From 255dcdffbc8fe812c60ac0ea12e0d59c6e694c8a Mon Sep 17 00:00:00 2001
From: Lars Francke
Date: Wed, 13 Aug 2025 23:19:39 +0200
Subject: [PATCH 01/10] Document workaround to disable SNI checks
---
 Cargo.lock | 4 +-
 Cargo.nix | 4 +-
 .../nifi/pages/troubleshooting/index.adoc | 40 +++++++++++++++++--
 3 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index ea63e503..4ba23a92 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2519,9 +2519,9 @@ dependencies = [
 [[package]]
 name = "slab"
-version = "0.4.10"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04dc19736151f35336d325007ac991178d504a119863a2fcb3758cdb5e52c50d"
+checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589"
 [[package]]
 name = "smallvec"
diff --git a/Cargo.nix b/Cargo.nix
index 67ccdf4b..fdd8764f 100644
--- a/Cargo.nix
+++ b/Cargo.nix
@@ -8191,9 +8191,9 @@ rec {
 };
 "slab" = rec {
 crateName = "slab";
- version = "0.4.10";
+ version = "0.4.11";
 edition = "2018";
- sha256 = "03f5a9gdp33mngya4qwq2555138pj74pl015scv57wsic5rikp04";
+ sha256 = "12bm4s88rblq02jjbi1dw31984w61y2ldn13ifk5gsqgy97f8aks";
 authors = [
 "Carl Lerche "
 ];
diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index a0c8118a..25a707a7 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -22,9 +22,16 @@ spec:
 == `HTTP ERROR 400 Invalid SNI`
-You are very likely accessing a NiFi >= 2.0 stacklet using HTTPS to secure its WebUI and an Ingress in front of it.
-The URL requested by the ingress-controller (such as nginx) needs to be the FQDN of the nifi service, not only the service name.
-You can instruct nginx ingress to use the FQDN by setting the following annotation:
+This error occurs when accessing NiFi 2.0 or later, which enforces https://en.wikipedia.org/wiki/Server_Name_Indication[SNI (Server Name Indication)] validation for HTTPS connections.
+The hostname in the request must match one of the hostnames in NiFi's TLS certificate.
+
+NOTE: For complete technical background, see the https://issues.apache.org/jira/browse/NIFI-14858[upstream issue NIFI-14858].
+
+=== When using Ingress
+
+If you're accessing NiFi through an Ingress controller, the ingress must forward requests using the FQDN of the NiFi service, not just the service name.
+
+For nginx ingress, configure the `upstream-vhost` annotation to use the service FQDN:
 [source,yaml]
 ----
@@ -53,7 +60,32 @@ spec:
 # ...
 ----
-For details please read on https://medium.com/@chnzhoujun/how-to-resolve-sni-issue-when-upgrading-to-nifi-2-0-907e07d465c5[this article].
+For additional details, see https://medium.com/@chnzhoujun/how-to-resolve-sni-issue-when-upgrading-to-nifi-2-0-907e07d465c5[this article].
+
+=== When using Load Balancers or other proxies
+
+When Load Balancers, API Gateways, or other proxy tools sit in front of NiFi, they may forward requests with hostnames that don't match NiFi's TLS certificates.
+This commonly occurs because:
+
+* The proxy uses a different hostname than what's in NiFi's certificate
+* NiFi is unaware of the external hostnames used to reach the proxy
+* Certificate management in Kubernetes makes it complex to include all possible hostnames
+
+==== Workaround: Disable SNI validation
+
+Since this scenario is common and difficult to resolve through certificate management, you can disable SNI validation in NiFi:
+
+[source,yaml]
+----
+nodes:
+ configOverrides:
+ nifi.properties:
+ nifi.web.https.sni.required: "false"
+ nifi.web.https.sni.host.check: "false"
+----
+
+WARNING: Disabling SNI validation reduces security by allowing connections with mismatched hostnames.
+Only use this workaround when proper certificate configuration is not feasible.
 == `authorization_request_not_found` when using multiple NiFi nodes
From d6329d7fb11d644225f65a6f25a6aea91594cb08 Mon Sep 17 00:00:00 2001
From: Lars Francke
Date: Thu, 14 Aug 2025 12:15:52 +0200
Subject: [PATCH 02/10] Include documentation about what each property does
---
 docs/modules/nifi/pages/troubleshooting/index.adoc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index 25a707a7..8ccd1a88 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -84,8 +84,12 @@ nodes:
 nifi.web.https.sni.host.check: "false"
 ----
-WARNING: Disabling SNI validation reduces security by allowing connections with mismatched hostnames.
-Only use this workaround when proper certificate configuration is not feasible.
