Hey Scott,

Assuming you are using two-way TLS with client certificates for authentication, 
I recommend configuring your ELB for TCP passthrough so that the TLS handshake 
is between the end-client and the NiFi Registry Server (in other words, no 
decryption/termination of the TLS connection happens in the ELB). If you are 
using some other form of authentication (e.g., LDAP), you will need to 
configure your ELB to trust the self-signed key NiFi Registry is using. I'm not 
sure how to do that as I've never run an ELB with that configuration before.

Also, just a note about using an ELB with NiFi Registry:

NiFi Registry currently only supports single-instance use, as persisted data 
and in-memory state are not synced between multiple instances. Are you hoping to 
use the ELB for actual load balancing, or is it just to take advantage of other 
ELB features, such as forwarding and security group rules? If the plan is to 
load balance multiple Registry instances, just be aware that you will probably 
run into some unexpected behavior. (As you mentioned using authorization, that 
is one case where I know the in-memory cache of the persisted data will not 
refresh across instances, so even if you were using some sort of shared network 
file system attached to multiple Registry instances, such as EFS, it would not 
work the way you hope.)

Hope this helps,
Kevin

On 3/19/18, 10:20, "Scott Howell" <[email protected]> wrote:

    Thanks for the quick response.
    
    A couple of things I am seeing.
    
    1. There is no error; I don’t see anything in the logs once the service comes up. This is because the health check is not even hitting the instance when secure.
    
    2. Nothing interesting in the nifi-registry-app.logs. That was my concern because on my nifi instance I can see the health check hitting the instance from the ELB. This does not happen on the nifi-registry instance. I see the service startup and it tells me what domain and port I can access the UI but nothing else after that.
    
    3. When I am on an instance in the same private subnet I am able to curl to the instance; I get the TLS SSL, which tells me the keystore is on the server. I am using a JKS keystore that is self-signed by the company I work for.
    
    > On Mar 19, 2018, at 9:10 AM, Bryan Bende <[email protected]> wrote:
    > 
    > Hello,
    > 
    > What error are you getting when you cannot access the UI?
    > 
    > Is there anything interesting in nifi-registry-app.log regarding
    > authentication/authorization when this happens?
    > 
    > Can you access the UI securely without going through the ELB?
    > 
    > Thanks,
    > 
    > Bryan
    > 
    > 
    > On Mon, Mar 19, 2018 at 10:05 AM, Scott Howell <[email protected]> wrote:
    >> I was able to stand up nifi-registry behind an AWS ELB non-secure. Everything was working great and I was able to access the UI anonymously. I set up the authorization just like on my nifi instances along with the authorizers and identity-provider. The service comes up without errors and everything looks good but the health check does not pass and I cannot access the UI to log in. I was wondering if anyone else has run into this issue using nifi-registry.
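Kevin's recommendation above, that a TCP passthrough listener keeps the TLS handshake between the end-client and NiFi Registry while a terminating (HTTPS) listener makes the ELB the TLS peer and therefore drops the user's client certificate, can be demonstrated with a small Go program. This is an added example, not code from the thread, from the NiFi project or from AWS: the ELB is modelled by a local relay over net.Pipe in both modes, the hostname registry.example.com, the user alice and every certificate are constructed in the program, and selfSigned, dialRegistry, elb, probe and demo are hypothetical names chosen for the example, not NiFi or AWS APIs. It uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const host = "registry.example.com" // constructed: the hostname users point at the ELB

// selfSigned mints a throwaway self-signed certificate for name, usable as a server or a client cert.
func selfSigned(name string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// dialRegistry stands in for a TCP connection to NiFi Registry (a net.Pipe replaces the socket);
// the Registry side requires a client certificate and answers with the identity it authenticated.
func dialRegistry(cfg *tls.Config) net.Conn {
	a, b := net.Pipe()
	go func(tc *tls.Conn) {
		defer tc.Close()
		if tc.Handshake() != nil {
			return // no valid client certificate: the Registry refuses the session
		}
		fmt.Fprintf(tc, "authenticated as %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}(tls.Server(b, cfg))
	return a
}

// elb relays one user connection. passthrough=true is a TCP listener: bytes are copied untouched and
// the TLS handshake stays between the user and the Registry. passthrough=false is an HTTPS listener:
// the ELB terminates TLS itself and opens a new session upstream that carries no client certificate.
func elb(front net.Conn, passthrough bool, regCfg, elbCfg, upstreamCfg *tls.Config) {
	defer front.Close()
	back := dialRegistry(regCfg)
	defer back.Close()
	if !passthrough {
		front = tls.Server(front, elbCfg)
		back = tls.Client(back, upstreamCfg)
	}
	go io.Copy(back, front)
	io.Copy(front, back)
}

// probe connects as a user holding the client certificate in clientCfg and returns the Registry's answer.
func probe(passthrough bool, clientCfg, regCfg, elbCfg, upstreamCfg *tls.Config) string {
	a, b := net.Pipe()
	go elb(b, passthrough, regCfg, elbCfg, upstreamCfg)
	body, err := io.ReadAll(tls.Client(a, clientCfg))
	if err != nil {
		return "rejected: " + err.Error()
	}
	return string(body)
}

// demo runs the same user certificate through both ELB modes; every name and certificate is constructed.
func demo() (viaPassthrough, viaTermination string) {
	regCert, regX509 := selfSigned(host) // the Registry's keystore entry, also uploaded to the HTTPS listener
	userCert, userX509 := selfSigned("alice")
	users, roots := x509.NewCertPool(), x509.NewCertPool()
	users.AddCert(userX509)
	roots.AddCert(regX509)
	regCfg := &tls.Config{Certificates: []tls.Certificate{regCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: users}
	elbCfg := &tls.Config{Certificates: []tls.Certificate{regCert}} // what a terminating listener presents
	upstreamCfg := &tls.Config{RootCAs: roots, ServerName: host}    // ELB to Registry: no user certificate available
	clientCfg := &tls.Config{Certificates: []tls.Certificate{userCert}, RootCAs: roots, ServerName: host}
	viaPassthrough = probe(true, clientCfg, regCfg, elbCfg, upstreamCfg)
	viaTermination = probe(false, clientCfg, regCfg, elbCfg, upstreamCfg)
	return
}

func main() {
	fmt.Println(demo())
}
```

In passthrough mode the Registry sees alice's certificate and answers `authenticated as alice`. In terminating mode the ELB's upstream session has no client certificate to offer (the user's private key never left the user's machine), so the Registry rejects it and the user sees an empty response or a failed handshake. The same holds for a health check: whatever the load balancer sends on its own behalf arrives without a user certificate, so a mutual-TLS backend behind a terminating listener cannot distinguish it from an unauthenticated caller.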