[ https://issues.apache.org/jira/browse/NIFI-14858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013962#comment-18013962 ]

David Handermann commented on NIFI-14858:
-----------------------------------------

Thanks for clarifying that previous approaches required patching the 
HostHeaderHandler, that is understandable, thus leading to the current proposal 
for removing SNI checking.

With that background, the HostHeaderHandler and the enforced 
nifi.web.proxy.host property provide a long-standing security measure that 
enforces aligning of the Host header with the NiFi certificate configuration. 
What is really contemplated then is removal of enforcing this requirement for 
proxy-based access.

There is a natural tension between security and less-than-production deployment 
strategies. In the case of HTTPS, partial security is more dangerous because it 
makes the security guarantees unclear.

In light of the long-standing enforcement of this configuration property, I 
don't think introducing this property has sufficient warrant, just for certain 
development infrastructure scenarios. Having a Layer 4 proxy is a specific 
infrastructure decision, and there are other options such as a Layer 7 proxy, 
or an intermediate Kubernetes Ingress that could handle the Host header 
translation.

> Make SNI checking configurable
> ------------------------------
>
>                 Key: NIFI-14858
>                 URL: https://issues.apache.org/jira/browse/NIFI-14858
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 2.5.0
>            Reporter: Lars Francke
>            Assignee: Lars Francke
>            Priority: Minor
>         Attachments: image-2025-08-14-15-50-33-711.png, 
> image-2025-08-14-15-57-45-590.png
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> As of NiFi 2.0 SNI certificates are required and the host must match.
> This is a problem for us (and others) when there is for example a load 
> balancer in front which does not match the host name of NiFi.
> Instead of disabling the SNI check by default this makes it configurable.
>  
> I propose introducing two new configuration properties:
>  * nifi.web.https.sni.required (whether a SNI certificate is required)
>  * nifi.web.https.sni.host.check (whether to check the Host from the SNI 
> certificate against the incoming request)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
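
The Host header alignment discussed in the comment above, as an added Python sketch (not NiFi's HostHeaderHandler code and not from this thread). It assumes the allowed hosts are the certificate's DNS SANs plus the entries of a proxy host list, and it ignores ports; all host names are constructed.

```python
from ipaddress import ip_address

def normalize_host(value):
    """Lower-case a Host header value and drop the port; None if malformed."""
    value = value.strip().lower()
    if value.startswith("["):                  # bracketed IPv6 literal, e.g. [::1]:8443
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        try:
            ip_address(host)
        except ValueError:
            return None
        return host
    host, sep, port = value.partition(":")
    if sep and not port.isdigit():             # rejects "a:b:c" and "a:"
        return None
    return host.rstrip(".") or None            # empty host is malformed

def san_matches(host, san):
    """Exact match, or a wildcard SAN covering exactly one left-most label."""
    san = san.lower()
    if san.startswith("*."):
        first, dot, rest = host.partition(".")
        return bool(first) and dot == "." and rest == san[2:]
    return host == san

def host_allowed(host_header, cert_sans, proxy_hosts=()):
    """Accept a request only if its Host names the certificate or a listed proxy."""
    host = normalize_host(host_header)
    if host is None:
        return False
    if any(san_matches(host, s) for s in cert_sans):
        return True
    return host in {normalize_host(p) for p in proxy_hosts}

# Constructed sample values (assumptions, not taken from the issue).
CERT_SANS = ["nifi-0.nifi.internal.example"]
LB_HOST = "lb.example.com"

if __name__ == "__main__":
    # Layer 4 proxy: the client's Host header arrives unchanged.
    print("L4, proxy host not listed:", host_allowed(LB_HOST, CERT_SANS))
    print("L4, proxy host listed:    ", host_allowed(LB_HOST, CERT_SANS, [LB_HOST + ":443"]))
    # Layer 7 proxy: Host rewritten to the name on the certificate.
    print("L7, Host rewritten:       ", host_allowed(CERT_SANS[0] + ":8443", CERT_SANS))
```

The Layer 4 case only passes once the load balancer name is listed explicitly, while the Layer 7 case passes because the proxy presents the name the certificate already covers.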
