NIFI-15967 Adjust Proxy Header Validation for Replicated Requests

[exceptionfactory]

Summary

NIFI-15967 Adjusts the implementation of proxy header validation to support authenticated and replicated requests between NiFi cluster nodes.

Proxy host header validation applies only when the application is enabled for HTTPS, so the implementation checks for the presence of X509 Peer Certificates in the TLS Session. This occurs after a successful TLS handshake, and the presence of the client certificates in the TLS Session indicates that mutual TLS authentication completed as expected. To differentiate requests, the implementation looks for the presence of the custom request-replicated header, which the application sets when constructing forwarded requests. Without both of these qualifiers, standard proxy host header validation occurs, checking the values configured in the nifi.web.proxy.host property, as implemented in NIFI-15953.

Tracking

Please complete the following tracking steps prior to pull request creation.

Issue Tracking

• Apache NiFi Jira issue created

Pull Request Tracking

• Pull Request title starts with Apache NiFi Jira issue number, such as NIFI-00000
• Pull Request commit message starts with Apache NiFi Jira issue number, as such NIFI-00000
• Pull request contains commits signed with a registered key indicating Verified status

Pull Request Formatting

• Pull Request based on current revision of the main branch
• Pull Request refers to a feature branch with one commit containing changes

Verification

Please indicate the verification steps performed prior to pull request creation.

Build

• Build completed using ./mvnw clean install -P contrib-check
  • JDK 21
  • JDK 25

Licensing

• New dependencies are compatible with the Apache License 2.0 according to the License Policy
• New dependencies are documented in applicable LICENSE and NOTICE files

Documentation

• Documentation formatting appears as expected in rendered files

[pvillard31]

Should this branch also require the peer certificate to match a known cluster node identity (or come from the cluster-only trust store), so that a non-node user holding a valid client certificate cannot bypass proxy host validation simply by adding the request-replicated header?

[exceptionfactory]

I considered that additional approach, but it places additional constraints on information that is not necessarily available. The current approach places inherent security constraints with mTLS, and also fits within current configuration boundaries.

[pvillard31]

Could we reference RequestReplicationHeader.REQUEST_REPLICATED.getHeader() (possibly after moving that enum, or just this single constant, into nifi-web-servlet-shared next to ProxyHeader) so the header value is defined in exactly one place?

[exceptionfactory]

Thanks, I looked at options and ended up creating a new ReplicationHeader with just this new enum and put it in nifi-framework-core, as that appeared to be a better location given the cluster-focused nature of this header.

[pvillard31]

Same question on the test side: can REQUEST_REPLICATED_HEADER here share the canonical constant rather than redefining the literal?

[pvillard31]

Is there any code path under a successful isSecure() where connection.getEndPoint() or endPoint.getSslSessionData() could be null (for example during a protocol upgrade), and if so should we guard the chain rather than risk an NullPointerException inside the customizer?

[exceptionfactory]

Good question, but no, at this point in the Connection handling, the SslSessionData can never be null.

[pvillard31]

Thanks for the updates @exceptionfactory - there are some test failures to address

[exceptionfactory]

Thanks for the updates @exceptionfactory - there are some test failures to address

Thanks @pvillard31, I pushed an update to adjust the filtering method in ReplicationHeaderUtils to maintain current behavior.

[pvillard31]

Thanks, latest LGTM and can be merged after successful checks.