From 255dcdffbc8fe812c60ac0ea12e0d59c6e694c8a Mon Sep 17 00:00:00 2001
From: Lars Francke <jujutsu@lars-francke.de>
Date: Wed, 13 Aug 2025 23:19:39 +0200
Subject: [PATCH 1/2] Document workaround to disable SNI checks

---
 Cargo.lock                                    |  4 +-
 Cargo.nix                                     |  4 +-
 .../nifi/pages/troubleshooting/index.adoc     | 40 +++++++++++++++++--
 3 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index ea63e503..4ba23a92 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2519,9 +2519,9 @@ dependencies = [
 
 [[package]]
 name = "slab"
-version = "0.4.10"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04dc19736151f35336d325007ac991178d504a119863a2fcb3758cdb5e52c50d"
+checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589"
 
 [[package]]
 name = "smallvec"
diff --git a/Cargo.nix b/Cargo.nix
index 67ccdf4b..fdd8764f 100644
--- a/Cargo.nix
+++ b/Cargo.nix
@@ -8191,9 +8191,9 @@ rec {
       };
       "slab" = rec {
         crateName = "slab";
-        version = "0.4.10";
+        version = "0.4.11";
         edition = "2018";
-        sha256 = "03f5a9gdp33mngya4qwq2555138pj74pl015scv57wsic5rikp04";
+        sha256 = "12bm4s88rblq02jjbi1dw31984w61y2ldn13ifk5gsqgy97f8aks";
         authors = [
           "Carl Lerche <me@carllerche.com>"
         ];
diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index a0c8118a..25a707a7 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -22,9 +22,16 @@ spec:
 
 == `HTTP ERROR 400 Invalid SNI`
 
-You are very likely accessing a NiFi >= 2.0 stacklet using HTTPS to secure its WebUI and an Ingress in front of it.
-The URL requested by the ingress-controller (such as nginx) needs to be the FQDN of the nifi service, not only the service name.
-You can instruct nginx ingress to use the FQDN by setting the following annotation:
+This error occurs when accessing NiFi 2.0 or later, which enforces https://en.wikipedia.org/wiki/Server_Name_Indication[SNI (Server Name Indication)] validation for HTTPS connections.
+The hostname in the request must match one of the hostnames in NiFi's TLS certificate.
+
+NOTE: For complete technical background, see the https://issues.apache.org/jira/browse/NIFI-14858[upstream issue NIFI-14858].
+
+=== When using Ingress
+
+If you're accessing NiFi through an Ingress controller, the ingress must forward requests using the FQDN of the NiFi service, not just the service name.
+
+For nginx ingress, configure the `upstream-vhost` annotation to use the service FQDN:
 
 [source,yaml]
 ----
@@ -53,7 +60,32 @@ spec:
 # ...
 ----
 
-For details please read on https://medium.com/@chnzhoujun/how-to-resolve-sni-issue-when-upgrading-to-nifi-2-0-907e07d465c5[this article].
+For additional details, see https://medium.com/@chnzhoujun/how-to-resolve-sni-issue-when-upgrading-to-nifi-2-0-907e07d465c5[this article].
+
+=== When using Load Balancers or other proxies
+
+When Load Balancers, API Gateways, or other proxy tools sit in front of NiFi, they may forward requests with hostnames that don't match NiFi's TLS certificates.
+This commonly occurs because:
+
+* The proxy uses a different hostname than what's in NiFi's certificate
+* NiFi is unaware of the external hostnames used to reach the proxy
+* Certificate management in Kubernetes makes it complex to include all possible hostnames
+
+==== Workaround: Disable SNI validation
+
+Since this scenario is common and difficult to resolve through certificate management, you can disable SNI validation in NiFi:
+
+[source,yaml]
+----
+nodes:
+  configOverrides:
+    nifi.properties:
+      nifi.web.https.sni.required: "false"
+      nifi.web.https.sni.host.check: "false"
+----
+
+WARNING: Disabling SNI validation reduces security by allowing connections with mismatched hostnames.
+Only use this workaround when proper certificate configuration is not feasible.
 
 == `authorization_request_not_found` when using multiple NiFi nodes
 

From a72b3cae45e53a715848f54253668c0a595a6207 Mon Sep 17 00:00:00 2001
From: Lars Francke <jujutsu@lars-francke.de>
Date: Thu, 14 Aug 2025 12:15:52 +0200
Subject: [PATCH 2/2] Include documentation about what each property does

---
 docs/modules/nifi/pages/troubleshooting/index.adoc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/docs/modules/nifi/pages/troubleshooting/index.adoc b/docs/modules/nifi/pages/troubleshooting/index.adoc
index 25a707a7..8ccd1a88 100644
--- a/docs/modules/nifi/pages/troubleshooting/index.adoc
+++ b/docs/modules/nifi/pages/troubleshooting/index.adoc
@@ -84,8 +84,12 @@ nodes:
       nifi.web.https.sni.host.check: "false"
 ----
 
-WARNING: Disabling SNI validation reduces security by allowing connections with mismatched hostnames.
-Only use this workaround when proper certificate configuration is not feasible.
+These properties control NiFi's SNI validation behavior:
+
+* `nifi.web.https.sni.required`: When `true`, NiFi requires that HTTPS requests include an SNI certificate. Setting to `false` allows connections without SNI certificates.
+* `nifi.web.https.sni.host.check`: When `true`, NiFi validates that the SNI certificate's hostname matches the incoming request's hostname. Setting to `false` disables this hostname matching check.
+
+WARNING: Disabling SNI validation reduces security by allowing connections with mismatched hostnames. Only use this workaround when proper certificate configuration is not feasible.
 
 == `authorization_request_not_found` when using multiple NiFi nodes