Github user ruckc commented on the issue:

    https://github.com/apache/nifi/pull/2944
  
    So, I can try adjusting everything as needed, and close this PR and create 
a new one from a branch with the right name.
    
    On the actual details.  S2S doesn't work behind a reverse proxy currently.
    So, then the arguably right answer would be to support pulling certificates 
from a Reverse Proxy Request Header, and try to keep X509 Authentication 
working as it is currently.
    
    So S2S, this would only apply to the HTTP S2S API.  I'm not very familiar with 
this; is the S2S HTTP API all in a certain context path, i.e. /nifi-api/s2s?  
If the UI never accesses that context path, then X509 Authentication only needs 
to be enabled on that path, not the entire server.  We should be able to do 
that by triggering an SSL/TLS renegotiation needing/wanting client 
authentication.


