[
https://issues.apache.org/jira/browse/NIFI-16056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092856#comment-18092856
]
Yuanhao Zhu commented on NIFI-16056:
------------------------------------
[~exceptionfactory] Yup, I've read that part thoroughly during the investigation
as well, but unfortunately I was not able to figure this one out. I would add
the following paragraph as a side note to the Proxy Configuration section:
*Note — chained reverse proxies:* NiFi validates {{X-ProxyHost}} or
{{X-Forwarded-Host}} as a single value and does not split it on commas (it only
strips a trailing {{:port}}). When multiple reverse proxies are chained, an inner
proxy will _append_ to an {{X-Forwarded-Host}} already set upstream, producing
a comma-joined value like {{nifi.example.com, nifi.example.com}}. This is
the *default* for Apache {{mod_proxy}} ({{ProxyAddHeaders On}}). The merged
value matches no configured host, so the request is rejected with *HTTP
421*, even though each individual value is allow-listed. To avoid this,
ensure only one proxy sets {{X-Forwarded-Host}} — on the inner proxy set
{{ProxyAddHeaders Off}} or {{RequestHeader unset X-Forwarded-Host}} before
forwarding, or use {{X-ProxyHost}} instead.
> X-Forwarded-Host could contain multiple comma-separated values, which leads
> to Invalid Proxy Hosts
> --------------------------------------------------------------------------------------------------
>
> Key: NIFI-16056
> URL: https://issues.apache.org/jira/browse/NIFI-16056
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 2.10.0
> Reporter: Yuanhao Zhu
> Priority: Major
>
> When NiFi sits behind a chain of reverse proxies that each append to
> {{X-Forwarded-Host}} (standard {{apr_table_mergen}} behavior in Apache httpd
> {{mod_proxy}} with {{ProxyAddHeaders On}}), the header arrives as a
> single field containing a comma-separated list, e.g.:
> {{X-Forwarded-Host: host.example.com, host.example.com}}
> {{ProxyHeaderValidatorCustomizer.processProxyHostHeaders}} reads the first
> field value and, after stripping a single trailing {{:port}}, compares
> the *entire string* against the request {{Host}} and the
> {{nifi.web.proxy.host}} allow-list. Because it does not split on comma, the
> value {{"host.example.com, host.example.com"}} is never found in the
> allow-list and the request is rejected with *HTTP 421 – Invalid Proxy Host
> Requested*, even though every individual value is a legitimate,
> allow-listed host.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
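The following is an added example, not code from NiFi or from the issue participants. It models in Python the behaviour the comment and the issue description attribute to {{ProxyHeaderValidatorCustomizer.processProxyHostHeaders}} (one trailing {{:port}} stripped, then the whole header value compared against the request {{Host}} and the {{nifi.web.proxy.host}} allow-list), reproduces how chained {{mod_proxy}} instances with {{ProxyAddHeaders On}} turn two legitimate values into one comma-joined string ({{apr_table_mergen}} joins with ", "), and contrasts the reported check with a per-value check. All function names, the allow-list value and the sample hosts are constructed for illustration; the per-value check is an alternative sketched here, not a change the project has made.

```python
"""Model of the X-Forwarded-Host handling described in NIFI-16056.

Added example, not NiFi's code. Function names, the allow-list and the
sample header values are constructed for illustration.
"""
from typing import List, Optional, Set

# Models nifi.web.proxy.host: a comma-separated allow-list of host[:port]
# entries. Constructed value for this example.
PROXY_HOST_ALLOW_LIST = "nifi.example.com, nifi.example.com:8443"


def strip_trailing_port(value: str) -> str:
    """Remove a single trailing ':port' (digits only), as the issue describes."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host
    return value


def parse_allow_list(raw: str) -> Set[str]:
    """Allow-listed hosts with ports removed, so 'host' and 'host:8443' match alike."""
    return {strip_trailing_port(h.strip()) for h in raw.split(",") if h.strip()}


def merge_forwarded_host(existing: Optional[str], incoming_host: str) -> str:
    """Model of httpd's apr_table_mergen as used by mod_proxy with
    ProxyAddHeaders On: an existing header is joined with ', ', not replaced."""
    return incoming_host if existing is None else f"{existing}, {incoming_host}"


def forwarded_host_after_chain(hosts_seen_by_each_proxy: List[str]) -> Optional[str]:
    """X-Forwarded-Host after every proxy in the chain appends the Host it received.
    Each proxy is assumed to see the same Host (e.g. the outer one preserves it)."""
    value: Optional[str] = None
    for host in hosts_seen_by_each_proxy:
        value = merge_forwarded_host(value, host)
    return value


def accepted_as_single_value(forwarded_host: str, request_host: str, allow_list: str) -> bool:
    """Behaviour reported in the issue: the entire header value is one candidate,
    so a comma-joined value never matches even when every element is allowed."""
    candidate = strip_trailing_port(forwarded_host.strip())
    return candidate == strip_trailing_port(request_host) or candidate in parse_allow_list(allow_list)


def accepted_per_value(forwarded_host: str, request_host: str, allow_list: str) -> bool:
    """Alternative check (sketch, not NiFi's): split on comma and require EVERY
    element to be allowed. Using all() rather than any() stops a client-supplied
    first value from riding along with a legitimate one appended by a trusted proxy."""
    allowed = parse_allow_list(allow_list)
    request = strip_trailing_port(request_host)
    candidates = [strip_trailing_port(v.strip()) for v in forwarded_host.split(",")]
    return all(c and (c == request or c in allowed) for c in candidates)


if __name__ == "__main__":
    # Constructed scenario: two chained proxies, both ProxyAddHeaders On.
    merged = forwarded_host_after_chain(["nifi.example.com", "nifi.example.com"])
    print("header after chain:", merged)
    print("single-value check:", accepted_as_single_value(merged, "nifi.example.com", PROXY_HOST_ALLOW_LIST))
    print("per-value check   :", accepted_per_value(merged, "nifi.example.com", PROXY_HOST_ALLOW_LIST))
    # Same chain with the inner proxy not adding the header (ProxyAddHeaders Off
    # or RequestHeader unset X-Forwarded-Host): only one value reaches NiFi.
    single = forwarded_host_after_chain(["nifi.example.com"])
    print("single-value check, one hop:", accepted_as_single_value(single, "nifi.example.com", PROXY_HOST_ALLOW_LIST))
```

Running the block shows the two-hop chain producing {{nifi.example.com, nifi.example.com}}, which the single-value check rejects (the 421 case) and the per-value check accepts, while the one-hop chain, which is what the commenter's {{ProxyAddHeaders Off}} or {{RequestHeader unset X-Forwarded-Host}} advice produces, passes the single-value check as-is.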