diff --git a/CHANGELOG.md b/CHANGELOG.md
index 384cf11d..2a1e4a53 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- Allow configuring proxy host behaviour ([#668]).
+
 ### Changed
 
 - Reduce CRD size from `637KB` to `105KB` by accepting arbitrary YAML input instead of the underlying schema for the following fields ([#664]):
@@ -17,6 +21,7 @@ All notable changes to this project will be documented in this file.
 
 [#664]: https://github.com/stackabletech/nifi-operator/pull/664
 [#665]: https://github.com/stackabletech/nifi-operator/pull/665
+[#668]: https://github.com/stackabletech/nifi-operator/pull/668
 
 ## [24.7.0] - 2024-07-24
 
diff --git a/docs/modules/nifi/pages/usage_guide/security.adoc b/docs/modules/nifi/pages/usage_guide/security.adoc
index ec376611..9c6bb662 100644
--- a/docs/modules/nifi/pages/usage_guide/security.adoc
+++ b/docs/modules/nifi/pages/usage_guide/security.adoc
@@ -167,3 +167,19 @@ sensitiveProperties:
     keySecret: nifi-sensitive-property-key
     algorithm: nifiArgon2AesGcm256
 ----
+
+[#host-header-check]
+== Host Header Check
+NiFi checks the Host header of incoming requests and rejects them if they are passing through a proxy that is not on an allow-list configured in the `nifi.web.proxy.host` property.
+
+A https://github.com/stackabletech/docker-images/pull/694[patch] applied during the build of the SDP container image for NiFi allows turning off this check by adding `nifi.web.proxy.host=*` to the properties. The Host header check for NiFi clusters created by the operator is turned off by default but can be turned in the NiFi configuration. In this case the list of allowed hosts will default to Kubernetes Services used by Nifi and can be extended with custom entries.
+
+[source,yaml]
+----
+spec:
+  clusterConfig:
+    hostHeaderCheck:
+      allowAll: false
+      additionalAllowedHosts:
+        - example.com:1234
+----
\ No newline at end of file
diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
index 718242a0..e97e3660 100644
--- a/rust/crd/src/lib.rs
+++ b/rust/crd/src/lib.rs
@@ -171,15 +171,15 @@ pub struct HostHeaderCheckConfig {
     #[serde(default = "default_allow_all")]
     pub allow_all: bool,
     /// List of proxy hosts to add to the default allow list deployed by SDP containing Kubernetes Services utilized by NiFi.
-    #[serde(default = "default_additional_allowed_hosts")]
+    #[serde(default)]
     pub additional_allowed_hosts: Vec,
 }
 
 impl Default for HostHeaderCheckConfig {
     fn default() -> Self {
         Self {
-            allow_all: true,
-            additional_allowed_hosts: vec![],
+            allow_all: default_allow_all(),
+            additional_allowed_hosts: Vec::default(),
         }
     }
 }
@@ -188,10 +188,6 @@ pub fn default_allow_all() -> bool {
     true
 }
 
-pub fn default_additional_allowed_hosts() -> Vec {
-    vec![]
-}
-
 // TODO: Temporary solution until listener-operator is finished
 #[derive(Clone, Debug, Default, Display, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
 #[serde(rename_all = "PascalCase")]
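Review bot: `default_allow_all()` returning `true` means a `HostHeaderCheckConfig` obtained via `Default` or an omitted CRD section turns off NiFi's Host header check (per security.adoc in this same commit), yet neither the function nor the reworked `Default` impl in the first hunk documents that permissive default; suggest `/// Defaults to true, which turns off NiFi's Host header check (proxy allow-list set to *); set allowAll: false in the CRD to enforce the list.` above `pub fn default_allow_all()`. If `additional_allowed_hosts` is later joined into the comma-separated `nifi.web.proxy.host` value, an entry containing a comma or whitespace would silently widen or break the allow-list, so validating entries where that property string is assembled (outside this hunk) seems worth a look. The field type prints as `Vec,` here, which looks like a type parameter lost in this rendering rather than a change made by the commit. `HostHeaderCheckConfig` starts before the first hunk, so the `allow_all` field's own doc comment is not visible.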