[ 
https://issues.apache.org/jira/browse/NIFI-14858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013927#comment-18013927
 ] 

David Handermann commented on NIFI-14858:
-----------------------------------------

Thanks for providing the diagram and describing the specific scenario with the 
Layer 4 balancer, that helps clarify the issue more concretely.

The mismatch between the public Host header and the internal NiFi is clear.

In that scenario, however, NiFi already requires the nifi.web.proxy.host 
property to indicate the public address. This was previously enforced through a 
custom HTTP Host header handler, but is now effectively enforced through SNI 
checking. How is that property being set currently?

The random DNS name is understandable as a default value for the load balancer, 
but in most cases, I would expect a stable DNS alias to be created, pointing to 
the random address. Knowing that stable DNS alias would allow for the NiFi 
cluster to be configured with the required proxy host property, and appropriate 
certificate DNS SANs.

Either way, NiFi needs to know the publicly reachable address. If NiFi were to 
support disabling SNI checking, it would be necessary to reintroduce the custom 
HTTP Host header handler to verify the nifi.web.proxy.host property. That would 
still require knowledge of the publicly reachable load balancer address.

> Make SNI checking configurable
> ------------------------------
>
>                 Key: NIFI-14858
>                 URL: https://issues.apache.org/jira/browse/NIFI-14858
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 2.5.0
>            Reporter: Lars Francke
>            Assignee: Lars Francke
>            Priority: Minor
>         Attachments: image-2025-08-14-15-50-33-711.png, image-2025-08-14-15-57-45-590.png
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> As of NiFi 2.0 SNI certificates are required and the host must match.
> This is a problem for us (and others) when there is for example a load 
> balancer in front which does not match the host name of NiFi.
> Instead of disabling the SNI check by default this makes it configurable.
>  
> I propose introducing two new configuration properties:
>  * nifi.web.https.sni.required (whether a SNI certificate is required)
>  * nifi.web.https.sni.host.check (whether to check the Host from the SNI 
> certificate against the incoming request)
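To make the two enforcement paths discussed in this thread concrete, here is an added model (not NiFi's code) of the old Host header check against nifi.web.proxy.host and the current SNI check against the certificate's DNS SANs, with the two switches proposed in the ticket. The comma-separated host[:port] format of nifi.web.proxy.host, the acceptance rule of the Host handler, and all host names are assumptions.

```python
"""Constructed model of NiFi's two enforcement paths as described in NIFI-14858:
the SNI check (current) and the custom HTTP Host header check (previous).
Not NiFi code; property formats and the proposed sni.* switches are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Config:
    cert_sans: frozenset          # DNS SANs of the node certificate, lower-case
    proxy_host: str = ""          # nifi.web.proxy.host, assumed "host[:port],..."
    sni_required: bool = True     # proposed nifi.web.https.sni.required
    sni_host_check: bool = True   # proposed nifi.web.https.sni.host.check

    def allowed_hosts(self) -> set:
        return {h.strip().lower() for h in self.proxy_host.split(",") if h.strip()}


def host_name(value: str) -> str:
    """Strip an optional :port and normalise case (assumption: no IPv6 literals)."""
    return value.split(":", 1)[0].lower()


def check_request(cfg: Config, sni: Optional[str], host_header: str) -> Tuple[bool, str]:
    """Decide one TLS connection plus its first HTTP request; returns (accepted, reason)."""
    # Step 1: SNI checking, the NiFi 2.x behaviour the thread describes.
    if sni is None:
        if cfg.sni_required:
            return False, "rejected: ClientHello carries no SNI"
    elif cfg.sni_host_check and sni.lower() not in cfg.cert_sans:
        return False, f"rejected: SNI {sni!r} matches no certificate DNS SAN"
    if cfg.sni_host_check and sni is not None:
        return True, "accepted: SNI matched a certificate SAN"
    # Step 2: the Host header handler that would have to return if SNI checking is relaxed.
    # Assumption: it accepts the node's own SANs plus the nifi.web.proxy.host entries.
    allowed = cfg.cert_sans | {host_name(h) for h in cfg.allowed_hosts()}
    if host_name(host_header) in allowed:
        return True, f"accepted: Host {host_header!r} is in nifi.web.proxy.host or SANs"
    return False, f"rejected: Host {host_header!r} unknown; nifi.web.proxy.host must name it"


def scenarios() -> dict:
    """Constructed hosts: the L4 balancer's random DNS name versus a stable alias."""
    sans = frozenset({"nifi-0.internal.example", "nifi.example.com"})
    lb = "lb-abc123.cloud.example"   # placeholder for the balancer's random name
    return {
        "random_lb_name": check_request(Config(sans), lb, lb),
        "stable_alias": check_request(Config(sans, "nifi.example.com:443"),
                                      "nifi.example.com", "nifi.example.com:443"),
        "sni_off_no_proxy_host": check_request(Config(sans, sni_host_check=False), lb, lb),
        "sni_off_with_proxy_host": check_request(
            Config(sans, f"{lb}:443", sni_host_check=False), lb, lb),
    }
```

The last two scenarios show the point made above: turning the SNI host check off still leaves the request rejected until nifi.web.proxy.host names the balancer's public address.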



--
This message was sent by Atlassian Jira
(v8.20.10#820010)