[
https://issues.apache.org/jira/browse/NIFI-15013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Peter Turcsanyi resolved NIFI-15013.
------------------------------------
Resolution: Won't Do
> Embedded UI pages may fail to open when NiFi runs behind a reverse proxy
> ------------------------------------------------------------------------
>
> Key: NIFI-15013
> URL: https://issues.apache.org/jira/browse/NIFI-15013
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Peter Turcsanyi
> Priority: Major
>
> When a reverse proxy sits between the browser and the NiFi backend, it may
> change the incoming requests and add some extra technical parameters. E.g.
> Apache Knox adds "doAs=username" which is used for passing the authenticated
> user to the backend services.
> NiFi does not use the "doAs" parameter effectively because it relies on the
> X-ProxiedEntitiesChain header instead (also set by the proxy). In most cases,
> "doAs" does not cause any issues in NiFi and it just omits the extra
> parameter but the embedded UI pages (like the Advanced property pages and the
> Content Viewer) cannot handle it properly.
> Switching from the core UI to an embedded UI page involves two steps:
> # The client sends an HTTP request with query parameters indicating the
> component id, etc. The backend converts the query string to a URL fragment
> and sends back a redirection with this modified URL.
> # The client uses the fragment internally and sends a second request
> (according to the redirection), this time without parameters. The backend
> responds with the HTML content of the page.
> Both requests go through
> [QueryStringToFragmentFilter|https://github.com/apache/nifi/blob/main/nifi-commons/nifi-web-servlet-shared/src/main/java/org/apache/nifi/web/servlet/filter/QueryStringToFragmentFilter.java]
> which decides if it is the first or the second step and sends the
> redirection with the fragment in case of step #1. The decision is simply made
> based on the presence of a query string and this leads to the issue with Knox
> (and potentially with other proxies too) because "doAs" is always present and
> it triggers redirection infinitely.
> A trivial solution would be to filter for "doAs" in
> QueryStringToFragmentFilter and do not redirect if this is the only parameter
> but it would be Knox specific and definitely not ideal.
> Another option would be to add an extra parameter by the NiFi client that
> explicitly distinguishes whether the request is the first step or the second.
> So QueryStringToFragmentFilter could use it when making the decision to
> redirect or not.
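The redirect loop described in the issue, and the marker-parameter option, as a stand-alone model. This is an added example, not code from NiFi or from QueryStringToFragmentFilter; the marker name `toFragment=true`, the path, the component id, the user name and the redirect cap are all assumptions made for the illustration.

```java
import java.util.Arrays;
import java.util.Optional;
import java.util.function.BiFunction;

public class RedirectLoopModel {
    static final String MARKER = "toFragment=true"; // hypothetical marker name, not from NiFi
    static final int MAX_REDIRECTS = 20;            // cap chosen for this model

    /** Rule described in the issue: any query string is treated as step 1. */
    static Optional<String> anyQueryRule(String path, String query) {
        return query.isEmpty() ? Optional.empty() : Optional.of(path + "#" + query);
    }

    /** Second option from the issue: redirect only when the client marks step 1. */
    static Optional<String> markerRule(String path, String query) {
        boolean marked = Arrays.asList(query.split("&")).contains(MARKER);
        return marked ? Optional.of(path + "#" + query) : Optional.empty();
    }

    /** Proxy model: appends doAs to every forwarded request, as described for Knox. */
    static String viaProxy(String query, String user) {
        return query.isEmpty() ? "doAs=" + user : query + "&doAs=" + user;
    }

    /** Returns the redirects followed before the page is served, or -1 if the cap is hit. */
    static int openPage(BiFunction<String, String, Optional<String>> rule,
                        String path, String query) {
        for (int redirects = 0; redirects <= MAX_REDIRECTS; redirects++) {
            Optional<String> location = rule.apply(path, viaProxy(query, "alice"));
            if (location.isEmpty()) {
                return redirects;   // backend answered with the HTML page
            }
            query = "";             // fragment stays in the browser; step 2 carries no query
        }
        return -1;                  // redirect loop
    }

    public static void main(String[] args) {
        String path = "/example-embedded-ui/";   // constructed path
        System.out.println("any-query rule: "
                + openPage(RedirectLoopModel::anyQueryRule, path, "id=1234"));
        System.out.println("marker rule:    "
                + openPage(RedirectLoopModel::markerRule, path, "id=1234&" + MARKER));
    }
}
```

With the any-query rule the proxied request never arrives without a query string, so the model hits its cap; with the marker rule the page is served after a single redirect even though "doAs" is still present on the second request.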