[
https://issues.apache.org/jira/browse/NIFI-14858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013738#comment-18013738
]
David Handermann commented on NIFI-14858:
-----------------------------------------
Thanks for the reply and additional background.

Regarding load balancers presenting different host names, that should be
solvable by including the appropriate DNS SAN on the NiFi certificate as
mentioned. It also requires configuring the nifi.web.proxy.host property in
most cases. With the appropriate certificate properties and load balancer
configuration, this should not be a problem.

Regarding Prometheus clients, that should also be configurable to use Pod DNS
names, although I have seen occasional questions raised about IP access.

I agree that there is some appropriate weighting of various security measures.
The project has received various requests in the past on the client side to
disable certificate verification for outbound requests, and we have taken a
stance of not providing those options to keep the surface area limited for
potential security issues. This issue is somewhat different, but falls into a
similar category of declaring support for less secure configuration options.

I can appreciate not adding documentation, but when it comes to open source
projects, security through relative obscurity is not a viable option. Based on
experience, strong recommendations are never sufficient to guard against poor
security practices.

If you have a specific example for a particular load balancer service and
deployment environment where certificates cannot be configured, that would be
helpful. However, given that the correct configuration is possible with many
load balancers and common certificate distribution strategies, there does not
seem to be a compelling reason to support disabling SNI checking.

> Make SNI checking configurable
> ------------------------------
>
> Key: NIFI-14858
> URL: https://issues.apache.org/jira/browse/NIFI-14858
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 2.5.0
> Reporter: Lars Francke
> Assignee: Lars Francke
> Priority: Minor
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> As of NiFi 2.0 SNI certificates are required and the host must match.
> This is a problem for us (and others) when there is for example a load
> balancer in front which does not match the host name of NiFi.
> Instead of disabling the SNI check by default this makes it configurable.
>
> I propose introducing two new configuration properties:
> * nifi.web.https.sni.required (whether a SNI certificate is required)
> * nifi.web.https.sni.host.check (whether to check the Host from the SNI
> certificate against the incoming request)
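The checks discussed in this thread, as an added example that is not part of the original message and is not NiFi's code: a simplified Python model of the SNI requirement and the Host check, showing why a load balancer host name is rejected until it appears as a DNS SAN on the certificate. The function names, host names and IP address are constructed for illustration, only DNS SANs are modelled, and nifi.web.proxy.host handling is left out.

```python
# Simplified model of an SNI requirement plus Host check (assumption: not NiFi's code).

def san_matches(host, dns_sans):
    """Case-insensitive DNS SAN match; '*' is honoured only as the whole leftmost label."""
    host = host.lower().rstrip(".")
    for san in dns_sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            # A wildcard covers exactly one label: *.example.com does not
            # match a.b.example.com or the bare example.com.
            _, _, parent = host.partition(".")
            if parent and parent == san[2:]:
                return True
    return False


def strip_port(host_header):
    """Return the host part of a Host header value, dropping any port."""
    if host_header.startswith("["):  # bracketed IPv6 literal
        return host_header[1:host_header.index("]")]
    return host_header.rsplit(":", 1)[0] if ":" in host_header else host_header


def check_request(sni, host_header, dns_sans, sni_required=True, sni_host_check=True):
    """Return (accepted, reason). sni is None when the client sent no server_name,
    which is the case for clients that connect to an IP address."""
    if sni_required:
        if not sni:
            return (False, "no SNI host name sent")
        if not san_matches(sni, dns_sans):
            return (False, "SNI name not on certificate")
    if sni_host_check and not san_matches(strip_port(host_header), dns_sans):
        return (False, "Host header not on certificate")
    return (True, "ok")


# Constructed sample data: a pod certificate and a load balancer name.
POD_SANS = ["nifi-0.nifi.svc.cluster.local"]
LB_NAME = "nifi.example.com"

if __name__ == "__main__":
    print(check_request(POD_SANS[0], POD_SANS[0] + ":8443", POD_SANS))  # direct access
    print(check_request(LB_NAME, LB_NAME, POD_SANS))                    # via load balancer
    print(check_request(LB_NAME, LB_NAME, POD_SANS + [LB_NAME]))        # SAN added
    print(check_request(None, "10.0.0.12:8443", POD_SANS))              # scrape by IP
```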