+These properties control NiFi's SNI validation behavior:
+
+* `nifi.web.https.sni.required`: When `true`, NiFi requires that HTTPS requests include an SNI certificate. Setting to `false` allows connections without SNI certificates.
+* `nifi.web.https.sni.host.check`: When `true`, NiFi validates that the SNI certificate's hostname matches the incoming request's hostname. Setting to `false` disables this hostname matching check.
+
+WARNING: Disabling SNI validation reduces security by allowing connections with mismatched hostnames. Only use this workaround when proper certificate configuration is not feasible.
 == `authorization_request_not_found` when using multiple NiFi nodes
From 0a3c6adca597b139727d8294e42ac298b907a35f Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Mon, 18 Aug 2025 16:06:24 +0200
Subject: [PATCH 03/10] Update docs/modules/nifi/pages/troubleshooting/index.adoc
Co-authored-by: Xenia
---
 docs/modules/nifi/pages/troubleshooting/index.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index 8ccd1a88..5828abba 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -22,10 +22,10 @@ spec:
 == `HTTP ERROR 400 Invalid SNI`
-This error occurs when accessing NiFi 2.0 or later, which enforces https://en.wikipedia.org/wiki/Server_Name_Indication[SNI (Server Name Indication)] validation for HTTPS connections.
+This error occurs when accessing NiFi 2.0 or later, which enforces https://en.wikipedia.org/wiki/Server_Name_Indication[SNI (Server Name Indication){external-link-icon}^] validation for HTTPS connections.
 The hostname in the request must match one of the hostnames in NiFi's TLS certificate.
-NOTE: For complete technical background, see the https://issues.apache.org/jira/browse/NIFI-14858[upstream issue NIFI-14858].
+NOTE: For complete technical background, see the https://issues.apache.org/jira/browse/NIFI-14858[upstream issue NIFI-14858{external-link-icon}^].
 === When using Ingress
From 1a2d1803008cfa20e620d8c881f48198d9d1f022 Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Mon, 18 Aug 2025 16:06:35 +0200
Subject: [PATCH 04/10] Update docs/modules/nifi/pages/troubleshooting/index.adoc
Co-authored-by: Xenia
---
 docs/modules/nifi/pages/troubleshooting/index.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index 5828abba..779706e0 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -60,7 +60,7 @@ spec:
 # ...
 ----
-For additional details, see https://medium.com/@chnzhoujun/how-to-resolve-sni-issue-when-upgrading-to-nifi-2-0-907e07d465c5[this article].
+For additional details, see https://medium.com/@chnzhoujun/how-to-resolve-sni-issue-when-upgrading-to-nifi-2-0-907e07d465c5[this article{external-link-icon}^].
 === When using Load Balancers or other proxies
From 2328c70c02099007fd710f89cce4373b79ef4cd3 Mon Sep 17 00:00:00 2001
From: Lars Francke
Date: Fri, 12 Sep 2025 16:05:53 +0200
Subject: [PATCH 05/10] Apply suggestion from @NickLarsenNZ
Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
---
 docs/modules/nifi/pages/troubleshooting/index.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index 779706e0..64e21763 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -29,7 +29,7 @@ NOTE: For complete technical background, see the https://issues.apache.org/jira/
 === When using Ingress
-If you're accessing NiFi through an Ingress controller, the ingress must forward requests using the FQDN of the NiFi service, not just the service name.
+If you're accessing NiFi through a Load Balancer or Reverse Proxy, it must forward requests using the FQDN of the NiFi service, not just the service name.
 For nginx ingress, configure the `upstream-vhost` annotation to use the service FQDN:
From 050a107606fe412c7e80ac6db5d99a18757b1773 Mon Sep 17 00:00:00 2001
From: Lars Francke
Date: Fri, 12 Sep 2025 16:09:03 +0200
Subject: [PATCH 06/10] Apply suggestion from @NickLarsenNZ
Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
---
 docs/modules/nifi/pages/troubleshooting/index.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index 64e21763..d08c24fd 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -86,7 +86,7 @@ nodes:
 These properties control NiFi's SNI validation behavior:
-* `nifi.web.https.sni.required`: When `true`, NiFi requires that HTTPS requests include an SNI certificate. Setting to `false` allows connections without SNI certificates.
+* `nifi.web.https.sni.required`: When `true`, NiFi requires that HTTPS requests include the SNI extension (containing the `server_name`). Setting to `false` allows connections without SNI certificates.
 * `nifi.web.https.sni.host.check`: When `true`, NiFi validates that the SNI certificate's hostname matches the incoming request's hostname. Setting to `false` disables this hostname matching check.
 WARNING: Disabling SNI validation reduces security by allowing connections with mismatched hostnames. Only use this workaround when proper certificate configuration is not feasible.
