Posted to users@nifi.apache.org by Pat White <pa...@verizonmedia.com> on 2020/05/22 16:19:49 UTC

Use of SNI routing in Nifi ?

Hi Folks,

Has anyone tried using SNI routing with Nifi?

I believe Jetty supports the TLS extension for SNI but have not tried using
it, would appreciate any feedback if someone has tried this. Thank you.

Re: Use of SNI routing in Nifi ?

Posted by Pat White <pa...@verizonmedia.com>.
Thank you Andy, certainly appreciate you looking at this. The use of a
frontend proxy is an excellent point, both to handle the routing as well as
adding isolation for Nifi.

Thanks again for the help.

patw

On Fri, May 22, 2020 at 3:53 PM Andy LoPresto <al...@apache.org> wrote:

> Thanks Pat. The S2S protocol uses TLS as a component, and attempts to use
> the highest protocol version supported by both endpoints. For Java 8, this
> should be TLSv1.2, and for Java 11, TLSv1.3 (introduced in upcoming NiFi
> 1.12.0).
>
> NiFi itself doesn’t support hosting multiple instances on the same port,
> so the only way I see this being applicable is if a load balancer/reverse
> proxy in front of NiFi + other services attempted to identify and route
> incoming traffic based on SNI.
>
> I tried to craft a realistic scenario for this email but I couldn’t get to
> a point where it made sense. If you have a specific desired scenario, I can
> try to analyze it, but the entire concept of having multiple NiFi services
> or NiFi + other services be exposed on the same port and use SNI to
> differentiate seems unnecessary to me.
>
>
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On May 22, 2020, at 12:05 PM, Pat White <pa...@verizonmedia.com> wrote:
>
> Hi Andy,
> Thanks very much for the feedback, and my apologies for being vague. I
> have not used SNI so I have some learning to do.
>
> Specific use case we were asked about relates with Nifi to Nifi transfers,
> so not the webservice itself but rather S2S.
> I was wondering if S2S protocol supports SNI, and if so some pointers on
> how to configure that.
>
> patw
>
> On Fri, May 22, 2020 at 1:14 PM Andy LoPresto <al...@apache.org>
> wrote:
>
>> Hi Pat,
>>
>> Are you asking if NiFi’s internal web server supports SNI or if NiFi
>> processors/framework connecting to external services can resolve SNI? Maybe
>> some more context around your question would help us answer.
>>
>>
>> Andy LoPresto
>> alopresto@apache.org
>> alopresto.apache@gmail.com
>> He/Him
>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>>
>> On May 22, 2020, at 9:19 AM, Pat White <pa...@verizonmedia.com> wrote:
>>
>> Hi Folks,
>>
>> Has anyone tried using SNI routing with Nifi?
>>
>> I believe Jetty supports the TLS extension for SNI but have not tried
>> using it, would appreciate any feedback if someone has tried this. Thank
>> you.
>>
>>
>>
>>
>

Re: Use of SNI routing in Nifi ?

Posted by Andy LoPresto <al...@apache.org>.
Thanks Pat. The S2S protocol uses TLS as a component, and attempts to use the highest protocol version supported by both endpoints. For Java 8, this should be TLSv1.2, and for Java 11, TLSv1.3 (introduced in upcoming NiFi 1.12.0). 

NiFi itself doesn’t support hosting multiple instances on the same port, so the only way I see this being applicable is if a load balancer/reverse proxy in front of NiFi + other services attempted to identify and route incoming traffic based on SNI. 

I tried to craft a realistic scenario for this email but I couldn’t get to a point where it made sense. If you have a specific desired scenario, I can try to analyze it, but the entire concept of having multiple NiFi services or NiFi + other services be exposed on the same port and use SNI to differentiate seems unnecessary to me. 


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On May 22, 2020, at 12:05 PM, Pat White <pa...@verizonmedia.com> wrote:
> 
> Hi Andy,
> Thanks very much for the feedback, and my apologies for being vague. I have not used SNI so I have some learning to do.
> 
> Specific use case we were asked about relates with Nifi to Nifi transfers, so not the webservice itself but rather S2S. 
> I was wondering if S2S protocol supports SNI, and if so some pointers on how to configure that.
> 
> patw
> 
> On Fri, May 22, 2020 at 1:14 PM Andy LoPresto <alopresto@apache.org> wrote:
> Hi Pat,
> 
> Are you asking if NiFi’s internal web server supports SNI or if NiFi processors/framework connecting to external services can resolve SNI? Maybe some more context around your question would help us answer. 
> 
> 
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> 
>> On May 22, 2020, at 9:19 AM, Pat White <patwhite@verizonmedia.com> wrote:
>> 
>> Hi Folks,
>> 
>> Has anyone tried using SNI routing with Nifi?
>> 
>> I believe Jetty supports the TLS extension for SNI but have not tried using it, would appreciate any feedback if someone has tried this. Thank you.
>> 
>> 
> 


Re: Use of SNI routing in Nifi ?

Posted by Pat White <pa...@verizonmedia.com>.
Hi Andy,
Thanks very much for the feedback, and my apologies for being vague. I have
not used SNI so I have some learning to do.

Specific use case we were asked about relates with Nifi to Nifi transfers,
so not the webservice itself but rather S2S.
I was wondering if S2S protocol supports SNI, and if so some pointers on
how to configure that.

patw

On Fri, May 22, 2020 at 1:14 PM Andy LoPresto <al...@apache.org> wrote:

> Hi Pat,
>
> Are you asking if NiFi’s internal web server supports SNI or if NiFi
> processors/framework connecting to external services can resolve SNI? Maybe
> some more context around your question would help us answer.
>
>
> Andy LoPresto
> alopresto@apache.org
> alopresto.apache@gmail.com
> He/Him
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On May 22, 2020, at 9:19 AM, Pat White <pa...@verizonmedia.com> wrote:
>
> Hi Folks,
>
> Has anyone tried using SNI routing with Nifi?
>
> I believe Jetty supports the TLS extension for SNI but have not tried
> using it, would appreciate any feedback if someone has tried this. Thank
> you.
>
>
>
>

Re: Use of SNI routing in Nifi ?

Posted by Andy LoPresto <al...@apache.org>.
Hi Pat,

Are you asking if NiFi’s internal web server supports SNI or if NiFi processors/framework connecting to external services can resolve SNI? Maybe some more context around your question would help us answer. 


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On May 22, 2020, at 9:19 AM, Pat White <pa...@verizonmedia.com> wrote:
> 
> Hi Folks,
> 
> Has anyone tried using SNI routing with Nifi?
> 
> I believe Jetty supports the TLS extension for SNI but have not tried using it, would appreciate any feedback if someone has tried this. Thank you.
> 
>