Hi,

Your understanding is correct: In order to get the connections you want, NGINX 
will have to be recognized by NiFi as an authorized proxy. The client 
certificate DN will be used for each request, provided NGINX terminates that 
TLS connection from the client and passes the DN of the certificate in the 
X-ProxiedEntitiesChain header to NiFi.

There are a few examples here:
https://github.com/ijokarumawak/nifi-reverseproxy/tree/master/nginx

Here is an example of configuring NGINX to pass the client Cert DN to NiFi:
https://github.com/ijokarumawak/nifi-reverseproxy/blob/master/nginx/standalone-secure-http/nginx.conf

The FQDN of NGINX should match the external hostname of the machine (i.e., what 
the client uses to send requests).

Hope this helps,
Kevin



> On Sep 16, 2020, at 02:04, scotty <yt...@msn.com> wrote:
> 
> Hi Vijay,
> 
> After realizing that the reverse proxy was the problem, I've got NiFi,
> standalone, secured with certificates by removing the reverse proxy out of
> the mix.
> 
> Is there some example, somewhere, of using an NGINX reverse proxy so that I
> can have the following setup?
> 
> client > https > NGINX > https > NiFi    
> 
> My understanding is that NGINX needs a client certificate and that the FQDN
> of that certificate needs to be set up to proxy user requests in the NiFi UI.
> I've done both of these things as well as set up the nifi.web.proxy.host and
> nifi.web.proxy.context.path in the nifi.properties file.
> 
> Is there a specific FQDN that NGINX is supposed to have?
> 
> Thanks.
> 
> 
> 
> --
> Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/
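
The setup discussed in this thread (client > https > NGINX > https > NiFi), sketched as an added example that is not part of the original messages or the linked repository. All hostnames, ports and file paths are placeholders chosen for illustration.

```nginx
# Added example: NGINX terminates client TLS, verifies the client certificate,
# and forwards the verified DN to NiFi in X-ProxiedEntitiesChain.
# Hostnames, ports and certificate paths below are placeholders.
server {
    listen 443 ssl;
    server_name nifi-proxy.example.com;   # external name that clients connect to

    # Server certificate presented to clients
    ssl_certificate     /etc/nginx/certs/nginx-server.crt;
    ssl_certificate_key /etc/nginx/certs/nginx-server.key;

    # Require a client certificate issued by a trusted CA. The DN is only
    # meaningful if verification is enforced here.
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;
    ssl_verify_client on;

    location / {
        proxy_pass https://nifi.internal.example.com:8443;

        # NGINX's own client certificate for the TLS connection to NiFi.
        # Its DN is the identity NiFi must allow to proxy user requests.
        proxy_ssl_certificate     /etc/nginx/certs/nginx-client.crt;
        proxy_ssl_certificate_key /etc/nginx/certs/nginx-client.key;

        # Verify NiFi's server certificate instead of trusting any upstream
        proxy_ssl_trusted_certificate /etc/nginx/certs/nifi-ca.crt;
        proxy_ssl_verify on;

        # Always set the header from the verified certificate. proxy_set_header
        # replaces any X-ProxiedEntitiesChain value the client sent itself.
        proxy_set_header X-ProxiedEntitiesChain "<$ssl_client_s_dn>";

        # Tell NiFi how the client reached the proxy so generated URLs are correct
        proxy_set_header X-ProxyScheme https;
        proxy_set_header X-ProxyHost   $host;
        proxy_set_header X-ProxyPort   443;
    }
}
```

The string in `$ssl_client_s_dn` must match the user identity configured in NiFi exactly; since nginx 1.11.6 the variable uses RFC 2253 ordering, so compare it against the DN NiFi has on record. The external hostname also has to be listed in `nifi.web.proxy.host`.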
