[ https://issues.apache.org/jira/browse/NIFI-14754?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dirk Hennig updated NIFI-14754:
-------------------------------
Description:
I am trying to install NiFi 2.4 behind an inbound frontend load balancer/proxy
(haproxy) with its own DNS name for the secured NiFi cluster, e.g.
cluster.external.domain on port 8443.
The NiFi nodes in the backend have their internal hostnames, e.g.
node1.internal.domain on port 8443.
The haproxy has the following configuration (shortened):

frontend dmaas-drcc-http
    bind *:8443 ssl crt /etc/haproxy/ssl/cluster.external.domain.pem
    acl dns_drccrat hdr(host) -m beg nifi-p-drcc-rat.bdps.vodafone.com
    acl path_nifi path -i -m beg /nifi
    use_backend nifi_drccrat_backend if dns_drccrat path_nifi

backend nifi_drccrat_backend
    http-response set-header X-ProxyScheme: "https"
    http-response set-header X-ProxyHost: cluster.external.domain
    http-response set-header X-ProxyPort: 8443
    http-response set-header X-ProxyContextPath: /nifi
    server node1.internal.domain node1.internal.domain:8443/nifi check ssl verify none cookie 111...
    server node2.internal.domain node2.internal.domain:8443/nifi check ssl verify none cookie 222...
    server node3.internal.domain node3.internal.domain:8443/nifi check ssl verify none cookie 333...

The NiFi node hostnames are configured in nifi.properties as follows:

nifi.web.https.host=node1.internal.domain
nifi.web.https.port=8443
nifi.web.proxy.context.path=/nifi
nifi.web.proxy.host=cluster.external.domain:8443, node1.internal.domain:8443

I can log in to the NiFi cluster and browse the canvas and settings, as all HTTP
GET URLs which are sent to the browser are generated with the correct external
DNS name cluster.external.domain:8443.
But there are some exceptions: URLs which are generated for PUT or OPTIONS
methods have the wrong hostname and port. They just have
node1.internal.domain and the default HTTPS port. For this reason these
requests cannot reach the backend, because they try to bypass the haproxy with
the wrong port.

Example:
The request to modify policies
https://cluster.external.domain:8443/nifi-api/flow/about returns

{"about":{"title":"NiFi","version":"2.4.0","uri":"https://node1.internal.domain:443/nifi-api/","contentViewerUrl":"node1.internal.domain:443/nifi/#/content-viewer","timezone":"CEST","buildTag":"rel/nifi-2.4.0"}}

But it should return

{"about":{"title":"NiFi","version":"2.4.0","uri":"https://cluster.external.domain:8443/nifi-api/","contentViewerUrl":"cluster.external.domain:8443/nifi/#/content-viewer","timezone":"CEST","buildTag":"rel/nifi-2.4.0"}}

All subsequent nifi-api URLs using the PUT or OPTIONS method are then generated by
the GUI with the wrong internal hostname and will fail.
In NiFi 1.x this setup was working fine; in NiFi 2.x it stopped working.
I am stuck now with the deployment. Please can you assist here?
Many thanks in advance.
> nifi-api ignores nifi.web.proxy.host for PUT and OPTIONS requests
> -----------------------------------------------------------------
>
> Key: NIFI-14754
> URL: https://issues.apache.org/jira/browse/NIFI-14754
> Project: Apache NiFi
> Issue Type: Bug
> Components: NiFi API
> Affects Versions: 2.4.0
> Reporter: Dirk Hennig
> Priority: Major
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
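
Added example, not part of the original report or of the NiFi project: a check for the setup described above that lints the HAProxy fragment and compares the origin advertised by /nifi-api/flow/about with the external one. It assumes NiFi takes the X-Proxy* values from request headers, as its proxy documentation describes; the function names and the trimmed sample inputs are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Assumption: NiFi reads these from the incoming request, so they must be added there.
PROXY_HEADERS = {"x-proxyscheme", "x-proxyhost", "x-proxyport", "x-proxycontextpath"}

# Constructed from the report: shortened backend section and returned body.
HAPROXY = """backend nifi_drccrat_backend
  http-response set-header X-ProxyHost: cluster.external.domain
  http-response set-header X-ProxyPort: 8443
  server node1.internal.domain node1.internal.domain:8443/nifi check ssl verify none cookie 111...
"""
ABOUT = ('{"about":{"uri":"https://node1.internal.domain:443/nifi-api/",'
         '"contentViewerUrl":"node1.internal.domain:443/nifi/#/content-viewer"}}')


def lint_haproxy(config):
    """Return (line_no, finding) pairs for a HAProxy config fragment."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        m = re.match(r"\s*http-response\s+set-header\s+(\S+)", line)
        if m and m.group(1).rstrip(":").lower() in PROXY_HEADERS:
            findings.append((no, "proxy header set on the response, never sent to the backend"))
        if re.match(r"\s*server\s", line) and re.search(r"\bverify\s+none\b", line):
            findings.append((no, "backend TLS certificate is not verified"))
    return findings


def advertised_origins(about_json):
    """Map each URL field of a /nifi-api/flow/about body to its host:port."""
    origins = {}
    for field in ("uri", "contentViewerUrl"):
        value = json.loads(about_json)["about"][field]
        # contentViewerUrl has no scheme in the report's sample; add "//" so it parses.
        parts = urlsplit(value if "://" in value else "//" + value)
        port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
        origins[field] = f"{parts.hostname}:{port}"
    return origins


def leaked_fields(about_json, external):
    """Fields whose origin is not the external host:port that clients use."""
    return sorted(f for f, o in advertised_origins(about_json).items() if o != external)


if __name__ == "__main__":
    for no, finding in lint_haproxy(HAPROXY):
        print(f"haproxy line {no}: {finding}")
    print("not external:", leaked_fields(ABOUT, "cluster.external.domain:8443"))
```

Run against the body returned through the proxy after any configuration change: an empty result from leaked_fields means the API advertises only the external origin.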