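Is it possible to use NiFi with user authentication but with SSL termination on NGINX? I am running NGINX on port 443 with a proxy_pass to NiFi on port 8080. I played with the following headers: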
X-ProxyScheme - the scheme to use to connect to the proxy
X-ProxyHost - the host of the proxy
X-ProxyPort - the port the proxy is listening on
X-ProxyContextPath - the path configured to map to the NiFi instance
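But getting NiFi to recognize the https connection behind the proxy seems to be impossible. I updated the authentication configuration, but NiFi still throws the error: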
IllegalStateException: User authentication/authorization is only supported when running over HTTPS.. Returning Conflict response.
java.lang.IllegalStateException: User authentication/authorization is only supported when running over HTTPS
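Basically, relative to NiFi, it is https to nginx rather than to the http port.
Answer 0 (score: 0)
I'm not familiar with NiFi, but on RHEL with nginx the following gives me a reverse proxy with an HTTPS connection terminated at nginx and an onward HTTP connection for /abc_end_point. Maybe you can use it as a template?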
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    root /usr/share/nginx/html;
    ssl_certificate "/etc/pki/tls/certs/abc.com.crt";
    ssl_certificate_key "/etc/pki/tls/private/abc.com.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    proxy_connect_timeout 7d;
    proxy_send_timeout 7d;
    proxy_read_timeout 7d;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
    }
    location /abc_end_point {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:9090/abc_end_point;
    }
}
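Answer 1 (score: 0)
You are trying to set up NiFi with SSL offloading on a reverse proxy (nginx); this kind of setup is not supported. See: http://apache-nifi-users-list.2361937.n4.nabble.com/Nifi-and-SSL-offloading-td7790.html#a7799
I would suggest using TLS (HTTPS) between the reverse proxy and NiFi as well.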
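The re-encryption suggested in the last answer, sketched as an nginx server block. This is an added example, not a configuration posted by any of the participants. The hostnames, the backend port 8443 and all file paths are placeholders, and it assumes NiFi is already configured with its own HTTPS listener and certificate.

```nginx
# Constructed example: hostnames, ports and file paths are placeholders.
server {
    listen 443 ssl;
    server_name nifi.example.com;

    ssl_certificate     /etc/pki/tls/certs/nifi.example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/nifi.example.com.key;

    location / {
        # Setup from the question: TLS ends at nginx and the hop to NiFi is
        # plain HTTP, which NiFi refuses once user authentication is enabled.
        # proxy_pass http://localhost:8080;

        # Re-encrypt to NiFi's HTTPS listener instead (port 8443 is assumed).
        proxy_pass https://nifi-backend.internal:8443;

        # nginx does not verify the upstream certificate unless told to.
        # Pin the CA that issued NiFi's certificate and check the name.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/nifi-ca.pem;
        proxy_ssl_server_name         on;
        proxy_ssl_name                nifi-backend.internal;

        # Headers from the question, describing the proxy as clients see it.
        proxy_set_header X-ProxyScheme https;
        proxy_set_header X-ProxyHost   $host;
        proxy_set_header X-ProxyPort   443;
        # X-ProxyContextPath is only needed when NiFi is mapped under a
        # sub-path of the proxy rather than at "/".

        # NiFi validates the Host header; the public name must be listed in
        # nifi.web.proxy.host in nifi.properties.
        proxy_set_header Host $host;
    }
}
```

With `proxy_ssl_verify on`, a backend certificate that does not chain to the pinned CA or does not match `proxy_ssl_name` makes nginx return 502 instead of silently forwarding traffic to an unverified host.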