Awesome. If I understand your set up correctly, you are sending a HTTP request from the proxy to the NiFi instance. NiFi does support reading user details from an HTTP header but only when authenticating a user (or your proxy in this case). Additionally, the admin must grant the proxy has having ROLE_PROXY in order to authorize it to proxy user requests. NiFi currently only supports user authentication with two way SSL using certificates. There is discussion ongoing about adding support for other authentication models [1].
If a HTTP request is received, it will treat the user as anonymous. Matt [1] https://cwiki.apache.org/confluence/display/NIFI/Pluggable+Authentication On Fri, Sep 11, 2015 at 8:39 AM, Edgardo Vega <[email protected]> wrote: > Matt, > > It worked great. I just added those headers and it all worked. Follow on > question is about ssl user authentication through a proxy. Can you add > headers that nifi will use to authenticate a user so you can do terminate > the ssl connection at the proxy? > > Cheers, > > Edgardo > > On Thu, Sep 10, 2015 at 6:46 PM, Matt Gilman <[email protected]> > wrote: > > > Edgardo, > > > > There are a couple of key items to know when standing up NiFi behind a > > proxy. > > > > 1) NiFi is comprised of a number of web applications (web ui, web api, > > documentation, custom ui's, etc). So you'll need to set up your mapping > to > > the root path. That way all context paths are pass through accordingly. > For > > instance, if you only mapped the /nifi context path, the custom ui for > > Update Attributes will not work since it's available at > > /update-attribute-ui-<version>. > > > > 2) NiFi's rest api will generate uri's for each component on the graph. > > Since your coming through a proxy, you'll need to override certain > elements > > of the uri's being generated. This is why your able to view the graph, > but > > you cannot modify anything. It attempting to call back directly to your > > NiFi, not through your proxy. You can override the elements of the uri by > > adding the following HTTP headers when your proxy generates the HTTP > > request to the NiFi instance: > > > > X-ProxyScheme - the scheme to use to connect to your proxy (https in this > > case) > > X-ProxyHost - the host of your proxy > > X-ProxyPort - the port your proxy is listening on > > X-ProxyContextPath - the path you've configured to map to the NiFi > instance > > > > I've never done the proxying through nginx so please let me know if this > > helps. > > > > Matt > > > > On Thu, Sep 10, 2015 at 6:04 PM, Edgardo Vega <[email protected]> > > wrote: > > > > > I am trying to setup Nifi unsung nginx as a reverse proxy. I would like > > > nginx to terminate the ssl connection and then run nifi on http. I have > > > tried to set it up but ran into an issue were any viewing operation > works > > > but cannot make any changes (move, start, stop, etc). The browser > > complains > > > about mixed content. > > > > > > So how do you configure nifi to work correctly in this scenario? > > > > > > > > > -- > > > Cheers, > > > > > > Edgardo > > > > > > Sent from Gmail Mobile > > > > > > > > > -- > Cheers, > > Edgardo >
