Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/01/12 00:48:00 UTC

[jira] [Commented] (NIFI-9484) SECURE NIFI behind Nginx Reverse proxy

    [ https://issues.apache.org/jira/browse/NIFI-9484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17473229#comment-17473229 ] 

David Handermann commented on NIFI-9484:
----------------------------------------

The first configuration is correct: no value should be set for nifi.web.proxy.context.path when the proxy handles requests at the root path.

However, the following proxy configuration header is not correct:

{noformat}
proxy_set_header X-ProxiedEntitiesChain $ssl_client_s_dn;
{noformat}

The NiFi Administrator's Guide provides some additional details, but the certificate distinguished name needs to be wrapped in brackets.

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration


> SECURE NIFI behind Nginx Reverse proxy
> --------------------------------------
>
>                 Key: NIFI-9484
>                 URL: https://issues.apache.org/jira/browse/NIFI-9484
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.11.4
>            Reporter: mayki
>            Priority: Minor
>              Labels: context-path, proxy
>
> Hello,
> I read a lot of documentation about how to configure secure NiFi behind a reverse proxy.
> But it seems something is missing for it to work completely.
>  * the path to /nifi, WEB UI,  processor configuration: OK
>  * the path to /nifi-api, stop processor, view provenance, [https://xxxx:19091/nifi-api/processors/28621407-017d-1000-31a3-58539fc2e94a/run-status|https://s3639tos.mc2.renault.fr:19091/nifi-api/processors/28621407-017d-1000-31a3-58539fc2e94a/run-status] : KO
>  
> I use this config :
> {code:java}
> server {
>       listen    19091;
>       server_name    nginx_server;
>       proxy_ssl_trusted_certificate /etc/nginx/certs/xxx-cert.pem;
>       proxy_ssl_certificate /etc/nginx/certs/xxx-cert.pem;
>       proxy_ssl_certificate_key /etc/nginx/certs/xxx-key.pem;
>     location / {
>         proxy_ssl_server_name on;
>         proxy_pass https://nifi_server:9091;
>         proxy_set_header X-ProxyScheme https;
>         proxy_set_header X-ProxyHost nifi_server;
>         proxy_set_header X-ProxyPort 19091;
>         #proxy_set_header X-ProxyContextPath /;
>         proxy_set_header X-ProxiedEntitiesChain $ssl_client_s_dn;
>     }
> }
>  {code}
> Nifi properties 1: 
> {code:java}
> nifi.web.proxy.context.path=
> nifi.web.proxy.host=nginx_server:19091 {code}
> Nifi properties 2: 
> {code:java}
> nifi.web.proxy.context.path=/
> nifi.web.proxy.host=nginx_server:19091 {code}
>  
> Nifi properties 3: 
> {code:java}
> nifi.web.proxy.context.path=//,/nifi-api
> nifi.web.proxy.host=nginx_server:19091 {code}
>  
> I have read a lot, but I am not sure what needs to be put in nifi.web.proxy.context.path.
> What is the correct configuration to set up?
> Thanks.



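The header correction described in the comment above, as an added nginx example that is not part of the original thread or of the NiFi project's documentation. The client CA path is a placeholder, and the `ssl_*` directives are assumptions about a proxy that authenticates users by client certificate; only the directives relevant to X-ProxiedEntitiesChain are shown.

```nginx
# Added example. Paths marked "placeholder" are not from the thread.
server {
    # The "ssl" parameter makes nginx terminate TLS on this port;
    # the $ssl_client_* variables are only populated for TLS connections.
    listen      19091 ssl;
    server_name nginx_server;

    # Server certificate presented to browsers (paths as in the reporter's config).
    ssl_certificate     /etc/nginx/certs/xxx-cert.pem;
    ssl_certificate_key /etc/nginx/certs/xxx-key.pem;

    # Request and verify the user's client certificate. With "on", nginx
    # rejects requests that lack a certificate signed by this CA, so the DN
    # forwarded below always comes from a verified certificate.
    ssl_client_certificate /etc/nginx/certs/client-ca.pem;   # placeholder
    ssl_verify_client      on;

    # Certificate nginx presents to NiFi. NiFi must authorize this identity
    # to proxy user requests.
    proxy_ssl_certificate         /etc/nginx/certs/xxx-cert.pem;
    proxy_ssl_certificate_key     /etc/nginx/certs/xxx-key.pem;
    proxy_ssl_trusted_certificate /etc/nginx/certs/xxx-cert.pem;

    location / {
        proxy_ssl_server_name on;
        proxy_pass https://nifi_server:9091;

        # Before (from the issue): DN sent bare.
        #   proxy_set_header X-ProxiedEntitiesChain $ssl_client_s_dn;
        # After: DN wrapped in angle brackets. proxy_set_header also
        # replaces any X-ProxiedEntitiesChain value supplied by the client,
        # so a caller cannot inject an identity of its choosing.
        proxy_set_header X-ProxiedEntitiesChain "<$ssl_client_s_dn>";

        # The X-ProxyScheme, X-ProxyHost and X-ProxyPort headers from the
        # reporter's configuration go here; X-ProxyContextPath stays unset
        # because the proxy serves NiFi at the root path.
    }
}
```

Since nginx 1.11.6, `$ssl_client_s_dn` is rendered in RFC 2253 form, so the user identity configured in NiFi has to match the string nginx actually sends.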