[ https://issues.apache.org/jira/browse/NIFI-13823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17886740#comment-17886740 ]

ASF subversion and git services commented on NIFI-13823:
--------------------------------------------------------

Commit af31d98139d646de9d00db50d8eaa09b3d58c842 in nifi's branch 
refs/heads/main from Matt Gilman
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=af31d98139 ]

NIFI-13823: Using startsWith testing content viewer compatibility to better 
support content types that might have additional parameters. (#9337)

This closes #9337 

> Inconsistency between nifi.web.proxy.host format and TLS 
> SubjectAlternativeNames
> --------------------------------------------------------------------------------
>
>                 Key: NIFI-13823
>                 URL: https://issues.apache.org/jira/browse/NIFI-13823
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Configuration, Documentation & Website
>    Affects Versions: 2.0.0-M4
>            Reporter: chris snow
>            Assignee: David Handermann
>            Priority: Minor
>
> I'm confused with the admin docs for proxy configuration for 2.0.0-M4.  The 
> admin docs state:
> {color:#505f79}_By default, if NiFi is running securely it will only accept 
> HTTP requests with a Host header matching the host[:port] that it is bound 
> to. If NiFi is to accept requests directed to a different host[:port] the 
> expected values need to be configured. This may be required when running 
> behind a proxy or in a containerized environment. This is configured in a 
> comma separated list in nifi.properties using the nifi.web.proxy.host 
> property (e.g. localhost:18443, proxyhost:443). IPv6 addresses are accepted. 
> Please refer to RFC 5952 Sections 4 and 6 for additional details._{color}
> However, the NiFi generated certificate seems to have the 
> subjectAlternativeNames populated with the value of `nifi.web.proxy.host`
>  
> {code:java}
> // nifi-bootstrap/src/main/java/org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandler.java
>     private Collection<String> getSubjectAlternativeNames(final Properties applicationProperties) {
>         ...
>             final String proxyHost = applicationProperties.getProperty(SecurityProperty.WEB_PROXY_HOST.getName());
>             if (!isBlank(proxyHost)) {
>                 subjectAlternativeNames.add(proxyHost);
>             }
>         ...
>     }
> {code}
>  
> From what I can tell from RFC5280, host:port is not a valid 
> subjectAlternativeName.  When I have tried different values for 
> nifi.web.proxy.host only host or ipaddress worked,  host:port and 
> ipaddress:port did not work for me.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
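
The mismatch described in the issue, as an added example that is not part of the original message and not NiFi's own code: it splits a comma-separated `nifi.web.proxy.host` value and drops the port from each entry, so only host names and IP addresses are offered as subjectAlternativeName candidates. The class name, method names and sample value are hypothetical.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added example, not NiFi code: class and method names are hypothetical.
public class ProxyHostSanExample {

    // Strip an optional :port from one host[:port] entry.
    static String hostOnly(final String entry) {
        final String value = entry.trim();
        final String host;
        if (value.startsWith("[")) {
            // Bracketed IPv6 literal: [2001:db8::1] or [2001:db8::1]:443
            final int close = value.indexOf(']');
            if (close < 0) {
                throw new IllegalArgumentException("Unclosed bracket: " + entry);
            }
            host = value.substring(1, close);
        } else if (value.indexOf(':') >= 0 && value.indexOf(':') == value.lastIndexOf(':')) {
            // Exactly one colon: hostname:port or IPv4:port
            host = value.substring(0, value.indexOf(':'));
        } else {
            // No colon (bare host or IPv4) or several colons (unbracketed IPv6 literal)
            host = value;
        }
        if (host.isEmpty()) {
            throw new IllegalArgumentException("No host in entry: " + entry);
        }
        return host;
    }

    // Turn the comma-separated property value into distinct SAN candidates.
    static Set<String> subjectAlternativeNames(final String proxyHostProperty) {
        final Set<String> names = new LinkedHashSet<>();
        if (proxyHostProperty == null) {
            return names;
        }
        for (final String entry : proxyHostProperty.split(",")) {
            if (!entry.isBlank()) {
                names.add(hostOnly(entry));
            }
        }
        return names;
    }

    public static void main(final String[] args) {
        // Constructed sample value in the host[:port] list format the admin guide describes
        final String sample = "localhost:18443, proxyhost:443, 10.0.0.5:8443, [2001:db8::1]:443, proxyhost";
        System.out.println(subjectAlternativeNames(sample));
    }
}
```

Each resulting value still has to be encoded by the certificate builder as the matching general name type, dNSName for host names and iPAddress for IP literals.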
