[ 
https://issues.apache.org/jira/browse/NIFI-14858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013730#comment-18013730
 ] 

Lars Francke commented on NIFI-14858:
-------------------------------------

See also https://issues.apache.org/jira/browse/KAFKA-19556 for reference.

Two use-cases where we encountered issues and needed to disable this:
 * Load balancers which present different host names to the underlying host 
(NiFi in this case)
 * Prometheus (and potentially other tools) which use Pod IPs to connect to 
Pods in Kubernetes and the certificates don't necessarily cover the (changing) 
IPs

I obviously disagree with your decision to close the PR (otherwise I wouldn't 
have opened it :)). Yes, SNI is a security feature, but it's not the only one 
and we need to find a balance between operational "usefulness" and security, 
that balance is subjective. I understand that.

My proposal would be to keep these settings turned on by default which means 
regulatory requirements like the EU Cyber Resilience Act and others which 
require "Secure by default" would still be fulfilled, as would the company 
policies I'm aware of.

I'm open for additional changes if that helps. I intentionally didn't add 
documentation around this to keep it "hidden" but if you prefer I could also 
add a documentation snippet on this and the strong recommendation to keep the 
check enabled.

In addition I know that this was also already raised by others on the NiFi 
Slack and there's at least one blog post about this already. I suspect we won't 
be the last to propose a similar change.

What can I do to convince you?

> Make SNI checking configurable
> ------------------------------
>
>                 Key: NIFI-14858
>                 URL: https://issues.apache.org/jira/browse/NIFI-14858
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 2.5.0
>            Reporter: Lars Francke
>            Assignee: Lars Francke
>            Priority: Minor
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> As of NiFi 2.0 SNI certificates are required and the host must match.
> This is a problem for us (and others) when there is for example a load 
> balancer in front which does not match the host name of NiFi.
> Instead of disabling the SNI check by default this makes it configurable.
>  
> I propose introducing two new configuration properties:
>  * nifi.web.https.sni.required (whether a SNI certificate is required)
>  * nifi.web.https.sni.host.check (whether to check the Host from the SNI 
> certificate against the incoming request)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
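
Added example, not part of the original message and not NiFi or Jetty code: a simplified model of the host name matching behind the SNI host check described in the issue, used to list which client-facing names (a load balancer name, a Pod IP) a certificate's subject alternative names do not cover. The SAN entries and host names are constructed sample values, and names are assumed to be given without a port.

```python
import ipaddress

# Constructed sample data: SAN entries of a hypothetical NiFi server certificate.
CERT_SANS = [
    "DNS:nifi-0.nifi.example.internal",
    "DNS:*.nifi.example.internal",
    "IP:10.0.0.15",
]

# Constructed names that clients would use to reach the node.
CLIENT_NAMES = [
    "nifi-0.nifi.example.internal",  # direct access by node name
    "nifi.example.com",              # name presented by a load balancer
    "10.42.3.17",                    # Pod IP used by a metrics scraper
    "10.0.0.15",                     # IP that is listed in the certificate
]

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    # Case-insensitive comparison; a trailing dot is ignored.
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands for exactly one leftmost label.
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def covers(sans, name):
    """True if any SAN entry matches the name a client would present."""
    for entry in sans:
        kind, _, value = entry.partition(":")
        if _is_ip(name):
            # IP literals only match IP entries, never DNS entries.
            if kind == "IP" and ipaddress.ip_address(value) == ipaddress.ip_address(name):
                return True
        elif kind == "DNS" and _dns_match(value, name):
            return True
    return False

def uncovered(sans, names):
    """Names that would fail a host check against this certificate."""
    return [n for n in names if not covers(sans, n)]

if __name__ == "__main__":
    for name in uncovered(CERT_SANS, CLIENT_NAMES):
        print("not covered by certificate:", name)
```
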