[
https://issues.apache.org/jira/browse/NIFI-14433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18019800#comment-18019800
]
Edwin Mauricio commented on NIFI-14433:
---------------------------------------
Hi David.
I have the same error: when a POST request is sent, it works, but when it is a
PUT request, it introduces a :80/nifi (port).
I have deployed on OpenShift. The first attempt was to deploy it using Apache
NiFi's default HTTPS on port 8443 and then create a service/route pointing to
the container.
8080 -> 8443.
The configuration was complicated because the OpenShift certificates don't
match those of the NiFi container. So I opted for a traditional configuration,
letting OpenShift set up the secure connection layer. In Apache NiFi, I disable
HTTPS and let it be HTTP on port 8080. So, in OpenShift, the mapping is 8080 ->
8080.
Then, a reverse proxy is configured on an upper layer that gives me a domain to
access via TCP 80 (https://myinternaldomain.int/nifi/). In this case, I can
access Apache NiFi via a secure connection without logging in and I can create
processes (POST requests). However, making PUT requests fails because it sets
port 80 (https://myinternaldomain.int:80/nifi/).
This is my nifi.props after running it the first time (I am working with podman
containers):
{code:java}
$ cat nifi.properties
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Core Properties #
nifi.flow.configuration.file=./conf/flow.json.gz
nifi.flow.configuration.archive.enabled=true
nifi.flow.configuration.archive.dir=./conf/archive/
nifi.flow.configuration.archive.max.time=30 days
nifi.flow.configuration.archive.max.storage=500 MB
nifi.flow.configuration.archive.max.count=
nifi.flowcontroller.autoResumeState=true
nifi.flowcontroller.graceful.shutdown.period=10 sec
nifi.flowservice.writedelay.interval=500 ms
nifi.administrative.yield.duration=30 sec
# If a component has no work to do (is "bored"), how long should we wait before checking again for work?
nifi.bored.yield.duration=10 millis
nifi.queue.backpressure.count=10000
nifi.queue.backpressure.size=1 GB

nifi.authorizer.configuration.file=./conf/authorizers.xml
nifi.login.identity.provider.configuration.file=./conf/login-identity-providers.xml
nifi.ui.banner.text=
nifi.nar.library.directory=./lib
nifi.nar.library.autoload.directory=/opt/nifi/nifi-current/nar_extensions
nifi.nar.working.directory=./work/nar/
nifi.nar.unpack.uber.jar=false
nifi.upload.working.directory=./work/uploads

#####################
# Python Extensions #
#####################
# Uncomment in order to enable Python Extensions.
nifi.python.command=python3
nifi.python.framework.source.directory=./python/framework
nifi.python.extensions.source.directory.default=/opt/nifi/nifi-current/python_extensions
nifi.python.working.directory=./work/python
nifi.python.max.processes=100
nifi.python.max.processes.per.extension.type=10

####################
# State Management #
####################
nifi.state.management.configuration.file=./conf/state-management.xml
# The ID of the local state provider
nifi.state.management.provider.local=local-provider
# The ID of the cluster-wide state provider. This will be ignored if NiFi is not clustered but must be populated if running in a cluster.
nifi.state.management.provider.cluster=zk-provider
# The Previous Cluster State Provider from which the framework will load Cluster State when the current Cluster Provider has no entries
nifi.state.management.provider.cluster.previous=
# Specifies whether or not this instance of NiFi should run an embedded ZooKeeper server
nifi.state.management.embedded.zookeeper.start=false
# Properties file that provides the ZooKeeper properties to use if <nifi.state.management.embedded.zookeeper.start> is set to true
nifi.state.management.embedded.zookeeper.properties=./conf/zookeeper.properties

# Database Settings
nifi.database.directory=./database_repository

# FlowFile Repository
nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository
nifi.flowfile.repository.wal.implementation=org.apache.nifi.wali.SequentialAccessWriteAheadLog
nifi.flowfile.repository.directory=./flowfile_repository
nifi.flowfile.repository.checkpoint.interval=20 secs
nifi.flowfile.repository.always.sync=false
nifi.flowfile.repository.retain.orphaned.flowfiles=true

nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager
nifi.queue.swap.threshold=20000

# Content Repository
nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository
nifi.content.claim.max.appendable.size=50 KB
nifi.content.repository.directory.default=./content_repository
nifi.content.repository.archive.max.retention.period=3 hours
nifi.content.repository.archive.max.usage.percentage=90%
nifi.content.repository.archive.enabled=true
nifi.content.repository.always.sync=false

# Provenance Repository Properties
nifi.provenance.repository.implementation=org.apache.nifi.provenance.WriteAheadProvenanceRepository

# Persistent Provenance Repository Properties
nifi.provenance.repository.directory.default=./provenance_repository
nifi.provenance.repository.max.storage.time=30 days
nifi.provenance.repository.max.storage.size=10 GB
nifi.provenance.repository.rollover.time=10 mins
nifi.provenance.repository.rollover.size=100 MB
nifi.provenance.repository.query.threads=2
nifi.provenance.repository.index.threads=2
nifi.provenance.repository.compress.on.rollover=true
nifi.provenance.repository.always.sync=false
# Comma-separated list of fields. Fields that are not indexed will not be searchable. Valid fields are:
# EventType, FlowFileUUID, Filename, TransitURI, ProcessorID, AlternateIdentifierURI, Relationship, Details
nifi.provenance.repository.indexed.fields=EventType, FlowFileUUID, Filename, ProcessorID, Relationship
# FlowFile Attributes that should be indexed and made searchable. Some examples to consider are filename, uuid, mime.type
nifi.provenance.repository.indexed.attributes=
# Large values for the shard size will result in more Java heap usage when searching the Provenance Repository
# but should provide better performance
nifi.provenance.repository.index.shard.size=500 MB
# Indicates the maximum length that a FlowFile attribute can be when retrieving a Provenance Event from
# the repository. If the length of any attribute exceeds this value, it will be truncated when the event is retrieved.
nifi.provenance.repository.max.attribute.length=65536
nifi.provenance.repository.concurrent.merge.threads=2
# Volatile Provenance Respository Properties
nifi.provenance.repository.buffer.size=100000

# Component and Node Status History Repository
nifi.components.status.repository.implementation=org.apache.nifi.controller.status.history.VolatileComponentStatusRepository

# Volatile Status History Repository Properties
nifi.components.status.repository.buffer.size=1440
nifi.components.status.snapshot.frequency=1 min

# QuestDB Status History Repository Properties
nifi.status.repository.questdb.persist.node.days=14
nifi.status.repository.questdb.persist.component.days=3
nifi.status.repository.questdb.persist.location=./status_repository

# NAR Persistence Properties
nifi.nar.persistence.provider.implementation=org.apache.nifi.nar.StandardNarPersistenceProvider
nifi.nar.persistence.provider.properties.directory=./nar_repository

# Asset Management
nifi.asset.manager.implementation=org.apache.nifi.asset.StandardAssetManager
nifi.asset.manager.properties.directory=./assets

# Site to Site properties
nifi.remote.input.host=nebdf-be-dataextractor-develop-5df4c9b7f-s8nlp
nifi.remote.input.secure=false
nifi.remote.input.socket.port=10000
nifi.remote.input.http.enabled=true
nifi.remote.input.http.transaction.ttl=30 sec
nifi.remote.contents.cache.expiration=30 secs

# web properties #
#############################################

# For security, NiFi will present the UI on 127.0.0.1 and only be accessible through this loopback interface.
# Be aware that changing these properties may affect how your instance can be accessed without any restriction.
# We recommend configuring HTTPS instead. The administrators guide provides instructions on how to do this.

nifi.web.http.host=0.0.0.0
nifi.web.http.port=8080
nifi.web.http.network.interface.default=

#############################################

nifi.web.https.host=
nifi.web.https.port=
nifi.web.https.network.interface.default=
nifi.web.https.application.protocols=h2 http/1.1
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=
nifi.web.proxy.host=
nifi.web.max.content.size=
nifi.web.max.requests.per.second=30000
nifi.web.max.access.token.requests.per.second=25
nifi.web.request.timeout=60 secs
nifi.web.request.ip.whitelist=
nifi.web.should.send.server.version=true
nifi.web.request.log.format=%{client}a - %u %t "%r" %s %O "%{Referer}i" "%{User-Agent}i"

# Filter JMX MBeans available through the System Diagnostics REST API
nifi.web.jmx.metrics.allowed.filter.pattern=

# Include or Exclude TLS Cipher Suites for HTTPS
nifi.web.https.ciphersuites.include=
nifi.web.https.ciphersuites.exclude=

# security properties #
nifi.sensitive.props.key=1UaYIKocQ334KAanlrjVKLKQj5SdufTC
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256

nifi.security.autoreload.enabled=false
nifi.security.autoreload.interval=10 secs
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.keyPasswd=
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
nifi.security.user.authorizer=single-user-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.jws.key.rotation.period=PT1H
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=

# OpenId Connect SSO Properties #
nifi.security.user.oidc.discovery.url=
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=
nifi.security.user.oidc.client.secret=
nifi.security.user.oidc.preferred.jwsalgorithm=
nifi.security.user.oidc.additional.scopes=offline_access
nifi.security.user.oidc.claim.identifying.user=
nifi.security.user.oidc.fallback.claims.identifying.user=
nifi.security.user.oidc.claim.groups=groups
nifi.security.user.oidc.truststore.strategy=JDK
nifi.security.user.oidc.token.refresh.window=60 secs

# SAML Properties #
nifi.security.user.saml.idp.metadata.url=
nifi.security.user.saml.sp.entity.id=
nifi.security.user.saml.identity.attribute.name=
nifi.security.user.saml.group.attribute.name=
nifi.security.user.saml.request.signing.enabled=false
nifi.security.user.saml.want.assertions.signed=true
nifi.security.user.saml.signature.algorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
nifi.security.user.saml.authentication.expiration=12 hours
nifi.security.user.saml.single.logout.enabled=false
nifi.security.user.saml.http.client.truststore.strategy=JDK
nifi.security.user.saml.http.client.connect.timeout=30 secs
nifi.security.user.saml.http.client.read.timeout=30 secs

# Identity Mapping Properties #
# These properties allow normalizing user identities such that identities coming from different identity providers
# (certificates, LDAP, Kerberos) can be treated the same internally in NiFi. The following example demonstrates normalizing
# DNs from certificates and principals from Kerberos into a common identity string:
#
# nifi.security.identity.mapping.pattern.dn=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
# nifi.security.identity.mapping.value.dn=$1@$2
# nifi.security.identity.mapping.transform.dn=NONE
# nifi.security.identity.mapping.pattern.kerb=^(.*?)/instance@(.*?)$
# nifi.security.identity.mapping.value.kerb=$1@$2
# nifi.security.identity.mapping.transform.kerb=UPPER

# Group Mapping Properties #
# These properties allow normalizing group names coming from external sources like LDAP. The following example
# lowercases any group name.
#
# nifi.security.group.mapping.pattern.anygroup=^(.*)$
# nifi.security.group.mapping.value.anygroup=$1
# nifi.security.group.mapping.transform.anygroup=LOWER

# cluster common properties (all nodes must have same values) #
nifi.cluster.protocol.heartbeat.interval=5 sec
nifi.cluster.protocol.heartbeat.missable.max=8
nifi.cluster.protocol.is.secure=false

# cluster node properties (only configure for cluster nodes) #
nifi.cluster.is.node=false
nifi.cluster.leader.election.implementation=CuratorLeaderElectionManager
nifi.cluster.node.address=nebdf-be-dataextractor-develop-5df4c9b7f-s8nlp
nifi.cluster.node.protocol.port=
nifi.cluster.node.protocol.max.threads=50
nifi.cluster.node.event.history.size=25
nifi.cluster.node.connection.timeout=5 sec
nifi.cluster.node.read.timeout=5 sec
nifi.cluster.node.max.concurrent.requests=100
nifi.cluster.firewall.file=
nifi.cluster.flow.election.max.wait.time=5 mins
nifi.cluster.flow.election.max.candidates=

# cluster load balancing properties #
nifi.cluster.load.balance.host=
nifi.cluster.load.balance.port=6342
nifi.cluster.load.balance.connections.per.node=1
nifi.cluster.load.balance.max.thread.count=8
nifi.cluster.load.balance.comms.timeout=30 sec

# zookeeper properties, used for cluster management #
nifi.zookeeper.connect.string=
nifi.zookeeper.connect.timeout=10 secs
nifi.zookeeper.session.timeout=10 secs
nifi.zookeeper.root.node=/nifi
nifi.zookeeper.client.secure=false
nifi.zookeeper.security.keystore=
nifi.zookeeper.security.keystoreType=
nifi.zookeeper.security.keystorePasswd=
nifi.zookeeper.security.truststore=
nifi.zookeeper.security.truststoreType=
nifi.zookeeper.security.truststorePasswd=
nifi.zookeeper.jute.maxbuffer=

# Zookeeper properties for the authentication scheme used when creating acls on znodes used for cluster management
# Values supported for nifi.zookeeper.auth.type are "default", which will apply world/anyone rights on znodes
# and "sasl" which will give rights to the sasl/kerberos identity used to authenticate the nifi node
# The identity is determined using the value in nifi.kerberos.service.principal and the removeHostFromPrincipal
# and removeRealmFromPrincipal values (which should align with the kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal
# values configured on the zookeeper server).
nifi.zookeeper.auth.type=
nifi.zookeeper.kerberos.removeHostFromPrincipal=
nifi.zookeeper.kerberos.removeRealmFromPrincipal=

# kerberos #
nifi.kerberos.krb5.file=

# kerberos service principal #
nifi.kerberos.service.principal=
nifi.kerberos.service.keytab.location=

# analytics properties #
nifi.analytics.predict.enabled=false
nifi.analytics.predict.interval=3 mins
nifi.analytics.query.interval=5 mins
nifi.analytics.connection.model.implementation=org.apache.nifi.controller.status.analytics.models.OrdinaryLeastSquares
nifi.analytics.connection.model.score.name=rSquared
nifi.analytics.connection.model.score.threshold=.90

# kubernetes #
nifi.cluster.leader.election.kubernetes.lease.prefix=

# flow analysis properties
nifi.registry.check.for.rule.violations.before.commit=

# runtime monitoring properties
nifi.monitor.long.running.task.schedule=
nifi.monitor.long.running.task.threshold=

# Enable automatic diagnostic at shutdown.
nifi.diagnostics.on.shutdown.enabled=false

# Include verbose diagnostic information.
nifi.diagnostics.on.shutdown.verbose=false

# The location of the diagnostics folder.
nifi.diagnostics.on.shutdown.directory=./diagnostics

# The maximum number of files permitted in the directory. If the limit is exceeded, the oldest files are deleted.
nifi.diagnostics.on.shutdown.max.filecount=10

# The diagnostics folder's maximum permitted size in bytes. If the limit is exceeded, the oldest files are deleted.
nifi.diagnostics.on.shutdown.max.directory.size=10 MB

# Performance tracking properties
## Specifies what percentage of the time we should track the amount of time processors are using CPU, reading from/writing to content repo, etc.
## This can be useful to understand which components are the most expensive and to understand where system bottlenecks may be occurring.
## The value must be in the range of 0 (inclusive) to 100 (inclusive). A larger value will produce more accurate results, while a smaller value may be
## less expensive to compute.
## Results can be obtained by running "nifi.sh diagnostics <filename>" and then inspecting the produced file.
nifi.performance.tracking.percentage=0

# NAR Provider Properties #
# These properties allow configuring one or more NAR providers. A NAR provider retrieves NARs from an external source
# and copies them to the directory specified by nifi.nar.library.autoload.directory.
#
# Each NAR provider property follows the format:
# nifi.nar.library.provider.<identifier>.<property-name>
#
# Each NAR provider must have at least one property named "implementation".
#
# Example HDFS NAR Provider:
# nifi.nar.library.provider.hdfs.implementation=org.apache.nifi.flow.resource.hadoop.HDFSExternalResourceProvider
# nifi.nar.library.provider.hdfs.resources=/path/to/core-site.xml,/path/to/hdfs-site.xml
# nifi.nar.library.provider.hdfs.storage.location=hdfs://hdfs-location
# nifi.nar.library.provider.hdfs.source.directory=/nars
# [email protected]
# nifi.nar.library.provider.hdfs.kerberos.keytab=/path/to/nifi.keytab
# nifi.nar.library.provider.hdfs.kerberos.password=
#
# Example NiFi Registry NAR Provider:
# nifi.nar.library.provider.nifi-registry.implementation=org.apache.nifi.registry.extension.NiFiRegistryExternalResourceProvider
# nifi.nar.library.provider.nifi-registry.url=http://localhost:18080
{code}
The compose is this:
{code:java}
# dev environment
version: "3"
services:
  nifi:
    image: apache/nifi:2.5.0
    container_name: nifi
    environment:
      - NIFI_WEB_HTTP_PORT=8080
      - NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER=single-user-provider
      - SINGLE_USER_CREDENTIALS_USERNAME=admin2025
      - SINGLE_USER_CREDENTIALS_PASSWORD=admin2025
    ports:
      - 8080:8080
      - 8443:8443 # just to see if works on both, but it does not.
    volumes:
      - nifi_data:/opt/nifi/nifi-current
volumes:
  nifi_data:
{code}
> NiFi UI Generates Incorrect Port (:80) for PUT Requests Behind
> SSL-Terminating Reverse Proxy (Cloud Run)
> --------------------------------------------------------------------------------------------------------
>
> Key: NIFI-14433
> URL: https://issues.apache.org/jira/browse/NIFI-14433
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
> Affects Versions: 2.3.0
> Reporter: SivaAnanth Muthuveeranan
> Priority: Major
>
> * *NiFi Version:* 2.3.0 (Tested using official {{apache/nifi:2.3.0}} image
> and custom builds based on {{eclipse-temurin:latest}})
> * *Deployment:* Docker container running on Google Cloud Run
> * *Cloud Run Configuration:*
> ** Internal Ingress (Load Balancer handles external HTTPS on port 443 and
> forwards HTTP traffic to container port 8080)
> ** VPC Connector configured
> * *Proxy Headers (Sent by Cloud Run Proxy):*
> ** {{X-Forwarded-Proto: https}}
> ** {{X-Forwarded-Host: <your-cloud-run-hostname>}} (e.g.,
> {{nifi-internal-service-xxxxxxxxxx-uc.a.run.app}})
> ** {{X-Forwarded-Port: 443}}
> ** {{X-Forwarded-For: <client-ip>}}
> * *NiFi {{nifi.properties}} Configuration (Key Settings):*
> ** {{nifi.web.http.port=8080}}
> ** {{nifi.web.http.host=}} (blank, listens on all interfaces)
> ** {{nifi.web.https.port=}} (blank, HTTPS disabled on NiFi itself)
> ** {{nifi.web.https.host=}} (blank)
> ** {{nifi.web.proxy.context.path=/nifi}}
> ** *Variations Tested for {{nifi.web.proxy.host}}:*
> *** {{nifi.web.proxy.host=<your-cloud-run-hostname>:443}}
> *** {{nifi.web.proxy.host=<your-cloud-run-hostname>}} (Plan A - no port)
> *** {{nifi.web.proxy.host=}} (Blank/Unset) (Plan B)
> ** *Variations Tested for {{nifi.web.proxy.scheme}}:*
> *** Unset (Relying on {{X-Forwarded-Proto}})
> *** {{nifi.web.proxy.scheme=https}} (Plan C - combined with Plan B host
> setting)
> ** {{nifi.security.user.login.identity.provider=}} (blank, for testing)
> *Description:*
> When running NiFi 2.3.0 behind an SSL-terminating reverse proxy like Google
> Cloud Run (configured for internal ingress), the NiFi UI fails to correctly
> construct the URL for certain API requests, specifically {{PUT}} requests
> made when modifying components (e.g., saving processor configuration changes).
> While initial UI loading ({{GET}} requests) and component creation
> ({{POST}} requests) correctly use the external HTTPS URL
> ({{https://<hostname>/nifi-api/...}}), subsequent {{PUT}} requests
> generated by the UI incorrectly target port 80
> ({{https://<hostname>:80/nifi-api/...}}). This results in a browser error
> ({{net::ERR_SSL_PROTOCOL_ERROR}}) because the Cloud Run proxy expects
> HTTPS traffic on port 443, not HTTP traffic on port 80.
> This issue occurs despite various configurations of {{nifi.web.proxy.host}}
> (including setting it with port 443, without the port, or leaving it unset)
> and explicitly setting {{nifi.web.proxy.scheme=https}}. The backend
> configuration appears correct based on container startup logs, but the
> frontend JavaScript seems to ignore or misinterpret the proxy port
> information for these specific {{PUT}} calls.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
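
The quoted report lists the X-Forwarded-* headers the proxy sends and contrasts the expected URL with the `https://<hostname>:80/...` one the UI produced. As an added example (not NiFi's code and not from the reporter or commenter), the JavaScript below derives the external origin from those headers and flags a request URL whose scheme and port disagree. The hostname, client IP and function names are constructed for illustration, and letting a port inside X-Forwarded-Host take precedence over X-Forwarded-Port is an assumption.

```javascript
// Added example, not NiFi code: derive the external origin a UI should target
// from the proxy headers listed in the issue, and flag scheme/port mismatches.
const DEFAULT_PORTS = { http: 80, https: 443 };

// Proxies may append values; the first entry is the one closest to the client.
function firstValue(value) {
  if (value === undefined || value === null) return undefined;
  const first = String(value).split(',')[0].trim();
  return first === '' ? undefined : first;
}

// headers: object keyed by lower-cased header name.
function externalOrigin(headers) {
  const proto = (firstValue(headers['x-forwarded-proto']) || 'http').toLowerCase();
  const hostHeader = firstValue(headers['x-forwarded-host']) || firstValue(headers['host']);
  const knownScheme = Object.prototype.hasOwnProperty.call(DEFAULT_PORTS, proto);
  if (!hostHeader || !knownScheme) {
    throw new Error('cannot determine external origin from headers');
  }
  // Split an optional ":port" off the host (IPv6 literals stay bracketed).
  const match = /^(\[[^\]]+\]|[^:]+)(?::(\d+))?$/.exec(hostHeader);
  if (!match) throw new Error(`malformed host: ${hostHeader}`);
  const host = match[1].toLowerCase();
  // Assumption: a port inside X-Forwarded-Host wins over X-Forwarded-Port.
  const port = Number(
    match[2] || firstValue(headers['x-forwarded-port']) || DEFAULT_PORTS[proto]
  );
  // Omit the scheme's default port so the origin matches what the browser uses.
  const suffix = port === DEFAULT_PORTS[proto] ? '' : `:${port}`;
  return `${proto}://${host}${suffix}`;
}

// Returns a list of problems with a URL the UI is about to call.
function checkRequestUrl(requestUrl, headers) {
  const problems = [];
  const url = new URL(requestUrl);
  const scheme = url.protocol.replace(':', '');
  // URL.port is '' when the port is the scheme's default.
  const port = url.port === '' ? DEFAULT_PORTS[scheme] : Number(url.port);
  for (const [otherScheme, otherPort] of Object.entries(DEFAULT_PORTS)) {
    if (otherScheme !== scheme && otherPort === port) {
      problems.push(`${scheme} URL targets port ${port}, the default port for ${otherScheme}`);
    }
  }
  const expected = externalOrigin(headers);
  if (url.origin !== expected) {
    problems.push(`origin ${url.origin} differs from proxy origin ${expected}`);
  }
  return problems;
}

// Constructed sample: the header set from the issue with a placeholder hostname.
const sampleHeaders = {
  'x-forwarded-proto': 'https',
  'x-forwarded-host': 'nifi.example.internal',
  'x-forwarded-port': '443',
  'x-forwarded-for': '203.0.113.10',
};
```

Running `checkRequestUrl` over the PUT URLs captured in the browser's network tab, together with the headers logged at the backend, shows whether the wrong port comes from the header values or from the client-side URL construction.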