Skip to content

Backport NIFI-14858 to NiFi 2.4.0 #1225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 15, 2025
Merged

Backport NIFI-14858 to NiFi 2.4.0 #1225

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file.
- ubi9-rust-builder: Include `.tar.gz` snapshots of the operator source code in container images ([#1207])
- opensearch: Add Opensearch as new product with version `3.1.0` ([#1215]).
- opensearch: Use build-repo.stackable.tech instead of Maven Central ([#1222]).
- nifi: Backport NIFI-14848 to NiFi ([#1225])

### Changed

Expand All @@ -20,6 +21,7 @@ All notable changes to this project will be documented in this file.
[#1219]: https://github.com/stackabletech/docker-images/pull/1219
[#1220]: https://github.com/stackabletech/docker-images/pull/1220
[#1222]: https://github.com/stackabletech/docker-images/pull/1222
[#1225]: https://github.com/stackabletech/docker-images/pull/1225

## [25.7.0] - 2025-07-23

Expand Down
106 changes: 106 additions & 0 deletions nifi/stackable/patches/2.4.0/0004-NIFI-14858-Make-SNI-checking-configurable.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
From 6f36be44f82a759fe7f4604839b5e528e5037fea Mon Sep 17 00:00:00 2001
From: Lars Francke <[email protected]>
Date: Wed, 13 Aug 2025 14:16:55 +0200
Subject: NIFI-14858: Make SNI checking configurable

Introduces two new properties:
- nifi.web.https.sni.required
- nifi.web.https.sni.host.check
---
.../StandardServerConnectorFactory.java | 24 +++++++++++++++++++
.../org/apache/nifi/util/NiFiProperties.java | 10 ++++++++
.../FrameworkServerConnectorFactory.java | 4 ++++
3 files changed, 38 insertions(+)

diff --git a/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/StandardServerConnectorFactory.java b/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/StandardServerConnectorFactory.java
index 26d09706a1..37fda0929d 100644
--- a/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/StandardServerConnectorFactory.java
+++ b/nifi-commons/nifi-jetty-configuration/src/main/java/org/apache/nifi/jetty/configuration/connector/StandardServerConnectorFactory.java
@@ -70,6 +70,10 @@ public class StandardServerConnectorFactory implements ServerConnectorFactory {

private int requestHeaderSize = 8192;

+ private boolean sniRequired = true;
+
+ private boolean sniHostCheck = true;
+
/**
* Standard Server Connector Factory Constructor with required properties
*
@@ -181,6 +185,24 @@ public class StandardServerConnectorFactory implements ServerConnectorFactory {
this.requestHeaderSize = requestHeaderSize;
}

+ /**
+ * Set SNI Required controls whether SNI is required for TLS connections
+ *
+ * @param sniRequired SNI Required status
+ */
+ public void setSniRequired(final boolean sniRequired) {
+ this.sniRequired = sniRequired;
+ }
+
+ /**
+ * Set SNI Host Check controls whether SNI host checking is enabled for TLS connections
+ *
+ * @param sniHostCheck SNI Host Check status
+ */
+ public void setSniHostCheck(final boolean sniHostCheck) {
+ this.sniHostCheck = sniHostCheck;
+ }
+
protected Server getServer() {
return server;
}
@@ -195,6 +217,8 @@ public class StandardServerConnectorFactory implements ServerConnectorFactory {
httpConfiguration.setSendServerVersion(SEND_SERVER_VERSION);

final SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer();
+ secureRequestCustomizer.setSniRequired(sniRequired);
+ secureRequestCustomizer.setSniHostCheck(sniHostCheck);
httpConfiguration.addCustomizer(secureRequestCustomizer);
}

diff --git a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
index cd3cd0b27e..0e07d5a141 100644
--- a/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
+++ b/nifi-commons/nifi-properties/src/main/java/org/apache/nifi/util/NiFiProperties.java
@@ -206,6 +206,8 @@ public class NiFiProperties extends ApplicationProperties {
public static final String WEB_HTTPS_CIPHERSUITES_INCLUDE = "nifi.web.https.ciphersuites.include";
public static final String WEB_HTTPS_CIPHERSUITES_EXCLUDE = "nifi.web.https.ciphersuites.exclude";
public static final String WEB_HTTPS_NETWORK_INTERFACE_PREFIX = "nifi.web.https.network.interface.";
+ public static final String WEB_HTTPS_SNI_REQUIRED = "nifi.web.https.sni.required";
+ public static final String WEB_HTTPS_SNI_HOST_CHECK = "nifi.web.https.sni.host.check";
public static final String WEB_WORKING_DIR = "nifi.web.jetty.working.directory";
public static final String WEB_THREADS = "nifi.web.jetty.threads";
public static final String WEB_MAX_HEADER_SIZE = "nifi.web.max.header.size";
@@ -710,6 +712,14 @@ public class NiFiProperties extends ApplicationProperties {
return Arrays.stream(protocols.split("\\s+")).collect(Collectors.toSet());
}

+ public boolean isWebHttpsSniRequired() {
+ return Boolean.parseBoolean(getProperty(WEB_HTTPS_SNI_REQUIRED, "true"));
+ }
+
+ public boolean isWebHttpsSniHostCheck() {
+ return Boolean.parseBoolean(getProperty(WEB_HTTPS_SNI_HOST_CHECK, "true"));
+ }
+
public String getWebMaxHeaderSize() {
return getProperty(WEB_MAX_HEADER_SIZE, DEFAULT_WEB_MAX_HEADER_SIZE);
}
diff --git a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
index b58c886f4f..55a28b1c3c 100644
--- a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
+++ b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/connector/FrameworkServerConnectorFactory.java
@@ -90,6 +90,10 @@ public class FrameworkServerConnectorFactory extends StandardServerConnectorFact

// Set Transport Layer Security Protocols based on platform configuration
setIncludeSecurityProtocols(TlsPlatform.getPreferredProtocols().toArray(new String[0]));
+
+ // Set SNI configuration from properties
+ setSniRequired(properties.isWebHttpsSniRequired());
+ setSniHostCheck(properties.isWebHttpsSniHostCheck());
}
}