[
https://issues.apache.org/jira/browse/NIFI-16056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092655#comment-18092655
]
David Handermann commented on NIFI-16056:
-----------------------------------------
[~yuanhao.zhu] Thanks for reporting this issue. Although this might have
avoided validation in the past, the comma separation in the X-Forwarded-Host
header is not supported. The value must be limited to a single host, or
host:port value.
> X-Forwarded-Host could contain multiple comma-separated values, which leads
> to Invalid Proxy Hosts
> --------------------------------------------------------------------------------------------------
>
> Key: NIFI-16056
> URL: https://issues.apache.org/jira/browse/NIFI-16056
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 2.10.0
> Reporter: Yuanhao Zhu
> Priority: Major
>
> When NiFi sits behind a chain of reverse proxies that each append to
> {{X-Forwarded-Host}} (standard {{apr_table_mergen}} behavior in Apache httpd
> {{mod_proxy}} with {{{}ProxyAddHeaders On{}}}), the header arrives as a
> single field containing a comma-separated list, e.g.:
> {{X-Forwarded-Host: host.example.com, host.example.com}}
> {{ProxyHeaderValidatorCustomizer.processProxyHostHeaders}} reads the first
> field value and, after stripping a single trailing {{{}:port{}}}, compares
> the *entire string* against the request {{Host}} and the
> {{nifi.web.proxy.host}} allow-list. Because it does not split on comma, the
> value {{"host.example.com, host.example.com"}} is never found in the
> allow-list and the request is rejected with {*}HTTP 421 – Invalid Proxy Host
> Requested{*}, even though every individual value is a legitimate,
> allow-listed host.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)