If you’re authenticating with 2-way SSL you’ll have to set up your load balancer 
to directly pass the TCP traffic through. Otherwise NiFi doesn’t see the user’s 
cert. NiFi doesn’t currently support getting the SSL cert name from an HTTP 
header like some other systems do. Usually if you’re using an HTTP load balancer 
you’d authenticate with SSO (SAML or OIDC) or LDAP (username/password).

Thanks
Shawn
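The two load-balancer modes Shawn contrasts above, written out as an added illustration that is not part of the thread. It uses nginx syntax because the Citrix ADC configuration is not shown on the page; the NiFi node address, certificate paths and upstream names are assumptions, the hostname is the one from the thread.

```nginx
# Added illustration (not from the thread): the two proxy modes discussed above,
# expressed in nginx syntax. Addresses, upstream names and file paths are assumed.

# Mode 1: TCP passthrough. TLS terminates on NiFi itself, so the client's
# certificate reaches NiFi intact and 2-way SSL keeps working unchanged.
stream {
    upstream nifi_tls {
        server 10.0.0.11:9443;   # assumed NiFi node address
    }
    server {
        listen 9443;
        proxy_pass nifi_tls;     # raw bytes forwarded, no TLS termination here
    }
}

# Mode 2: HTTP(S) load balancing. TLS terminates on the proxy, so NiFi never sees
# the user's certificate; users must authenticate via SAML, OIDC or LDAP instead.
# NiFi also expects the proxy to announce itself with the X-Proxy* headers and
# to be listed in nifi.properties (nifi.web.proxy.host), otherwise requests whose
# Host header names the proxy instead of the node are rejected.
http {
    upstream nifi_http {
        server 10.0.0.11:9443;   # assumed NiFi node address (HTTPS listener)
    }
    server {
        listen 443 ssl;
        server_name nifiprod.oururl.com;                # hostname from the thread
        ssl_certificate     /etc/nginx/tls/proxy.crt;   # assumed path
        ssl_certificate_key /etc/nginx/tls/proxy.key;   # assumed path

        location / {
            proxy_pass https://nifi_http;
            # Headers NiFi reads to rebuild the externally visible URL
            proxy_set_header X-ProxyHost     $host;
            proxy_set_header X-ProxyPort     $server_port;
            proxy_set_header X-ProxyScheme   $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

# Matching nifi.properties entry on the NiFi node so it accepts the proxied
# Host header (value assumed to match the server_name above):
#   nifi.web.proxy.host=nifiprod.oururl.com:443
```

Mode 1 preserves certificate-based authentication but leaves the balancer unable to inspect or route on HTTP; mode 2 gives HTTP-level control but requires the alternative login provider and the proxy whitelist, and a mismatch there is one thing the nifi-user.log hints mentioned later in the thread would show.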

From: Jens M. Kofoed <[email protected]>
Sent: Tuesday, October 19, 2021 1:16 AM
To: [email protected]
Subject: Re: Nifi and Registry behind Citrix ADC.

Only if you want other ways to authenticate users. I have set up our NiFi 
systems to talk with our MS AD via LDAPS, and defined different AD groups which 
in NiFi have different policy rules. Some people can manage everything, others 
can only start/stop specific processors in specific process groups.
Using personal certificates is no problem; I have some admins who also use 
their personal certificates. But with certificates you would have to add and 
manage users manually in NiFi. Users can of course be added to internal 
groups in NiFi and policies configured for groups.

Regards
Jens

On Tue. 19 Oct 2021 at 07:43, Jakobsson Stefan <[email protected]> wrote:
We are currently authenticating with personal certificates, should we change 
that then?

Stefan Jakobsson

Systems Manager  |  Scania IT, IKCA |  Scania CV AB
Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
Forskargatan 20, SE-151 87 Södertälje, Sweden
[email protected]

From: Shawn Weeks <[email protected]>
Sent: 18 October 2021 21:35
To: [email protected]
Subject: RE: Nifi and Registry behind Citrix ADC.

Unless you’re operating the LB in TCP Mode you’ll need to configure NiFi to use 
an alternative authentication method like SAML, LDAP, OIDC, etc. You’ll also 
need to make sure that your proxy is passing the various HTTP headers through 
to NiFi and that NiFi is expecting traffic from a proxy. If you look in the 
nifi-user.log and nifi-app.log there might be some hints about what it didn’t 
like.

Thanks
Shawn

From: Jakobsson Stefan <[email protected]>
Sent: Monday, October 18, 2021 2:26 PM
To: [email protected]
Subject: RE: Nifi and Registry behind Citrix ADC.

Ahh, no, ADC as in application delivery and load balancing 😊

Stefan Jakobsson

Systems Manager  |  Scania IT, IKCA |  Scania CV AB
Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
Forskargatan 20, SE-151 87 Södertälje, Sweden
[email protected]

From: Lehel Boér <[email protected]>
Sent: 18 October 2021 15:03
To: [email protected]
Subject: Re: Nifi and Registry behind Citrix ADC.

Hi Stefan,

Please disregard my prior response. The name misled me; I discovered ADC is 
not the same as Active Directory.

Kind Regards,
Lehel Boér

Lehel Boér <[email protected]> wrote (on 18 Oct 2021, Mon, 14:54):
Hi Stefan,

Have you tried setting up NiFi with an LDAP provider? Here are a few useful 
links.

- https://docs.cloudera.com/HDPDocuments/HDF3/HDF-3.4.1.1/nifi-security/content/ldap_login_identity_provider.html
- https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap

Kind Regards,
Lehel Boér

Jakobsson Stefan <[email protected]> wrote (on 18 Oct 2021, Mon, 13:02):
Hello,

I have some issues trying to run NiFi and NiFi Registry behind an ADC. The 
reason for this is that we need NiFi to be accessible from AWS onto our on-prem 
NiFi installation due to demands from our IT sec department.

Anyhow, I can connect to NiFi Registry on the server’s ipconfig (i.e. 
x.x.x.x:9443/nifi-registry) without problems, but if I try to use the URL set up 
in the ADC with 9443 redirected to the NiFi server’s IP we get an error saying:

This page isn’t working
nifiprod.oururl.com didn’t send any data.
ERR_EMPTY_RESPONSE

Does anyone have any ideas what I should start looking at? I set the https.host 
to 0.0.0.0 in nifi-registry.conf.

Stefan Jakobsson

Systems Manager  |  Scania IT, IKCA |  Scania CV AB
Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
Forskargatan 20, SE-151 87 Södertälje, Sweden
[email protected]
