Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/01/12 00:48:00 UTC
[jira] [Commented] (NIFI-9484) SECURE NIFI behind Nginx Reverse proxy
[ https://issues.apache.org/jira/browse/NIFI-9484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17473229#comment-17473229 ]
David Handermann commented on NIFI-9484:
----------------------------------------
The first configuration is correct; no value should be set for nifi.web.proxy.context.path when the proxy handles requests at the root path.
However, the following proxy configuration header is not correct:
{noformat}
proxy_set_header X-ProxiedEntitiesChain $ssl_client_s_dn;
{noformat}
The NiFi Administrator's Guide provides some additional details, but the certificate distinguished name needs to be wrapped in brackets.
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration
> SECURE NIFI behind Nginx Reverse proxy
> --------------------------------------
>
> Key: NIFI-9484
> URL: https://issues.apache.org/jira/browse/NIFI-9484
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.11.4
> Reporter: mayki
> Priority: Minor
> Labels: context-path, proxy
>
> Hello,
> I read a lot of documentation about how to configure secure NiFi behind a reverse proxy.
> But something seems to be missing for it to work completely.
> * the path to /nifi, WEB UI, processor configuration: OK
> * the path to /nifi-api, stop processor, view provenance, [https://xxxx:19091/nifi-api/processors/28621407-017d-1000-31a3-58539fc2e94a/run-status|https://s3639tos.mc2.renault.fr:19091/nifi-api/processors/28621407-017d-1000-31a3-58539fc2e94a/run-status] : KO
>
> I use this config :
> {code:java}
> server {
>     listen 19091;
>     server_name nginx_server;
>     proxy_ssl_trusted_certificate /etc/nginx/certs/xxx-cert.pem;
>     proxy_ssl_certificate /etc/nginx/certs/xxx-cert.pem;
>     proxy_ssl_certificate_key /etc/nginx/certs/xxx-key.pem;
>     location / {
>         proxy_ssl_server_name on;
>         proxy_pass https://nifi_server:9091;
>         proxy_set_header X-ProxyScheme https;
>         proxy_set_header X-ProxyHost nifi_server;
>         proxy_set_header X-ProxyPort 19091;
>         #proxy_set_header X-ProxyContextPath /;
>         proxy_set_header X-ProxiedEntitiesChain $ssl_client_s_dn;
>     }
> }
> {code}
> Nifi properties 1:
> {code:java}
> nifi.web.proxy.context.path=
> nifi.web.proxy.host=nginx_server:19091
> {code}
> Nifi properties 2:
> {code:java}
> nifi.web.proxy.context.path=/
> nifi.web.proxy.host=nginx_server:19091
> {code}
>
> Nifi properties 3:
> {code:java}
> nifi.web.proxy.context.path=//,/nifi-api
> nifi.web.proxy.host=nginx_server:19091
> {code}
>
> I have read a lot, but I am not sure what needs to be put in nifi.web.proxy.context.path.
> What is the correct configuration to set up?
> Thanks.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
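
An added example, not part of the Jira thread or the NiFi project's own configuration: the reporter's server block with the identity header corrected as the comment describes, using the angle-bracket form from the linked Administrator's Guide section. It assumes end users authenticate to nginx with client certificates, so the `ssl` listener, the `ssl_verify_client` setting and the `client-ca.pem` path are assumptions that do not appear in the reported configuration.

```nginx
server {
    listen 19091 ssl;
    server_name nginx_server;

    # Server certificate presented to browsers (paths as in the reported config).
    ssl_certificate        /etc/nginx/certs/xxx-cert.pem;
    ssl_certificate_key    /etc/nginx/certs/xxx-key.pem;

    # $ssl_client_s_dn is only populated when nginx itself requests and
    # verifies a client certificate on this listener.
    ssl_client_certificate /etc/nginx/certs/client-ca.pem;  # assumed CA bundle path
    ssl_verify_client      on;

    # Certificate nginx presents to NiFi on the upstream TLS connection.
    # Per the Administrator's Guide, this proxy identity must be authorized
    # in NiFi to proxy user requests.
    proxy_ssl_certificate         /etc/nginx/certs/xxx-cert.pem;
    proxy_ssl_certificate_key     /etc/nginx/certs/xxx-key.pem;
    proxy_ssl_trusted_certificate /etc/nginx/certs/xxx-cert.pem;

    location / {
        proxy_ssl_server_name on;
        proxy_pass https://nifi_server:9091;

        # Before (the header the comment identifies as incorrect): bare DN
        #   proxy_set_header X-ProxiedEntitiesChain $ssl_client_s_dn;
        # After: the client certificate DN wrapped in angle brackets
        proxy_set_header X-ProxiedEntitiesChain <$ssl_client_s_dn>;

        # X-ProxyScheme, X-ProxyHost and X-ProxyPort stay as in the reported config.
    }
}
```

With `ssl_verify_client on`, nginx rejects requests that carry no valid client certificate, so an empty identity is never forwarded in the header.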