[ 
https://issues.apache.org/jira/browse/NIFI-14858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013930#comment-18013930
 ] 

Lars Francke commented on NIFI-14858:
-------------------------------------

So far we've had a different patch that allowed us to configure the 
HostHeaderHandler which you removed in 
https://issues.apache.org/jira/browse/NIFI-14209. Now, during restructuring and 
upgrading to 2.4.0 we decided it's worthwhile submitting our patch upstream 
(that was my PR).

In other words: We were already running against this in previous versions and 
patching it away for our users. We'll continue doing so and I believe others 
would benefit from it as well.
{quote}The random DNS name is understandable as a default value for the load 
balancer, but in most cases, I would expect a stable DNS alias to be created, 
pointing to the random address. Knowing that stable DNS alias would allow for the 
NiFi cluster to be configured with the required proxy host property, and 
appropriate certificate DNS SANs.
{quote}
Yes. Some LBs have stable domain names but especially during development we see 
people bringing up NiFi with "dynamic" LBs. That, to me, is a valid scenario.
{quote}Either way, NiFi needs to know the publicly reachable address. 
{quote}
We've been running for a long time without this (with our patch) and it's 
working fine.

> Make SNI checking configurable
> ------------------------------
>
>                 Key: NIFI-14858
>                 URL: https://issues.apache.org/jira/browse/NIFI-14858
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 2.5.0
>            Reporter: Lars Francke
>            Assignee: Lars Francke
>            Priority: Minor
>         Attachments: image-2025-08-14-15-50-33-711.png, 
> image-2025-08-14-15-57-45-590.png
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> As of NiFi 2.0 SNI certificates are required and the host must match.
> This is a problem for us (and others) when there is for example a load 
> balancer in front which does not match the host name of NiFi.
> Instead of disabling the SNI check by default this makes it configurable.
>  
> I propose introducing two new configuration properties:
>  * nifi.web.https.sni.required (whether an SNI certificate is required)
>  * nifi.web.https.sni.host.check (whether to check the Host from the SNI 
> certificate against the incoming request)

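Added example (not code from the issue, the comment, NiFi or Jetty): a small model of the two checks the proposed nifi.web.https.sni.required and nifi.web.https.sni.host.check properties would toggle, run over the load-balancer scenario the issue describes. It assumes the common behaviour of a servlet container's TLS request customizer (Jetty's SecureRequestCustomizer in NiFi's case): "required" rejects a ClientHello without an SNI extension, and "host check" rejects a request whose Host header is not covered by the certificate names. The hostnames and SAN list are constructed for illustration; the real Jetty code has more cases (for example an SNI value that matches no configured certificate) that this model leaves out.

```python
"""Model of the two SNI checks behind the proposed NiFi properties.

Constructed example: it is NOT NiFi or Jetty code, only an illustration of
what nifi.web.https.sni.required and nifi.web.https.sni.host.check would
switch on and off, as assumed in the lead-in.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SniPolicy:
    # Defaults mirror the issue text: SNI required and host must match.
    sni_required: bool = True     # proposed nifi.web.https.sni.required
    sni_host_check: bool = True   # proposed nifi.web.https.sni.host.check


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS match: exact, or a single leftmost '*' label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        # The wildcard covers exactly one label and never the bare parent.
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def cert_matches(cert_san_dns: List[str], host: str) -> bool:
    """True if any dNSName SAN of the server certificate covers `host`."""
    return any(_name_matches(name, host) for name in cert_san_dns)


def check_request(policy: SniPolicy, client_sni: Optional[str],
                  host_header: str, cert_san_dns: List[str]) -> Optional[str]:
    """Return None if the request passes, otherwise the rejection reason."""
    if policy.sni_required and not client_sni:
        return "rejected: no SNI in ClientHello but SNI is required"
    if policy.sni_host_check and not cert_matches(cert_san_dns, host_header):
        return (f"rejected: Host '{host_header}' is not covered by "
                f"certificate names {cert_san_dns}")
    return None


# Constructed sample data: the NiFi node's certificate only names itself,
# while the load balancer in front of it has its own (dynamic) DNS name.
NODE = "nifi-1.internal.example.com"
LB = "a1b2c3d4.lb.example.com"
CERT_SANS = [NODE]


def run_scenarios():
    """Evaluate the scenarios from the issue; returns {label: result}."""
    strict = SniPolicy()
    no_host_check = SniPolicy(sni_host_check=False)
    sni_optional = SniPolicy(sni_required=False)
    return {
        # Client talks to the node directly: everything lines up.
        "direct": check_request(strict, NODE, NODE, CERT_SANS),
        # TLS-passthrough LB: client sends the LB name as SNI and Host.
        "via_lb_strict": check_request(strict, LB, LB, CERT_SANS),
        # Same LB path with the proposed host check switched off.
        "via_lb_no_host_check": check_request(no_host_check, LB, LB, CERT_SANS),
        # Legacy client that sends no SNI extension at all.
        "no_sni_strict": check_request(strict, None, NODE, CERT_SANS),
        # Same client once SNI is no longer required.
        "no_sni_optional": check_request(sni_optional, None, NODE, CERT_SANS),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:22s} -> {result or 'accepted'}")
```

The table makes the trade-off explicit: with both proposed properties at their strict defaults the LB path is rejected on the Host check, and the fix on the NiFi side is either a stable alias in the certificate SANs and proxy host property, or turning the check off, which is what the issue asks to make possible.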


--
This message was sent by Atlassian Jira
(v8.20.10#820010)