Hi Jim, Good adjustment on the security group inbound rules.
The error page is the result of NiFi receiving an unexpected HTTP Host header, not matching one of the expected values. For this to work, it is possible to pass the external DNS name as the value of the NIFI_WEB_PROXY_HOST environment variable. This can be specified in the docker run command as follows: docker run --name nifi -p 8443:8443 -e NIFI_WEB_PROXY_HOST=ec2... amazonaws.com -d apache/nifi:latest That will allow NiFi to accept the Host header from the browser, and then present the login screen. Regards, David Handermann On Tue, Nov 8, 2022 at 6:06 PM James McMahon <jsmcmah...@gmail.com> wrote: > Hi David. This is very helpful, thank you. I feel like I am close, but I > get an error. My Inbound Rules for my security group now include: > 8443 TCP (MyIP)/32 > 443 TCP (MyIP)/32 > 22 TCP (MyIP)/32 > > In my browser - I tried both Edge and Chrome - I use this > URL: > https://ec2-3-238-27-230.compute-1.amazonaws.com:8443 > I have also tried with /nifi at the tail end. > > I get this error: > > *System Error* > > *The request contained an invalid host header > [ec2-3-238-27-220.compute-1.amazonaws.com:8443 > <http://ec2-3-238-27-220.compute-1.amazonaws.com:8443/>] in the request > [/]. Check for request manipulation or third-party intercept.* > > *Valid host headers are [empty] or:* > > - *127.0.0.1* > - *127.0.0.1:8443 <http://127.0.0.1:8443/>* > - *localhost* > - *localhost:8443* > - *[::1]* > - *[::1]:8443* > - *7f661ae687d7* > - *7f661ae687d7:8443* > - *172.17.0.2* > - *172.17.0.2:8443 <http://172.17.0.2:8443/>* > > > Does this mean I have formed the URL incorrectly? > > I also see that I had to add an exception to permit https. When I created > the instance, I created my own pem key pair. It is not signed by any CA. > For a self-signed key pair like this, do I need to install a key in my > browser security store to avoid adding that exception? > > Thank you for helping me get that much closer. > Jim > > On Tue, Nov 8, 2022 at 5:13 PM David Handermann < > exceptionfact...@apache.org> wrote: > >> Hi Jim, >> >> Thanks for the reply and additional background. >> >> The instructions are dated March 2021, which is prior to the release of >> NiFi 1.14.0. In particular, the run command is no longer accurate with the >> default NiFi container image. >> >> The current Docker Hub instructions [1] show the basic command needed >> >> docker run --name nifi -p 8443:8443 -d apache/nifi:latest >> >> In addition, any references to port 8080 in the AWS Security Group rules >> should be changed to 8443. The security group rules for port 80 and 18080 >> should be removed. >> >> The instructions that allow plain HTTP access to NiFi on port 8080 should >> NEVER be followed, as this exposes unfiltered and unauthenticated access. >> >> Following those changes, it should be possible to access the NiFi UI >> using the AWS URL: >> >> https://ec2...amazonaws.com:8443 >> >> The default installation will generate a username and password, which can >> be found in the container logs: >> >> docker logs nifi | grep Generated >> >> Regards, >> David Handermann >> >> [1] https://hub.docker.com/r/apache/nifi >> >> On Tue, Nov 8, 2022 at 4:00 PM James McMahon <jsmcmah...@gmail.com> >> wrote: >> >>> Hi and thank you, David and Dmitry. In my case I was following this >>> example, >>> >>> https://joeygoksu.com/software/apache-nifi-on-aws/ >>> >>> which results in NiFi installed within a container. So to answer one of >>> your questions, I don’t yet know how or where to find nifi.properties in >>> the container framework. I don’t seem to have the usual /opt/nifi/….. >>> directories on my ec2 instance. Any idea where I need to look for that? >>> >>> These ports are open by my security group Inbound Rules: 22 to MyIP, 80, >>> 8080, and 18080 (per the link) to 0.0.0.0/0, 443 to MyIP. >>> >>> I am able to Putty into my instance as ec2-user with my ppk file, which >>> I created using putty tools from the original pem key pair. When I do putty >>> in, under /opt I find three subdirectories: aws, containerd, and rh. >>> Nothing nifi under any of the three that I can see so far. >>> >>> I start my docker instance with this command: >>> docker run —name nifi -p 18080:8080 -d apache/nifi:latest >>> >>> I can do a ps -ef and see running nifi processes. But I don’t yet know >>> how to get to the nifi logs or properties file. >>> >>> You mentioned using using localhost to get to the canvas UI. This >>> confuses me. Nifi is running on my EC2 instance - a linux host without a >>> browser. I’m in a browser on my laptop. How would localhost in my browser >>> get me to my EC2 instance running nifi? >>> >>> This is the URL I’m using in my browser: >>> http://ec2-3-238-27-220.compute-1.amazonaws.com >>> (that url changes with each Stop/Start of my instance. I’ve yet to >>> investigate how to get AWS to stop changing that IP, but I know it can be >>> done). >>> >>> The browser replies with: ec2…….amazonaws refused to connect. >>> >>> I can ping my laptop IP address from the putty terminal where I am >>> logged in to my instance. I cannot ping the Public DNS of my instance from >>> Powershell on my laptop. Again, that Public DNS is >>> ec2-3-238-27-220.compute-1.amazonaws.com >>> >>> Any help is much appreciated. >>> Jim >>> >>> >>> >>> On Tue, Nov 8, 2022 at 3:03 PM David Handermann < >>> exceptionfact...@apache.org> wrote: >>> >>>> Hi Jim, >>>> >>>> NiFi 1.14.0 and following default to HTTPS on port 8443, listening on >>>> the localhost address. The nifi.web.https.host can be changed to blank in >>>> order to listen on all interfaces, but the default HTTPS setting with >>>> authenticated required should be retained. >>>> >>>> Can you provide the version of NiFi and some additional details on the >>>> nifi.web values from nifi.properties? >>>> >>>> Regards, >>>> David Handermann >>>> >>>> On Tue, Nov 8, 2022 at 1:54 PM James McMahon <jsmcmah...@gmail.com> >>>> wrote: >>>> >>>>> Has anyone successfully configured NiFi on AWS, and accessed it from a >>>>> browser on a Windows desktop? I’ve tried following a few links to do this. >>>>> I’ve verified that my instance security group allows access to 8080 via >>>>> its >>>>> inbound rules. I’ve putty’ed into the instance via ssh port 22 to verify >>>>> that there are no firewall restrictions. But still I get a message to the >>>>> effect that the server rejected the connection request. Can anyone >>>>> recommend a link that describes a success path for this? >>>>> Thanks in advance for your help. >>>>> Jim >>>>> >>>>
