Uploaded image for project: 'Apache Knox'
  1. Apache Knox
  2. KNOX-1434

Visiting Knox Admin UI forces subsequent requests to other services redirect to HTTPS

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 1.0.0
    • 1.2.0
    • AdminUI
    • None
    • HDP 3.0
      Knox 1.0.0

    Description

      Problem Description:

      Visiting Knox Admin UI in any browser (Firefox / Chrome) sets the HTTP Strict Transport Security (HSTS) header for the host where Knox is running. Any subsequent request to other service on the same host (e.g. Graphana, Ranger etc.) over HTTP would get redirected to HTTPS due to this header.

      Please note that, this HSTS header is disabled in all Knox topologies by default.

      Ref: https://knox.apache.org/books/knox-1-1-0/user-guide.html#HTTP+Strict+Transport+Security

       

      Impact:

      All the non-SSL requests to other services get redirected automatically to HTTPS and would result in SSL errors like: SSL_ERROR_RX_RECORD_TOO_LONG or some other error.

       

      Expected Behavior:

      Unless HSTS is specifically enabled for Knox Admin UI, it should not set HSTS header.

       

      Steps to reproduce:

      1. Configure Knox with default topology as one normally would.
      2. Once Knox is up, visit Knox Admin UI
      3. Now, in the same browser session, visit any non-SSL service running on the same Knox host (like Ranger UI on 6080).
      4. Browser will redirect this HTTP request to HTTPS.
      5. If one can carefully clear the HSTS header in browser, then redirection will stop until the next time one visits Knox Admin UI again.

      Attachments

        1. KNOX-1434.patch
          0.8 kB
          Vipin Rathor

        Activity

          People

            Unassigned Unassigned
            vrathor-hw Vipin Rathor
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: