[
https://issues.apache.org/jira/browse/NIFI-14858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013729#comment-18013729
]
David Handermann commented on NIFI-14858:
-----------------------------------------
Thanks for including the comment from the pull request [~larsfrancke].
Can you provide some additional details about the issues related to load
balancers in front of NiFi that motivated this proposed change?
Running NiFi with a load balancer is very common, with TLS enabled, so it is
not clear from the initial issue description what would necessitate disabling
SNI checking. Certificates for NiFi should contain Subject Alternative Names
required for successful TLS negotiation.
> Make SNI checking configurable
> ------------------------------
>
> Key: NIFI-14858
> URL: https://issues.apache.org/jira/browse/NIFI-14858
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 2.5.0
> Reporter: Lars Francke
> Assignee: Lars Francke
> Priority: Minor
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> As of NiFi 2.0 SNI certificates are required and the host must match.
> This is a problem for us (and others) when there is for example a load
> balancer in front which does not match the host name of NiFi.
> Instead of disabling the SNI check by default this makes it configurable.
>
> I propose introducing two new configuration properties:
> * nifi.web.https.sni.required (whether a SNI certificate is required)
> * nifi.web.https.sni.host.check (whether to check the Host from the SNI
> certificate against the incoming request)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
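
Added example, not part of the Jira thread and not NiFi or Jetty code: a simplified model of the two checks the issue names (SNI required, and request Host checked against the certificate), showing why a load-balancer host name fails when it is absent from the certificate's Subject Alternative Names and passes once it is listed. The function names, host names and SAN lists are constructed for illustration; mapping the two boolean parameters to the proposed properties is an assumption.

```python
# Simplified model of the two checks described in the issue (assumed semantics).
# All host names and SAN lists here are constructed sample data.

def san_matches(host, san):
    """RFC 6125-style DNS match: case-insensitive; a wildcard is only valid
    as the entire left-most label and covers exactly one label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        head, sep, tail = host.partition(".")
        return bool(head) and sep == "." and tail == san[2:]
    return host == san


def check_request(sni_name, host_header, cert_sans,
                  sni_required=True, sni_host_check=True):
    """Return (accepted, reason) for one HTTPS request.
    sni_required   ~ nifi.web.https.sni.required   (assumed mapping)
    sni_host_check ~ nifi.web.https.sni.host.check (assumed mapping)"""
    if sni_required and not sni_name:
        return False, "no SNI in ClientHello"
    if sni_host_check:
        # Strip an optional port; this sketch assumes DNS names, not IPv6 literals.
        host = host_header.split(":")[0]
        if not any(san_matches(host, san) for san in cert_sans):
            return False, f"Host {host} not covered by certificate SANs"
    return True, "ok"


# Constructed certificates: one lists only the node name, one also lists the LB name.
NODE_ONLY_SANS = ["nifi-0.internal.example"]
NODE_AND_LB_SANS = ["nifi-0.internal.example", "nifi.lb.example"]

if __name__ == "__main__":
    for label, sans in (("node-only cert", NODE_ONLY_SANS),
                        ("cert with LB SAN", NODE_AND_LB_SANS)):
        print(label, check_request("nifi.lb.example", "nifi.lb.example:8443", sans))
```
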