NIFI-14209 Restructure Host Header Validation #9680

Merged
merged 1 commit into from
Feb 5, 2025

Conversation

exceptionfactory
Contributor

Summary

NIFI-14209 Restructures application HTTP Host header validation, removing the HostHeaderHandler and adding the HostPortValidatorCustomizer in the framework Jetty Server.

The default behavior of the SecureRequestCustomizer in Jetty 12 requires TLS Server Name Indication checking, which enforces that the requested Host header or authority must match one of the DNS Subject Alternative Names on the server certificate. When the HTTP request does not include a valid matching DNS name in the Host header, the SecureRequestCustomizer returns an HTTP 400 Bad Request with Invalid SNI as the reason. The check disallows the use of IP addresses and enforces DNS names matching the configured server certificate, which obviates much of the validation logic previously implemented in the HostHeaderHandler.

The TLS SNI check does not validate the requested port, which is an optional part of the Host header. Changes in this pull request introduce the HostPortValidatorCustomizer with a configurable property for valid ports based on the existing nifi.web.proxy.host property. The new class checks the requested port for secure HTTPS requests and returns an HTTP 421 Misdirected Request status for invalid port numbers.

New test methods for the Jetty StandardServerProvider confirm the expected behavior of both TLS SNI checking and host port validation with requests containing custom Host headers.

Additional changes include streamlining construction of the RequestUriBuilder using only the HttpServletRequest, which contains the list of allowed context paths for the request.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

Pull Request Tracking

  • Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
  • Pull Request commit message starts with Apache NiFi Jira issue number, such as NIFI-00000

Pull Request Formatting

  • Pull Request based on current revision of the main branch
  • Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

  • Build completed using mvn clean install -P contrib-check
    • JDK 21

Licensing

  • New dependencies are compatible with the Apache License 2.0 according to the License Policy
  • New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

  • Documentation formatting appears as expected in rendered files

- Replaced HostHeaderHandler with HostPortValidatorCustomizer
- Jetty SecureRequestCustomizer enforces host validation for SNI with Server Certificate DNS Subject Alternative Names
- Added tests for TLS SNI with invalid host and port values
- Refactored and streamlined RequestUriBuilder.fromHttpServletRequest()
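
The port check described in the summary above, sketched as a JDK-only example that is added here and is not the NiFi `HostPortValidatorCustomizer` source. The class and method names, the sample hosts and ports, the treatment of a missing port as 443, and the 400 response for a malformed port are assumptions made for illustration.

```java
import java.util.OptionalInt;
import java.util.Set;
import java.util.TreeSet;

// Added illustration; not the NiFi HostPortValidatorCustomizer source.
public class HostPortCheck {
    static final int OK = 200, BAD_REQUEST = 400, MISDIRECTED_REQUEST = 421;
    static final int HTTPS_DEFAULT_PORT = 443; // assumption: no port in Host means 443

    // Port written after the host in "host[:port]", if any.
    static OptionalInt explicitPort(String authority) {
        String value = authority.trim();
        // IPv6 literals are bracketed, so only a colon after ']' starts the port.
        int colon = value.indexOf(':', value.lastIndexOf(']') + 1);
        if (colon < 0) {
            return OptionalInt.empty();
        }
        String digits = value.substring(colon + 1);
        boolean numeric = !digits.isEmpty() && digits.length() <= 5
                && digits.chars().allMatch(c -> c >= '0' && c <= '9');
        if (!numeric || Integer.parseInt(digits) > 65535) {
            throw new IllegalArgumentException("Invalid port: " + digits);
        }
        return OptionalInt.of(Integer.parseInt(digits));
    }

    // Assumption: valid ports are the HTTPS port plus ports listed in nifi.web.proxy.host.
    static Set<Integer> validPorts(int httpsPort, String proxyHosts) {
        Set<Integer> ports = new TreeSet<>(Set.of(httpsPort));
        for (String entry : proxyHosts.split(",")) {
            explicitPort(entry).ifPresent(ports::add);
        }
        return ports;
    }

    // Status for the port part only; the host name is left to the TLS SNI check.
    static int statusFor(String hostHeader, Set<Integer> validPorts) {
        try {
            int port = explicitPort(hostHeader).orElse(HTTPS_DEFAULT_PORT);
            return validPorts.contains(port) ? OK : MISDIRECTED_REQUEST;
        } catch (IllegalArgumentException e) {
            return BAD_REQUEST; // assumption: malformed port is rejected as a bad request
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real deployment.
        Set<Integer> ports = validPorts(8443, "proxy.example.org:9443, gateway.example.org");
        for (String host : new String[] {"nifi.example.org:8443", "proxy.example.org:9443",
                "nifi.example.org:7443", "nifi.example.org", "[::1]:8443", "nifi.example.org:84x3"}) {
            System.out.printf("Host: %-24s -> %d%n", host, statusFor(host, ports));
        }
    }
}
```

The bracketed IPv6 case passes the port check here only because this sketch looks at the port alone; per the summary, the SNI check is what rejects IP addresses as hosts.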
Contributor

@bbende bbende left a comment


Changes look good, thanks @exceptionfactory !

@bbende bbende merged commit ae5a77b into apache:main Feb 5, 2025
8 checks passed