[
https://issues.apache.org/jira/browse/NIFI-14433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18020685#comment-18020685
]
Matt Gilman commented on NIFI-14433:
------------------------------------
I think that David comment should address the issue. Please see the second
bullet in the proxy configuration instructions in the admin guide [1]. In
short, NiFi will generate a URL for each resource that exist on the canvas.
That generated URL is using the port from the incoming connection and needs to
be overridden. In addition to PUT calls you'd also have issues with DELETE
calls.
[1]
https://nifi.apache.org/nifi-docs/administration-guide.html#proxy_configuration
> NiFi UI Generates Incorrect Port (:80) for PUT Requests Behind
> SSL-Terminating Reverse Proxy (Cloud Run)
> --------------------------------------------------------------------------------------------------------
>
> Key: NIFI-14433
> URL: https://issues.apache.org/jira/browse/NIFI-14433
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
> Affects Versions: 2.3.0
> Reporter: SivaAnanth Muthuveeranan
> Priority: Major
>
> * *NiFi Version:* 2.3.0 (Tested using official {{apache/nifi:2.3.0}} image
> and custom builds based on {{{}eclipse-temurin:latest{}}})
> * *Deployment:* Docker container running on Google Cloud Run
> * *Cloud Run Configuration:*
> ** Internal Ingress (Load Balancer handles external HTTPS on port 443 and
> forwards HTTP traffic to container port 8080)
> ** VPC Connector configured
> * *Proxy Headers (Sent by Cloud Run Proxy):*
> ** {{X-Forwarded-Proto: https}}
> ** {{X-Forwarded-Host: <your-cloud-run-hostname>}} (e.g.,
> {{{}nifi-internal-service-xxxxxxxxxx-uc.a.run.app{}}})
> ** {{X-Forwarded-Port: 443}}
> ** {{X-Forwarded-For: <client-ip>}}
> * *NiFi {{nifi.properties}} Configuration (Key Settings):*
> ** {{nifi.web.http.port=8080}}
> ** {{nifi.web.http.host=}} (blank, listens on all interfaces)
> ** {{nifi.web.https.port=}} (blank, HTTPS disabled on NiFi itself)
> ** {{nifi.web.https.host=}} (blank)
> ** {{nifi.web.proxy.context.path=/nifi}}
> ** *Variations Tested for {{{}nifi.web.proxy.host{}}}:*
> *** {{nifi.web.proxy.host=<your-cloud-run-hostname>:443}}
> *** {{nifi.web.proxy.host=<your-cloud-run-hostname>}} (Plan A - no port)
> *** {{nifi.web.proxy.host=}} (Blank/Unset) (Plan B)
> ** *Variations Tested for {{{}nifi.web.proxy.scheme{}}}:*
> *** Unset (Relying on {{{}X-Forwarded-Proto{}}})
> *** {{nifi.web.proxy.scheme=https}} (Plan C - combined with Plan B host
> setting)
> ** {{nifi.security.user.login.identity.provider=}} (blank, for testing)
> *Description:*
> When running NiFi 2.3.0 behind an SSL-terminating reverse proxy like Google
> Cloud Run (configured for internal ingress), the NiFi UI fails to correctly
> construct the URL for certain API requests, specifically {{PUT}} requests
> made when modifying components (e.g., saving processor configuration changes).
> While initial UI loading ({{{}GET{}}} requests) and component creation
> ({{{}POST{}}} requests) correctly use the external HTTPS URL
> ({{{}https://<hostname>/nifi-api/...{}}}), subsequent {{PUT}} requests
> generated by the UI incorrectly target port 80
> ({{{}https://<hostname>:80/nifi-api/...{}}}). This results in a browser error
> ({{{}net::ERR_SSL_PROTOCOL_ERROR{}}}) because the Cloud Run proxy expects
> HTTPS traffic on port 443, not HTTP traffic on port 80.
> This issue occurs despite various configurations of {{nifi.web.proxy.host}}
> (including setting it with port 443, without the port, or leaving it unset)
> and explicitly setting {{{}nifi.web.proxy.scheme=https{}}}. The backend
> configuration appears correct based on container startup logs, but the
> frontend JavaScript seems to ignore or misinterpret the proxy port
> information for these specific {{PUT}} calls.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
