[ 
https://issues.apache.org/jira/browse/NIFI-16056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092856#comment-18092856
 ] 

Yuanhao Zhu commented on NIFI-16056:
------------------------------------

[~exceptionfactory]  Yup, I've read that part thoroughly during investigation 
as well but unfortunately not able to figure out about this one, I would add 
the following paragraph as a side note to the Proxy Configuration section

*Note — chained reverse proxies:* NiFi validates {{X-ProxyHost}} or 
{{X-Forwarded-Host}} as a single value and does not split it on commas (it only 
strips a trailing: port). When multiple reverse proxies are chained, an inner 
proxy will _append_ to an {{X-Forwarded-Host}} already set upstream, producing 
a comma-joined value like {{{}nifi.example.com, nifi.example.com{}}}. This is 
the *default* for Apache {{mod_proxy}} ({{{}ProxyAddHeaders On{}}}). The merged 
value matches no configured host, so the request is rejected with {*}HTTP 
421{*}, even though each individual value is allow-listed. To avoid this, 
ensure only one proxy sets {{X-Forwarded-Host}} — on the inner proxy set 
{{ProxyAddHeaders Off}} or {{RequestHeader unset X-Forwarded-Host}} before 
forwarding, or use {{X-ProxyHost}} instead.

> X-Forwarded-Host could contain multiple comma-separated values, which leads 
> to Invalid Proxy Hosts
> --------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-16056
>                 URL: https://issues.apache.org/jira/browse/NIFI-16056
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 2.10.0
>            Reporter: Yuanhao Zhu
>            Priority: Major
>
> When NiFi sits behind a chain of reverse proxies that each append to 
> {{X-Forwarded-Host}} (standard {{apr_table_mergen}} behavior in Apache httpd 
> {{mod_proxy}} with {{{}ProxyAddHeaders On{}}}), the header arrives as a 
> single field containing a comma-separated list, e.g.:
> {{X-Forwarded-Host: host.example.com, host.example.com}}
> {{ProxyHeaderValidatorCustomizer.processProxyHostHeaders}} reads the first 
> field value and, after stripping a single trailing {{{}:port{}}}, compares 
> the *entire string* against the request {{Host}} and the 
> {{nifi.web.proxy.host}} allow-list. Because it does not split on comma, the 
> value {{"host.example.com, host.example.com"}} is never found in the 
> allow-list and the request is rejected with {*}HTTP 421 – Invalid Proxy Host 
> Requested{*}, even though every individual value is a legitimate, 
> allow-listed host.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to