add docs and changelog entry

stackabletech · Aug 27, 2024 · fc33b3e · fc33b3e
1 parent ba5c38d
commit fc33b3e
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- Allow configuring proxy host behaviour ([#668]).
+
 ### Changed
 
 - Reduce CRD size from `637KB` to `105KB` by accepting arbitrary YAML input instead of the underlying schema for the following fields ([#664]):
@@ -17,6 +21,7 @@ All notable changes to this project will be documented in this file.
 
 [#664]: https://github.com/stackabletech/nifi-operator/pull/664
 [#665]: https://github.com/stackabletech/nifi-operator/pull/665
+[#668]: https://github.com/stackabletech/nifi-operator/pull/668
 
 ## [24.7.0] - 2024-07-24
 

diff --git a/docs/modules/nifi/pages/usage_guide/security.adoc b/docs/modules/nifi/pages/usage_guide/security.adoc
@@ -167,3 +167,19 @@ sensitiveProperties:
   keySecret: nifi-sensitive-property-key
   algorithm: nifiArgon2AesGcm256
 ----
+
+[#host-header-check]
+== Host Header Check
+NiFi checks the Host header of incoming requests and rejects them if they are passing through a proxy that is not on an allow-list configured in the `nifi.web.proxy.host` property.
+
+A https://github.com/stackabletech/docker-images/pull/694[patch] applied during the build of the SDP container image for NiFi allows turning off this check by adding `nifi.web.proxy.host=*` to the properties. The Host header check for NiFi clusters created by the operator is turned off by default but can be turned in the NiFi configuration. In this case the list of allowed hosts will default to Kubernetes Services used by Nifi and can be extended with custom entries.
+
+[source,yaml]
+----
+spec:
+  clusterConfig:
+    hostHeaderCheck:
+      allowAll: false
+      additionalAllowedHosts:
+      - example.com:1234
+----
diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
@@ -171,15 +171,15 @@ pub struct HostHeaderCheckConfig {
     #[serde(default = "default_allow_all")]
     pub allow_all: bool,
     /// List of proxy hosts to add to the default allow list deployed by SDP containing Kubernetes Services utilized by NiFi.
-    #[serde(default = "default_additional_allowed_hosts")]
+    #[serde(default)]
     pub additional_allowed_hosts: Vec<String>,
 }
 
 impl Default for HostHeaderCheckConfig {
     fn default() -> Self {
         Self {
-            allow_all: true,
-            additional_allowed_hosts: vec![],
+            allow_all: default_allow_all(),
+            additional_allowed_hosts: Vec::default(),
         }
     }
 }
@@ -188,10 +188,6 @@ pub fn default_allow_all() -> bool {
     true
 }
 
-pub fn default_additional_allowed_hosts() -> Vec<String> {
-    vec![]
-}
-
 // TODO: Temporary solution until listener-operator is finished
 #[derive(Clone, Debug, Default, Display, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
 #[serde(rename_all = "PascalCase")]