Peter Turcsanyi created NIFI-15013:
--------------------------------------

             Summary: Embedded UI pages may fail to open when NiFi runs behind a reverse proxy
                 Key: NIFI-15013
                 URL: https://issues.apache.org/jira/browse/NIFI-15013
             Project: Apache NiFi
          Issue Type: Bug
            Reporter: Peter Turcsanyi


When a reverse proxy sits between the browser and the NiFi backend, it may 
change the incoming requests and add some extra technical parameters. E.g. 
Apache Knox adds "doAs=username" which is used for passing the authenticated 
user to the backend services.

NiFi does not use the "doAs" parameter effectively because it relies on the 
X-ProxiedEntitiesChain header instead (also set by the proxy). In most cases, 
"doAs" does not cause any issues in NiFi and it just omits the extra parameter 
but the embedded UI pages (like the Advanced property pages and the Content 
Viewer) cannot handle it properly.

Switching from the core UI to an embedded UI page involves two steps:
 # The client sends an HTTP request with query parameters indicating the 
component id, etc. The backend converts the query string to a URL fragment and 
sends back a redirection with this modified URL.
 # The client uses the fragment internally and sends a second request 
(according to the redirection), this time without parameters. The backend 
responds with the HTML content of the page.

Both requests go through 
[QueryStringToFragmentFilter|https://github.com/apache/nifi/blob/main/nifi-commons/nifi-web-servlet-shared/src/main/java/org/apache/nifi/web/servlet/filter/QueryStringToFragmentFilter.java]
 which decides if it is the first or the second step and sends the redirection 
with the fragment in case of step #1. The decision is simply made based on the 
presence of a query string and this leads to the issue with Knox (and 
potentially with other proxies too) because "doAs" is always present and it 
triggers redirection infinitely.

A trivial solution would be to filter for "doAs" in QueryStringToFragmentFilter 
and not redirect if this is the only parameter, but it would be Knox-specific 
and definitely not ideal.
Another option would be to add an extra parameter by the NiFi client that 
explicitly distinguishes whether the request is the first step or the second. 
So QueryStringToFragmentFilter could use it when making the decision to 
redirect or not.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
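
The redirect loop described in the issue, and the explicit-marker option it proposes, modelled as a small simulation. This is an added example, not NiFi or Knox code: the `uiStep` parameter name, the `/embedded-ui/advanced` path, the component id and the user `alice` are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

MAX_REDIRECTS = 20       # the simulated browser gives up after this many hops
STEP_MARKER = "uiStep"   # hypothetical parameter name, not an existing NiFi one
PAGE = "<html>embedded UI</html>"

def no_proxy(path, query):
    return path, query

def knox_like_proxy(path, query):
    """Append doAs to every request, as the issue describes for Knox."""
    extra = "doAs=alice"  # constructed sample user
    return path, f"{query}&{extra}" if query else extra

def current_filter(path, query):
    """Decision described in the issue: any query string means step 1."""
    if query:
        return 302, f"{path}#{query}"
    return 200, PAGE

def marker_filter(path, query):
    """Proposed option: redirect only when the client marked the request as step 1."""
    params = dict(parse_qsl(query))
    if params.pop(STEP_MARKER, None) == "1":
        return 302, f"{path}#{urlencode(params)}"
    return 200, PAGE      # proxy-added parameters alone no longer trigger a redirect

def browse(url, backend_filter, proxy=knox_like_proxy):
    """Follow redirects like a browser; return (final status, redirects followed)."""
    for hops in range(MAX_REDIRECTS):
        parts = urlsplit(url)             # the fragment never leaves the client
        path, query = proxy(parts.path, parts.query)
        status, body = backend_filter(path, query)
        if status != 302:
            return status, hops
        url = body                        # Location of the redirect
    return "ERR_TOO_MANY_REDIRECTS", MAX_REDIRECTS

URL = "/embedded-ui/advanced?id=abc-123"             # constructed request
MARKED_URL = "/embedded-ui/advanced?uiStep=1&id=abc-123"

if __name__ == "__main__":
    print("direct, current filter :", browse(URL, current_filter, no_proxy))
    print("proxied, current filter:", browse(URL, current_filter))
    print("proxied, marker filter :", browse(MARKED_URL, marker_filter))
```

The marker only selects between the two steps; identity still comes from the X-ProxiedEntitiesChain header, as the issue states.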
