Re: NiFi on AWS EC2

[Dmitry Stepanov]

Make sure you use your full domain name
ec2-3-238-27-220.compute-1.amazonaws.com
David shorten it in his code

On November 8, 2022 5:57:26 p.m. James McMahon <jsmcmah...@gmail.com> wrote:

Thank you, David. I’ve made that change, adding the proxy host specification on the docker command line. I continue to get the same error message. Is it possible I need to indicate my key on the docker command line too?

Related, how can one access nifi.properties and the usual nifi config files, as well as the family of nifi-app.log files and bootstrap.conf, when nifi is running inside a docker container?

Thanks again for sticking with this. I feel like we’re getting closer.
Jim

On Tue, Nov 8, 2022 at 7:31 PM David Handermann <exceptionfact...@apache.org> wrote:

Hi Jim,

Good adjustment on the security group inbound rules.

The error page is the result of NiFi receiving an unexpected HTTP Host header, not matching one of the expected values.

For this to work, it is possible to pass the external DNS name as the value of the NIFI_WEB_PROXY_HOST environment variable. This can be specified in the docker run command as follows:

docker run --name nifi -p 8443:8443 -e NIFI_WEB_PROXY_HOST=ec2...amazonaws.com -d apache/nifi:latest

That will allow NiFi to accept the Host header from the browser, and then present the login screen.

Regards,
David Handermann

On Tue, Nov 8, 2022 at 6:06 PM James McMahon <jsmcmah...@gmail.com> wrote:

Hi David. This is very helpful, thank you. I feel like I am close, but I get an error. My Inbound Rules for my security group now include:

8443 TCP (MyIP)/32
443 TCP (MyIP)/32
22 TCP (MyIP)/32

In my browser - I tried both Edge and Chrome - I use this
URL:
https://ec2-3-238-27-230.compute-1.amazonaws.com:8443
I have also tried with /nifi at the tail end.

I get this error:
System Error

The request contained an invalid host header [ec2-3-238-27-220.compute-1.amazonaws.com:8443] in the request [/]. Check for request manipulation or third-party intercept.

Valid host headers are [empty] or:
127.0.0.1
127.0.0.1:8443
localhost
localhost:8443
[::1]
[::1]:8443
7f661ae687d7
7f661ae687d7:8443
172.17.0.2
172.17.0.2:8443


Does this mean I have formed the URL incorrectly?

I also see that I had to add an exception to permit https. When I created the instance, I created my own pem key pair. It is not signed by any CA. For a self-signed key pair like this, do I need to install a key in my browser security store to avoid adding that exception?

Thank you for helping me get that much closer.
Jim

On Tue, Nov 8, 2022 at 5:13 PM David Handermann <exceptionfact...@apache.org> wrote:

Hi Jim,

Thanks for the reply and additional background.

The instructions are dated March 2021, which is prior to the release of NiFi 1.14.0. In particular, the run command is no longer accurate with the default NiFi container image.

The current Docker Hub instructions [1] show the basic command needed

docker run --name nifi -p 8443:8443 -d apache/nifi:latest

In addition, any references to port 8080 in the AWS Security Group rules should be changed to 8443. The security group rules for port 80 and 18080 should be removed.

The instructions that allow plain HTTP access to NiFi on port 8080 should NEVER be followed, as this exposes unfiltered and unauthenticated access.

Following those changes, it should be possible to access the NiFi UI using the AWS URL:

https://ec2...amazonaws.com:8443

The default installation will generate a username and password, which can be found in the container logs:

docker logs nifi | grep Generated

Regards,
David Handermann

[1] https://hub.docker.com/r/apache/nifi

On Tue, Nov 8, 2022 at 4:00 PM James McMahon <jsmcmah...@gmail.com> wrote:
Hi and thank you, David and Dmitry. In my case I was following this example,

https://joeygoksu.com/software/apache-nifi-on-aws/

which results in NiFi installed within a container. So to answer one of your questions, I don’t yet know how or where to find nifi.properties in the container framework. I don’t seem to have the usual /opt/nifi/….. directories on my ec2 instance. Any idea where I need to look for that?

These ports are open by my security group Inbound Rules: 22 to MyIP, 80, 8080, and 18080 (per the link) to 0.0.0.0/0, 443 to MyIP.

I am able to Putty into my instance as ec2-user with my ppk file, which I created using putty tools from the original pem key pair. When I do putty in, under /opt I find three subdirectories: aws, containerd, and rh. Nothing nifi under any of the three that I can see so far.

I start my docker instance with this command:
docker run —name nifi -p 18080:8080 -d apache/nifi:latest

I can do a ps -ef and see running nifi processes. But I don’t yet know how to get to the nifi logs or properties file.

You mentioned using using localhost to get to the canvas UI. This confuses me. Nifi is running on my EC2 instance - a linux host without a browser. I’m in a browser on my laptop. How would localhost in my browser get me to my EC2 instance running nifi?

This is the URL I’m using in my browser:
http://ec2-3-238-27-220.compute-1.amazonaws.com

(that url changes with each Stop/Start of my instance. I’ve yet to investigate how to get AWS to stop changing that IP, but I know it can be done).

The browser replies with: ec2…….amazonaws refused to connect.

I can ping my laptop IP address from the putty terminal where I am logged in to my instance. I cannot ping the Public DNS of my instance from Powershell on my laptop. Again, that Public DNS is ec2-3-238-27-220.compute-1.amazonaws.com

Any help is much appreciated.
Jim

On Tue, Nov 8, 2022 at 3:03 PM David Handermann <exceptionfact...@apache.org> wrote:

Hi Jim,

NiFi 1.14.0 and following default to HTTPS on port 8443, listening on the localhost address. The nifi.web.https.host can be changed to blank in order to listen on all interfaces, but the default HTTPS setting with authenticated required should be retained.

Can you provide the version of NiFi and some additional details on the nifi.web values from nifi.properties?

Regards,
David Handermann

On Tue, Nov 8, 2022 at 1:54 PM James McMahon <jsmcmah...@gmail.com> wrote:

Has anyone successfully configured NiFi on AWS, and accessed it from a browser on a Windows desktop? I’ve tried following a few links to do this. I’ve verified that my instance security group allows access to 8080 via its inbound rules. I’ve putty’ed into the instance via ssh port 22 to verify that there are no firewall restrictions. But still I get a message to the effect that the server rejected the connection request. Can anyone recommend a link that describes a success path for this?

Thanks in advance for your help.

Jim