployment environment and use
...
....
+* If NiFi is running securely, configuration must be updated to allow expected Host and context paths HTTP headers.
+
+** By default, NiFi will only accept HTTP requests with a Host header matching the host[:port] that it is bound to. If NiFi is to accept requests directed to a different
+host[:port] the expected values need to be configured. This may be required when running behind a proxy or in a containerized environment. This is configured in a comma
+separated list in _nifi.properties_ using the `nifi.web.proxy.host` property. (e.g. localhost:18443, proxyhost:443)
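Review bot: The example values `localhost:18443, proxyhost:443` cover only hostnames; a literal IPv6 address in a Host header is written in bracketed form (e.g. `[::1]:18443`) and the same address can be spelled several ways, so the paragraph should say which text form of an IPv6 listener to put in `nifi.web.proxy.host` (RFC 5952 defines the canonical representation).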
--- End diff --
The part about host headers is accurate -- it is only activated when running securely, and this is the correct property to set.
---