You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@knox.apache.org by "Vipin Rathor (JIRA)" <ji...@apache.org> on 2018/09/06 00:19:00 UTC

[jira] [Commented] (KNOX-1434) Visiting Knox Admin UI forces subsequent requests to other services redirect to HTTPS

    [ https://issues.apache.org/jira/browse/KNOX-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16605083#comment-16605083 ] 

Vipin Rathor commented on KNOX-1434:
------------------------------------

FYI, this issue happens only when Knox is using a CA-signed certificate (not the default self-signed) and the said CA is added as a trusted CA for the browsers (applicable to both Firefox / Chrome).

> Visiting Knox Admin UI forces subsequent requests to other services redirect to HTTPS
> -------------------------------------------------------------------------------------
>
>                 Key: KNOX-1434
>                 URL: https://issues.apache.org/jira/browse/KNOX-1434
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: AdminUI
>    Affects Versions: 1.0.0
>         Environment: HDP 3.0
> Knox 1.0.0
>            Reporter: Vipin Rathor
>            Priority: Critical
>             Fix For: 1.2.0
>
>
> *Problem Description:*
> Visiting Knox Admin UI in any browser (Firefox / Chrome) sets the HTTP Strict Transport Security (HSTS) header for the host where Knox is running. Any subsequent request to other service on the same host (e.g. Graphana, Ranger etc.) over HTTP would get redirected to HTTPS due to this header.
> Please note that, this HSTS header is disabled in all Knox topologies by default.
> Ref: [https://knox.apache.org/books/knox-1-1-0/user-guide.html#HTTP+Strict+Transport+Security]
>  
> *Impact:*
> All the non-SSL requests to other services get redirected automatically to HTTPS and would result in SSL errors like: SSL_ERROR_RX_RECORD_TOO_LONG or some other error.
>  
> *Expected Behavior:*
> Unless HSTS is specifically enabled for Knox Admin UI, it should not set HSTS header.
>  
> *Steps to reproduce:*
>  # Configure Knox with default topology as one normally would.
>  # Once Knox is up, visit Knox Admin UI
>  # Now, in the same browser session, visit any non-SSL service running on the same Knox host (like Ranger UI on 6080).
>  # Browser will redirect this HTTP request to HTTPS.
>  # If one can carefully clear the HSTS header in browser, then redirection will stop until the next time one visits Knox Admin UI again.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)