From 8d42ba4cfe34652226cf38199e3acf74ba67ce9f Mon Sep 17 00:00:00 2001
From: Lars Francke
Date: Mon, 22 Sep 2025 14:37:13 +0200
Subject: [PATCH 07/10] Apply suggestion from @NickLarsenNZ
Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
---
 docs/modules/nifi/pages/troubleshooting/index.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index d08c24fd..67e82517 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -64,7 +64,7 @@ For additional details, see https://medium.com/@chnzhoujun/how-to-resolve-sni-is
 === When using Load Balancers or other proxies
-When Load Balancers, API Gateways, or other proxy tools sit in front of NiFi, they may forward requests with hostnames that don't match NiFi's TLS certificates.
+When Load Balancers, API Gateways, or other proxy services sit in front of NiFi, they might forward requests with hostnames that don't match NiFi's TLS certificates.
 This commonly occurs because:
 * The proxy uses a different hostname than what's in NiFi's certificate
From 225758d6f2e16882937ea5b61173ab14abc1d451 Mon Sep 17 00:00:00 2001
From: Lars Francke
Date: Mon, 22 Sep 2025 14:52:08 +0200
Subject: [PATCH 08/10] Apply suggestion from @NickLarsenNZ
Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
---
 docs/modules/nifi/pages/troubleshooting/index.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index 67e82517..543d9619 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -87,7 +87,7 @@ nodes:
 These properties control NiFi's SNI validation behavior:
 * `nifi.web.https.sni.required`: When `true`, NiFi requires that HTTPS requests include the SNI extension (containing the `server_name`). Setting to `false` allows connections without SNI certificates.
-* `nifi.web.https.sni.host.check`: When `true`, NiFi validates that the SNI certificate's hostname matches the incoming request's hostname. Setting to `false` disables this hostname matching check.
+* `nifi.web.https.sni.host.check`: When `true`, NiFi validates that the SNI `server_name` is a valid Subject in the Certificate. Setting to `false` disables this hostname matching check.
 WARNING: Disabling SNI validation reduces security by allowing connections with mismatched hostnames. Only use this workaround when proper certificate configuration is not feasible.
From 472d14edf0b994cba10184e91219503d5ee45818 Mon Sep 17 00:00:00 2001
From: Lars Francke
Date: Thu, 2 Oct 2025 16:16:44 +0200
Subject: [PATCH 09/10] Clarify IP restrictions
---
 docs/modules/nifi/pages/troubleshooting/index.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index 543d9619..5519e686 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -86,7 +86,7 @@ nodes:
 These properties control NiFi's SNI validation behavior:
-* `nifi.web.https.sni.required`: When `true`, NiFi requires that HTTPS requests include the SNI extension (containing the `server_name`). Setting to `false` allows connections without SNI certificates.
+* `nifi.web.https.sni.required`: When `true`, NiFi requires that HTTPS requests include the SNI extension (containing the `server_name`). Setting to `false` allows connections without SNI. Be aware: SNI is _not_ used for IP based connections, so if this is set to `true` any connections using IPs only will not work.
 * `nifi.web.https.sni.host.check`: When `true`, NiFi validates that the SNI `server_name` is a valid Subject in the Certificate. Setting to `false` disables this hostname matching check.
 WARNING: Disabling SNI validation reduces security by allowing connections with mismatched hostnames. Only use this workaround when proper certificate configuration is not feasible.
From 9d6f4031d6b8ef3392ed7622bdf44c51cbf27762 Mon Sep 17 00:00:00 2001
From: Lars Francke
Date: Mon, 6 Oct 2025 13:28:18 +0200
Subject: [PATCH 10/10] Clarify SNI host header stuff
---
 docs/modules/nifi/pages/troubleshooting/index.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index 5519e686..9fcb7151 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -87,7 +87,7 @@ nodes:
 These properties control NiFi's SNI validation behavior:
 * `nifi.web.https.sni.required`: When `true`, NiFi requires that HTTPS requests include the SNI extension (containing the `server_name`). Setting to `false` allows connections without SNI. Be aware: SNI is _not_ used for IP based connections, so if this is set to `true` any connections using IPs only will not work.
-* `nifi.web.https.sni.host.check`: When `true`, NiFi validates that the SNI `server_name` is a valid Subject in the Certificate. Setting to `false` disables this hostname matching check.
+* `nifi.web.https.sni.host.check`: When `true`, NiFi validates that the value of the `Host` header is a valid Subject in the Certificate. Setting to `false` disables this hostname matching check.
 WARNING: Disabling SNI validation reduces security by allowing connections with mismatched hostnames. Only use this workaround when proper certificate configuration is not feasible.