Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

NiFi 1.5 System Error: Invalid host header

Labels:
avatar
author-rank alvinuw
Expert Contributor

Created ‎01-18-2018 02:31 PM

Hi Guys,

I just upgraded NiFi from v1.4 to v1.5. The cluster is set in secure mode and running in Kubernetes.

But I found below error in Web UI.

System Error The request contained an invalid host header [server:port] in the request [/nifi/]. Check for request manipulation or third-party intercept.

Is it due to nifi.web.proxy.host property? How do I setup it? the IP of the nifi node?

Thanks.

39,472 Views
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎02-26-2018 01:04 PM

@Vincent van Oudenhoven

A Jira was raised in Apache Jira (https://issues.apache.org/jira/browse/NIFI-4761) to add a whitelist capability so that users could create a list of hostnames that would be allowed. This Whitelist feature is already part of the HDF 3.1 release from Hortonworks and will be part of the Apache NiFi 1.6 release at a later time.

I am sorry to report there is no way around this host name check in Apache NIFi 1.5.

Thanks,

Matt

View solution in original post

34,816 Views
28 REPLIES 28

avatar
author-rank MattWho author-rank
Master Mentor

Created on ‎04-13-2018 03:08 PM - edited ‎08-17-2019 11:40 PM

@Abdou B.

Not sure I follow. We are talking about whitelisting configuration needed for NiFi and not Ambari.

The specific nifi.properties property that is used to add a whitelist of allowed http headers is found in the NiFi admin guide:

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#web-properties

69457-screen-shot-2018-04-13-at-110234-am.png

Thanks,

Matt

15,287 Views

avatar
author-rank abourakb
Explorer

Created ‎04-13-2018 05:05 PM

Hello @Matt Clarke,

It is ok.

"This Whitelist feature is already part of the HDF 3.1 release from Hortonworks and will be part of the Apache NiFi 1.6 release at a later time.

"

I thought that NIFI 1.5 (which is included in HDF 3.1) was not working and that HDF 3.1 provided throught ambari some Work around 🙂

Thanks for your help !

Best Regards

Abdou

6,841 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎04-13-2018 05:21 PM

@Abdou B.

HDF is never running exactly the same version of Apache NiFi as you would find in the open community. Each HDF release is based off an Apache release version as the baseline with many bugs and/or enhancements added on top. So you may find apache bugs that are fixed in Apache NiFi 1.6 which are already fixed in the HDF 3.1 release.

Matt

6,841 Views
0 Kudos

avatar
author-rank tasanuma
Explorer

Created ‎03-06-2018 05:58 AM

If you can build NiFi, it is not so hard to back-port the whitelist feature to 1.5.0. You only need to cherry-pick two commits.

git clone -b rel/nifi-1.5.0 https://github.com/apache/nifi
cd nifi

# cherry-pick NIFI-4761
git cherry-pick 8cb09c301d6fef70cc8a02a4a7e80f3062ab58ae
git cherry-pick e3c661daac69cdb2de43c3d66d9ed1ccc9c8dbc6

# If you need the tar ball
mvn -T 2.0C clean install -DskipTests

# If you need the RPM package
mvn -T 2.0C clean install -DskipTests -Prpm

This works fine for us. Thanks.

6,841 Views
0 Kudos

avatar
author-rank vincentvanouden
Contributor

Created ‎03-06-2018 05:38 PM

I'll make sure to try this out, I hadn't thought of doing this.

6,841 Views
0 Kudos

avatar
author-rank mike-nacey
Explorer

Created ‎07-23-2018 06:52 PM

Is there a way to turn off the Header Request checking entirely? This is causing hoopla with load balancers. SSL will take care of this on its own, yes?

,

Is there a way to disable the Request Header check? This causes hellavu problems with load balancers.

6,841 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created on ‎07-23-2018 07:25 PM - edited ‎08-17-2019 11:40 PM

@Alvin Jin

There is no way to disable the strict hostname checking. The purpose is prevent NiFI from responding to requests that were directed at a different target host.

-

If the incoming request has hostname abc.example.com in the header, It is expected that the PrivateKeyEntry in the keystore being used by NiFi has that exact same hostname defined either as its CN or as a Subject Alternative Name (SAN).

-

NiFi does provide a mechanism to get around this hostname checking in Apache NIFi 1.6.0 or (HDF 3.1.x) versions.

82426-screen-shot-2018-07-23-at-32400-pm.png

-

This new property would get added to the nifi.properties file.

-

Thank you,

Matt

-

If you found this Answer addressed your original question, please take a moment to login and click "Accept" below the answer.

6,841 Views
0 Kudos

avatar
author-rank mike-nacey
Explorer

Created ‎07-23-2018 07:42 PM

Thanks. What I have found is that incoming requests from the LB (aws NLB) were being rejected, even when the LB DNS was part of the SAN in the cert. Setting the nifi.web.proxy.host = <LB DNS>:9091 stopped this from happening, but now there is an error saying that the hostname should be <X>, where X is the private DNS name of the node. I will try adding the private DNS entries to the SAN to see if this resolves. Thanks.

6,841 Views
0 Kudos

avatar
author-rank Maymmus
New Contributor

Created ‎10-21-2019 04:22 AM

Hi,

 Did adding Nifi hostnames to the load balancer certificate's SAN help?

6,745 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements