[ 
https://issues.apache.org/jira/browse/NIFI-16056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092655#comment-18092655
 ] 

David Handermann commented on NIFI-16056:
-----------------------------------------

[~yuanhao.zhu] Thanks for reporting this issue. Although this might have 
avoided validation in the past, the comma separation in the X-Forwarded-Host 
header is not supported. The value must be limited to a single host, or 
host:port value.

> X-Forwarded-Host could contain multiple comma-separated values, which leads 
> to Invalid Proxy Hosts
> --------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-16056
>                 URL: https://issues.apache.org/jira/browse/NIFI-16056
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 2.10.0
>            Reporter: Yuanhao Zhu
>            Priority: Major
>
> When NiFi sits behind a chain of reverse proxies that each append to 
> {{X-Forwarded-Host}} (standard {{apr_table_mergen}} behavior in Apache httpd 
> {{mod_proxy}} with {{ProxyAddHeaders On}}), the header arrives as a 
> single field containing a comma-separated list, e.g.:
> {{X-Forwarded-Host: host.example.com, host.example.com}}
> {{ProxyHeaderValidatorCustomizer.processProxyHostHeaders}} reads the first 
> field value and, after stripping a single trailing {{:port}}, compares 
> the *entire string* against the request {{Host}} and the 
> {{nifi.web.proxy.host}} allow-list. Because it does not split on comma, the 
> value {{"host.example.com, host.example.com"}} is never found in the 
> allow-list and the request is rejected with *HTTP 421 – Invalid Proxy Host 
> Requested*, even though every individual value is a legitimate, 
> allow-listed host.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
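
A small Java model of the two comparison strategies discussed in this thread, added here as an illustration and not taken from NiFi's source: whole-value matching of X-Forwarded-Host against an allow-list, and per-element matching that accepts a comma-separated list only when every element is allow-listed. The class name, method names and allow-list contents are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical model of the two behaviours discussed in this thread; not NiFi source code.
public class ForwardedHostCheck {

    // Constructed allow-list standing in for nifi.web.proxy.host.
    static final Set<String> ALLOWED = Set.of("host.example.com");

    // Strip one trailing ":port" when the suffix is all digits (IPv6 literals are not handled here).
    static String stripPort(String value) {
        int colon = value.lastIndexOf(':');
        if (colon > 0 && colon < value.length() - 1
                && value.substring(colon + 1).chars().allMatch(Character::isDigit)) {
            return value.substring(0, colon);
        }
        return value;
    }

    // Whole-value comparison: the field is treated as one host or host:port value.
    static boolean singleValueAllowed(String header) {
        return ALLOWED.contains(stripPort(header.trim()));
    }

    // Per-element comparison: accept only if every element, empty ones included, is allow-listed.
    static boolean everyValueAllowed(String header) {
        List<String> hosts = new ArrayList<>();
        for (String part : header.split(",", -1)) {   // -1 keeps trailing empty elements
            hosts.add(stripPort(part.trim()));
        }
        return ALLOWED.containsAll(hosts);
    }

    public static void main(String[] args) {
        String[] samples = {                           // constructed header values
            "host.example.com",
            "host.example.com:8443",
            "host.example.com, host.example.com",      // the value from the issue description
            "host.example.com, other.example.net",     // one element not allow-listed
            "host.example.com,"                        // empty trailing element
        };
        for (String s : samples) {
            System.out.printf("%-40s single=%-5b every=%b%n",
                    '"' + s + '"', singleValueAllowed(s), everyValueAllowed(s));
        }
    }
}
```

Per-element matching must reject the list when any element fails; accepting a list because its first element matches would let an unlisted host ride along behind an allow-listed one.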
