Nifi on docker behind nginx processor configure not opening
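Followed the guide (https://michalklempa.com/2019/04/nifi-registry-nginx-proxy-tls-basic-auth/) to set up nginx basic authentication, but instead of setting up the proxy for nifi-registry I set it up for nifi. Auth is working and the page is accessible, but the processor configure window somehow does not open. The problem is caused by nginx, because accessing nifi directly through the port exposed over HTTP works, just not behind the nginx proxy.
Below is the configuration I used: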
server {
    listen 9988 ssl;
    root /usr/share/nginx/html;
    index index.html;
    server_name _;
    ssl_certificate /etc/nginx/server_cert.pem;
    ssl_certificate_key /etc/nginx/server_key.pem;
    ssl_client_certificate /etc/nginx/client_cert.pem;
    ssl_verify_client optional;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # enables server-side protection from BEAST attacks
    ssl_prefer_server_ciphers on;
    # Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
    # -!MEDIUM:exclude encryption cipher suites using 128 bit encryption.
    # -!LOW: exclude encryption cipher suites using 64 or 56 bit encryption algorithms
    # -!EXPORT: exclude export encryption algorithms including 40 and 56 bits algorithms.
    # -!aNULL: exclude the cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms.
    # These cipher suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.
    # -!eNULL:exclude the "NULL" ciphers that is those offering no encryption.
    # Because these offer no encryption at all and are a security risk they are disabled unless explicitly included.
    # @STRENGTH:sort the current cipher list in order of encryption algorithm key length.
    location / {
        if ($ssl_client_verify = SUCCESS) {
            set $auth_basic off;
        }
        if ($ssl_client_verify != SUCCESS) {
            set $auth_basic "Restricted Content. Please provide Nifi Authentication:";
        }
        auth_basic $auth_basic;
        auth_basic_user_file /etc/nginx/nginx.htpasswd;
        proxy_pass http://172.18.0.77:8181/; # actual container ip/port of nifi
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-User $remote_user;
        proxy_set_header Authorization "";
        proxy_set_header X-ProxyScheme $scheme;
        proxy_set_header X-ProxyHost $hostname;
        proxy_set_header X-ProxyPort $server_port;
        proxy_set_header X-ProxyContextPath "/";
    }
}
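I tried passing the container IP of nifi/host/nginx for X-ProxyHost, but instead of immediately giving "Unable to communicate with nifi" it spun for a while and eventually gave the same error. What needs to be modified here? Any help would be appreciated.
nginx noob here!
After fiddling with multiple ip/hostname combinations many times, I was able to fix it with the following configuration changes.
Had to add the nifi env properties to docker-compose: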
environment:
- NIFI_REMOTE_INPUT_HOST=<private ip of nifi container e.g. 172.18.0.77>
- NIFI_WEB_PROXY_CONTEXT_PATH=/
- NIFI_WEB_HTTP_HOST=<private ip of nifi container>
- NIFI_WEB_HTTP_PORT=8181
For the nginx configuration: change the proxy_set_header to "localhost" (because the nginx server needs to define proxyHost as the loopback server):
proxy_set_header X-ProxyHost localhost;
Hope this helps those scratching their heads in the same boat :)
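An added example, not part of the original post or of NiFi's own code: a small lint that resolves the X-Proxy* headers from the question's nginx block and compares them with the address the browser actually uses, assuming NiFi builds the URIs it returns from those headers. The nginx machine name `3f2a9c1b7d4e` and the browser URL `https://localhost:9988/nifi/` used when calling it are constructed sample values.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the listen line and X-Proxy* headers from the question's config.
QUESTION_CONF = """
listen 9988 ssl;
proxy_set_header X-ProxyScheme $scheme;
proxy_set_header X-ProxyHost $hostname;
proxy_set_header X-ProxyPort $server_port;
proxy_set_header X-ProxyContextPath "/";
"""

def proxy_headers(conf, nginx_hostname, browser_host):
    """Resolve the X-Proxy* header values nginx would send upstream for one request."""
    listen = re.search(r"^\s*listen\s+(\d+)([^;]*);", conf, re.M)
    port, is_tls = listen.group(1), "ssl" in listen.group(2).split()
    variables = {
        "$scheme": "https" if is_tls else "http",
        "$server_port": port,
        "$hostname": nginx_hostname,  # machine name of the nginx host or container
        "$host": browser_host,        # host name taken from the client request
    }
    headers = {}
    for name, value in re.findall(
            r"^\s*proxy_set_header\s+(X-Proxy\w+)\s+([^;]+);", conf, re.M):
        value = value.strip().strip('"')
        headers[name] = variables.get(value, value)
    return headers

def lint(conf, browser_url, nginx_hostname, nifi_context_path):
    """List every X-Proxy* value that differs from what the browser connects to."""
    url = urlsplit(browser_url)
    sent = proxy_headers(conf, nginx_hostname, url.hostname)
    default_port = {"https": 443, "http": 80}[url.scheme]
    expected = {"X-ProxyScheme": url.scheme, "X-ProxyHost": url.hostname,
                "X-ProxyPort": str(url.port or default_port)}
    findings = [f"{k}: sends {sent.get(k)!r}, browser uses {v!r}"
                for k, v in expected.items() if sent.get(k) != v]
    # Assumption: NIFI_WEB_PROXY_CONTEXT_PATH must list the path sent in the header.
    if sent.get("X-ProxyContextPath") != nifi_context_path:
        findings.append("X-ProxyContextPath differs from NIFI_WEB_PROXY_CONTEXT_PATH")
    return findings
```

Run against the question's block it reports only the X-ProxyHost mismatch; with the header set to `localhost` as in the answer, and the browser also using `localhost`, it reports nothing.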