question HTTP ERROR 400 Invalid SNI When Accessing NiFi Through Nginx Reverse Proxy in Docker in Support Questions

HTTP ERROR 400 Invalid SNI When Accessing NiFi Through Nginx Reverse Proxy in Docker

Ghilani — Wed, 13 Mar 2024 04:11:22 GMT

I have set up Apache NiFi in a Docker container and am using Nginx as a reverse proxy to handle SSL termination. However, when I try to access the NiFi UI through the custom domain configured in Nginx, I receive an "HTTP ERROR 400 Invalid SNI" message.

Below is my Docker Compose configuration:

version: '3' services: nifi: build: context: . dockerfile: Dockerfile ports: - "8443:8443" volumes: - nifi-data:/opt/nifi/nifi-current nginx: image: nginx:latest volumes: - ./nginx.conf:/etc/nginx/nginx.conf - ./sslcert:/etc/nginx/sslcert ports: - "80:80" - "443:443" depends_on: - nifi volumes: nifi-data:

And here is the relevant part of my nginx.conf:

events {} http { server { listen 80; server_name nifi.xxx-xxx-python-mps; return 301 https://$host$request_uri; } server { listen 443 ssl; server_name nifi.xxx-xxx-python-mps; ssl_certificate /etc/nginx/sslcert/nifi.xxx-xxx-python-mps.pem; ssl_certificate_key /etc/nginx/sslcert/nifi.xxx-xxx-python-mps-key.pem; location / { proxy_pass https://nifi:8443; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering off; } } }

The SSL certificate is self-signed and generated specifically for the domain nifi.my-custom-domain. When accessing the NiFi UI, I encounter the following error:

HTTP ERROR 400 Invalid SNI URI: https://nifi.iyed-netze-python-mps/nifi/ STATUS: 400 MESSAGE: Invalid SNI CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI Caused by: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI at org.eclipse.jetty.server.SecureRequestCustomizer.checkSni(SecureRequestCustomizer.java:229) at org.eclipse.jetty.server.SecureRequestCustomizer.newSecureRequest(SecureRequestCustomizer.java:208) at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:197) at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:587) at org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:424) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99) at org.eclipse.jetty.io.ssl.SslConnection$1.run(SslConnection.java:136) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:971) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1201) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1156) at java.base/java.lang.Thread.run(Thread.java:1583)

What might be causing the "Invalid SNI" error in this setup? How can I troubleshoot this issue further? PS: I have added the custom domain to etc/hosts, and it works for routing to localhost

Re: HTTP ERROR 400 Invalid SNI When Accessing NiFi Through Nginx Reverse Proxy in Docker

marcelo225 — Thu, 06 Feb 2025 11:31:45 GMT

Hi!
I didn't use nginx as reverse proxy, but you need create your certificates using nifi-toolkit like this:

tls-toolkit.sh standalone -n "localhost" --clientCertDn "CN=localhost, OU=NIFI" --subjectAlternativeNames 'nifi' --keyStorePassword changeit --trustStorePassword changeit -o nifi/certs -O

--hostnames Param -> You can access by browser typing http://localhost:8443/nifi as external address;
--subjectAlternativeNames -> Comma-separated list of domains to use as Subject Alternative Names in the certificate. In your case, including "nifi". Any docker containers can access nifi using "https://nifi:8443/" as internal address.

just to reinforce, include "hostname: nifi" in your docker-compose.yml file.

I hope it helps you!

Re: HTTP ERROR 400 Invalid SNI When Accessing NiFi Through Nginx Reverse Proxy in Docker

MattWho — Thu, 06 Feb 2025 13:30:37 GMT

@Ghilani

The Invalid SNI is caused by the server certificate presented in the TLS exchange not containing a SubjectAlternativeName (SAN) matching the hostname in the request URL.

Valid SAN entries are required by the latest version of Java.

The solution is to issue new certificates for your NiFi instance(s) that contain all possible SANs used when connecting to the NiFi.

So you should have a SAN entry for you NiFi hostname as well as any alternative names used in connection URLs like "nifi" coming form your proxy to NiFi.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt