Dockerized Secure NiFi Instance

maebert — Wed, 18 Dec 2019 20:55:16 GMT

I have an EC2 instance running with the IPv4 Public IP 11.111.111.111.

The first thing I tried was to get NiFi running.

docker run --name nifi-standalone\ -p 8080:8080 \ -d \ apache/nifi:latest

At 11.111.111.111.111:8080/nifi/ I can reach NiFi. Great.

Now I wanted to setup a secure NiFi instance.

Step 1: Create certificates with the toolkit.

./bin/tls-toolkit.sh standalone -n '11.111.111.111' -C 'CN=admin,OU=nifi' -B SuperSecretPassword -o './standalone'

Step 2: Move keystore.jks and truststore.jks into a specific folder (here /home/ec2-user/project/nifi-standalone/certs).

Scenario 1: set NIFI_WEB_HTTP_HOST

I run the following docker command.

docker run --name nifi-ssl \ -v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \ -v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \ -p 8443:8443 \ -e NIFI_WEB_HTTPS_HOST=11.111.111.111 \ -e AUTH=tls \ -e KEYSTORE_PATH=/opt/certs/keystore.jks \ -e KEYSTORE_TYPE=JKS \ -e KEYSTORE_PASSWORD=passwordFROMnifi.properties \ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \ -e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \ -e TRUSTSTORE_TYPE=JKS \ -e INITIAL_ADMIN_IDENTITY='CN=admin,OU=nifi' \ -d \ apache/nifi:latest

Note: I read the passwords for the keystore and truststore directly from the nifi.properties file that the toolkit creates.

Unfortunately the container shuts down because of

2019-12-18 20:18:29,400 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
java.io.IOException: Failed to bind to.../11.111.111.111:8443

Scenario 2: unset NIFI_WEB_HTTP_HOST

I run the following docker command.

docker run --name nifi-ssl \ -v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \ -v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \ -p 8443:8443 \ -e AUTH=tls \ -e KEYSTORE_PATH=/opt/certs/keystore.jks \ -e KEYSTORE_TYPE=JKS \ -e KEYSTORE_PASSWORD=passwordFROMnifi.properties \ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \ -e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \ -e TRUSTSTORE_TYPE=JKS \ -e INITIAL_ADMIN_IDENTITY='CN=admin,OU=nifi' \ -d \ apache/nifi:latest

Now the jetty server starts:

2019-12-18 20:34:23,104 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
2019-12-18 20:34:23,104 INFO [main] org.apache.nifi.web.server.JettyServer https://d592fc9f7974:8443/nifi

As I saw the host d592fc9f7974 looks unexpected. https://d592fc9f7974:8443/nifi is unavailable. Next attempt https://11.111.111.111:8443/nifi.

Result:

System Error

The request contained an invalid host header [11.111.111.111:8443] in the request [/nifi]. Check for request manipulation or third-party intercept.

Valid host headers are [empty] or:

127.0.0.1
127.0.0.1:8443
localhost
localhost:8443
[::1]
[::1]:8443
d592fc9f7974
d592fc9f7974:8443
172.17.0.2
172.17.0.2:8443

Re: Dockerized Secure NiFi Instance

maebert — Thu, 19 Dec 2019 09:40:43 GMT

Solution:

docker run --name nifi-ssl \ -v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \ -v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \ -p 8080:8443 \ -e NIFI_WEB_PROXY_HOST=11.111.111.111:8080 \ -e AUTH=tls \ -e KEYSTORE_PATH=/opt/certs/keystore.jks \ -e KEYSTORE_TYPE=JKS \ -e KEYSTORE_PASSWORD=passwordFROMnifi.properties \ -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \ -e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \ -e TRUSTSTORE_TYPE=JKS \ -e INITIAL_ADMIN_IDENTITY='CN=admin, OU=nifi' \ -d \ apache/nifi:latest

question Re: Dockerized Secure NiFi Instance in Support Questions

Dockerized Secure NiFi Instance

System Error

The request contained an invalid host header [11.111.111.111:8443] in the request [/nifi]. Check for request manipulation or third-party intercept.

Re: Dockerized Secure NiFi Instance