Hi,

I tried the patch by adjusting the image, and it seems it is not working if
it is running behind a proxy.

COPY --chown=nifi:nifi start.sh /opt/nifi/scripts/scripts/start.sh
COPY --chown=nifi:nifi secure.sh /opt/nifi/scripts/scripts/secure.sh

NiFi starts but I am unable to access it when it runs behind a proxy.

System Error The request contained an invalid host header [
publichostname:8444] in the request [/nifi/]. Check for request
manipulation or third-party intercept. Valid host headers are [empty] or:

   - 127.0.0.1
   - 127.0.0.1:8443
   - localhost
   - localhost:8443
   - [::1]
   - [::1]:8443
   - 3cdcc5c8b343
   - 3cdcc5c8b343:8443
   - 172.18.0.2
   - 172.18.0.2:8443


By adjusting the image as:

    environment:
      SINGLE_USER_CREDENTIALS_USERNAME: ${SINGLE_USER_CREDENTIALS_USERNAME}
      SINGLE_USER_CREDENTIALS_PASSWORD: ${SINGLE_USER_CREDENTIALS_PASSWORD}
      NIFI_SENSITIVE_PROPS_KEY: ${NIFI_SENSITIVE_PROPS_KEY}
      NIFI_WEB_HTTPS_HOST: ${NIFI_INTERNAL_HOST}
      NIFI_WEB_PROXY_HOST: ${PUBLIC_HOSTNAME}:${NIFI_PUBLIC_PORT}

It seems the certificate is not created properly when NiFi is running
behind a proxy.

Juan

On Sun, 18 Jul 2021 at 22:56, Joey Frazee <[email protected]> wrote:

> Yeah, this wasn’t being handled right anymore. I put up a PR for this on
> Friday.
>
> https://github.com/apache/nifi/pull/5226
>
> If you can give it a test that’d be a big help.
>
> Best,
>
> -joey
>
> On Jul 18, 2021, at 6:50 PM, Juan Pablo Gardella <
> [email protected]> wrote:
>
> 
> Hello all,
>
> I am trying *Single User Credentials* with Docker but it does not work
> because it does not allow setting the nifi.web.proxy.host[1] variable. The
> start script disallows setting the host:
>
> if [ -n "${SINGLE_USER_CREDENTIALS_USERNAME}" ] && [ -n "${SINGLE_USER_CREDENTIALS_PASSWORD}" ]; then
>     ${NIFI_HOME}/bin/nifi.sh set-single-user-credentials "${SINGLE_USER_CREDENTIALS_USERNAME}" "${SINGLE_USER_CREDENTIALS_PASSWORD}"
> fi
>
> . "${scripts_dir}/update_cluster_state_management.sh"
>
> # Check if we are secured or unsecured
> case ${AUTH} in
>     tls)
>         echo 'Enabling Two-Way SSL user authentication'
>         . "${scripts_dir}/secure.sh"
>         ;;
>     ldap)
>         echo 'Enabling LDAP user authentication'
>         # Reference ldap-provider in properties
>         export NIFI_SECURITY_USER_LOGIN_IDENTITY_PROVIDER="ldap-provider"
>
>         . "${scripts_dir}/secure.sh"
>         . "${scripts_dir}/update_login_providers.sh"
>         ;;
>     *)
>         if [ ! -z "${NIFI_WEB_PROXY_HOST}" ]; then
>             echo 'NIFI_WEB_PROXY_HOST was set but NiFi is not configured to run in a secure mode. Will not update nifi.web.proxy.host.'
>         fi
>         ;;
> esac
>
> Why does the echo print that it is not in secure mode?
>
> Thanks,
> Juan
> [1]
>
> A comma separated list of allowed HTTP Host header values to consider when
> NiFi is running securely and will be receiving requests to a different
> host[:port] than it is bound to. For example, when running in a Docker
> container or behind a proxy (e.g. localhost:18443, proxyhost:443). By
> default, this value is blank meaning NiFi should only allow requests sent
> to the host[:port] that NiFi is bound to.
>
>
>
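
Added example, not part of the original thread and not NiFi's own code: a simplified shell check of whether a given Host header value is covered by a generated nifi.properties, which is a quick way to confirm that NIFI_WEB_PROXY_HOST actually reached nifi.web.proxy.host. It models only the bound nifi.web.https.host[:port] and the nifi.web.proxy.host entries (NiFi also accepts the loopback and container addresses listed in the error above); the two sample property files are constructed.

```shell
#!/bin/sh
# Simplified model of the Host header allow-list (assumption: exact string match).

# Print the last value assigned to KEY in properties FILE (empty if unset).
prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1"
}

# Succeed if HEADER equals the bound https host, host:port,
# or one of the comma separated entries of nifi.web.proxy.host.
host_header_allowed() {
    file=$1; header=$2
    host=$(prop "$file" nifi.web.https.host)
    port=$(prop "$file" nifi.web.https.port)
    proxy=$(prop "$file" nifi.web.proxy.host)
    printf '%s\n' "$host,$host:$port,$proxy" | tr ',' '\n' | tr -d ' ' |
        grep -Fxq -- "$header"
}

# Constructed samples: proxy host left blank vs. set to the public host:port.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/blank.properties" <<'EOF'
nifi.web.https.host=3cdcc5c8b343
nifi.web.https.port=8443
nifi.web.proxy.host=
EOF
cat > "$SAMPLE_DIR/proxy.properties" <<'EOF'
nifi.web.https.host=3cdcc5c8b343
nifi.web.https.port=8443
nifi.web.proxy.host=publichostname:8444, publichostname
EOF

for f in blank proxy; do
    if host_header_allowed "$SAMPLE_DIR/$f.properties" "publichostname:8444"; then
        echo "$f: Host publichostname:8444 accepted"
    else
        echo "$f: Host publichostname:8444 rejected; add it to nifi.web.proxy.host"
    fi
done
```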
