Posted to dev@nifi.apache.org by skunky <le...@gmail.com> on 2016/10/21 04:49:03 UTC

Nifi 1.0.0 - HTTPS

Hi guys,
I have one big issue regarding nifi over https, and just don't have any
clue to solve it.

    I have a nifi instance behind a balancer ( haproxy ) that does a ssl
termination, by presenting a certificate to the user, and then forwards
the request to nifi backend over http protocol ( without auth).
The point is, that nifi page opens. But in the moment that I try to make any
change to the canvas,
the browser breaks the connection because of the mixed-content.
 - first request that opens nifi page is ok ( https://balancer_ip:444 )
 - second request when I try to make changes is blocked (
http://balancer_ip:444)
    So, it seems that I have to run nifi fully ssl-encrypted. Here comes the
problem ( and the question ):
    Is there a way to run nifi over ssl BUT with anonymous auth, and MOST
important thing without any key/certificate imported into the user's
browser ?
    I just need to run it over ssl. I'm desperately looking for a solution,
for two days...
    Thanks in advance !



--
View this message in context: http://apache-nifi-developer-list.39713.n7.nabble.com/Nifi-1-0-0-HTTPS-tp13683.html
Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.

Re: Nifi 1.0.0 - HTTPS

Posted by skunky <le...@gmail.com>.
Sir,
It worked !
Thank you very much for help.





Re: Nifi 1.0.0 - HTTPS

Posted by Matt Gilman <ma...@gmail.com>.
If you have a chance, open up the Developer Tools in your browser and check
out the response coming back from the server. Add a processor to your
canvas and the response will contain an entry like this

uri:"https://localhost:8443/nifi-api/processors/e82c44e1-0157-1000-73be-f709aa402a30"

This URI is how subsequent actions for this processor will be requested.
This URI is generated using the incoming request (from the proxy in your
scenario) but can be overridden. If this URI is the scheme/host/port of the
back-end instance and not the proxy you should try adding those headers I
outlined in my previous message to see if it helps.

Matt

On Fri, Oct 21, 2016 at 7:54 AM, skunky <le...@gmail.com> wrote:

> Hi,
> Thanks for help !
>    I didn't map any path of nifi. I just have a ssl termination on a load
> balancer ( haproxy in this case) that forwards all req. that are coming to
> its frontend ( https:444 ) to the ip of the nifi instance ( which is
> http:8080).
>    So user browser hits  https://balancer_ip:444  that forwards to
> http://nifi_ip:8080.
> The problem is at some point, the url becomes http ( and browser interrupts
> connection because of "mixed content" ).
>    That's why I think I need to have the whole nifi stream over ssl. Just
> to
> have the same ssl type content, not a mixed one.
>
> Here, I posted the nifi part of haproxy conf :
>
> ## NIFI SSL ##
> frontend nifissl
>     mode http
>     bind *:444 ssl crt cert.pem
>     reqadd X-Forwarded-Proto:\ https
>     reqadd X-Forwarded-Proto:\ http
>     redirect scheme https if !{ ssl_fc }
>     capture request header origin len 128
>     http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
>     rspadd Access-Control-Allow-Headers:\ Origin,\ X-Requested-With,\ Content-Type,\ Accept  if { capture.req.hdr(0) -m found }
>     default_backend srv1
>
> backend nifissl-centos
>     balance roundrobin
>     server srv1 x.x.x.x:8080 check

Re: Nifi 1.0.0 - HTTPS

Posted by skunky <le...@gmail.com>.
Hi,
Thanks for help !
   I didn't map any path of nifi. I just have a ssl termination on a load
balancer ( haproxy in this case) that forwards all req. that are coming to
its frontend ( https:444 ) to the ip of the nifi instance ( which is
http:8080).
   So user browser hits  https://balancer_ip:444  that forwards to
http://nifi_ip:8080.
The problem is at some point, the url becomes http ( and browser interrupts
connection because of "mixed content" ).
   That's why I think I need to have the whole nifi stream over ssl. Just to
have the same ssl type content, not a mixed one.

Here, I posted the nifi part of haproxy conf :

## NIFI SSL ##
frontend nifissl
    mode http
    bind *:444 ssl crt cert.pem
    reqadd X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Proto:\ http
    redirect scheme https if !{ ssl_fc }
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ X-Requested-With,\ Content-Type,\ Accept  if { capture.req.hdr(0) -m found }
    default_backend srv1

backend nifissl-centos
    balance roundrobin
    server srv1 x.x.x.x:8080 check





Re: Nifi 1.0.0 - HTTPS

Posted by Matt Gilman <ma...@gmail.com>.
Hey, thanks for reaching out.

There are a couple of key items to know when standing up NiFi behind a
proxy.

1) NiFi is comprised of a number of web applications (web ui, web api,
documentation, custom ui's, etc). So you'll need to set up your mapping to
the root path. That way all context paths are passed through accordingly. For
instance, if you only mapped the /nifi context path, the custom ui for
Update Attributes will not work since it's available at
/update-attribute-ui-<version>.

2) NiFi's rest api will generate uri's for each component on the graph.
Since you're coming through a proxy, you'll need to override certain elements
of the uri's being generated. This is why you're able to view the graph,
but you cannot modify anything. It's attempting to call back directly to
your NiFi, not through your proxy. You can override the elements of the uri
by adding the following HTTP headers when your proxy generates the HTTP
request to the NiFi instance:

X-ProxyScheme - the scheme to use to connect to your proxy (https in this
case)
X-ProxyHost - the host of your proxy
X-ProxyPort - the port your proxy is listening on
X-ProxyContextPath - the path you've configured to map to the NiFi instance

Let me know if this helps. Thanks!

Matt

On Fri, Oct 21, 2016 at 12:49 AM, skunky <le...@gmail.com> wrote:

> Hi guys,
> I have one big issue regarding nifi over https, and just don't have any
> clue to solve it.
>
>     I have a nifi instance behind a balancer ( haproxy ) that does a ssl
> termination, by presenting a certificate to the user, and then forwards
> the request to nifi backend over http protocol ( without auth).
> The point is, that nifi page opens. But in the moment that I try to make
> any
> change to the canvas,
> the browser breaks the connection because of the mixed-content.
>  - first request that opens nifi page is ok ( https://balancer_ip:444 )
>  - second request when I try to make changes is blocked (
> http://balancer_ip:444)
>     So, it seems that I have to run nifi fully ssl-encrypted. Here comes
> the
> problem ( and the question ):
>     Is there a way to run nifi over ssl BUT with anonymous auth, and MOST
> important thing without any key/certificate imported into the user's
> browser ?
>     I just need to run it over ssl. I'm desperately looking for a solution,
> for two days...
>     Thanks in advance !
>
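
An added example, not part of the original thread and not the NiFi project's own configuration: the HAProxy frontend posted in the thread, reduced to the X-Proxy* header fix described in the reply above. `balancer_ip`, port 444, `cert.pem` and `x.x.x.x:8080` are the thread's own placeholders; the backend name `nifi_http` is made up here, and `X-ProxyContextPath` is left out on the assumption that the proxy maps the root path.

```haproxy
## NIFI SSL (example) ##
frontend nifissl
    mode http
    # TLS terminates here; NiFi itself stays on plain HTTP behind the proxy.
    bind *:444 ssl crt cert.pem

    # Tell NiFi which scheme/host/port the browser actually used, so the
    # URIs it generates for components point back at the proxy and not at
    # http://nifi_ip:8080.
    # set-header (not add-header) replaces any copy of the header sent by
    # the client, so a browser cannot choose the values NiFi will trust.
    http-request set-header X-ProxyScheme https
    http-request set-header X-ProxyHost   balancer_ip
    http-request set-header X-ProxyPort   444

    # Map the root path: everything goes to the same backend, so all of
    # NiFi's web applications (/nifi, /nifi-api, custom UIs) are reachable.
    default_backend nifi_http

backend nifi_http
    mode http
    balance roundrobin
    # Plain HTTP hop to the NiFi instance.
    server srv1 x.x.x.x:8080 check
```

After reloading HAProxy, the `uri` value in the response for a newly added processor should start with `https://balancer_ip:444/`.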