question Re: Apache Nifi 2.0 Dockerized running insecure on HTTP in Support Questions

Apache Nifi 2.0 Dockerized running insecure on HTTP

anon12345 — Mon, 25 Nov 2024 16:08:53 GMT

I'm currently trying to get Nifi running in docker in the insecure mode without tls enabled. The reason for this is I want to run Nifi with ssl termination upstream and not have to deal with the complications of having to manage truststores and keystores.

By default it seems that even configuring the environment variables for `nifi_web_http_port` and `nifi_web_http_host` will not remove the default configuration for the https port and host.

I've modified the start.sh script for the container to set the http_port and http_host to be the expected values and removing the default values for https_port and https_host. I've also set the configuration `nifi.remote.input.secure` to be false. Now on startup Nifi failing to load a Key Store at ./conf/keystore.p12. Even with tls seemingly disabled by the means I've found necessary from all other guides on the matter Nifi is still expecting a keystore?

Has anyone had success with running nifi 2.0 insecure in docker?

Re: Apache Nifi 2.0 Dockerized running insecure on HTTP

anon12345 — Mon, 25 Nov 2024 21:56:14 GMT

So it turns out if you "unset" the following properties in the start.sh script like so, you are able to run nifi without tls

nifi.security.keystore

nifi.seucrity.keystoreType

nifi.security.truststore

nifi.security.truststoreType

Re: Apache Nifi 2.0 Dockerized running insecure on HTTP

DianaTorres — Mon, 25 Nov 2024 22:48:47 GMT

@anon12345 Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @MattWho @SAMSAL who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.

Re: Apache Nifi 2.0 Dockerized running insecure on HTTP

gavingilmour — Mon, 23 Dec 2024 09:35:03 GMT

@anon12345 Just to clarify, presumably is this over and above your modifications to start.sh?

I can't find anywhere that says plain http is supported in 2.0, but I'm ready to give up trying to get https playing nice with traefik, so this whole complication is redundant anyway.

Here's what I've tried:-

❯ docker run --rm --name nifi \
-p 8080:8080 \
-e NIFI_WEB_HTTP_PORT=8080 \
-e NIFI_WEB_HTTP_HOST=0.0.0.0 \
-e NIFI_WEB_HTTPS_PORT= \
-e NIFI_WEB_HTTPS_HOST= \ 
-e NIFI_WEB_PROXY_HOST=localhost:8080 \
-e NIFI_CLUSTER_IS_NODE=false \
-e SINGLE_USER_CREDENTIALS_USERNAME=nifi \
-e SINGLE_USER_CREDENTIALS_PASSWORD=nifipassword \
-e NIFI_SECURITY_KEYSTORE= \
-e NIFI_SECURITY_KEYSTOREPASSWD= \
-e NIFI_SECURITY_KEYPASSWD= \
-e NIFI_SECURITY_TRUSTSTORE= \
-e NIFI_SECURITY_TRUSTSTOREPASSWD= apache/nifi:2.0

HTTPS still enabled. 🙁

Re: Apache Nifi 2.0 Dockerized running insecure on HTTP

anon12345 — Mon, 23 Dec 2024 15:33:23 GMT

I've found that you have to modify the start.sh script itself rather than relying on passed environment variables. By default it will apply the host name of the container to the https host unless you prevent it from doing so in the start.sh script. Which then takes precedent over any http configuration you've done. I'd also try messing with `nifi.remote.input.secure` I'm uncertain if that is also required to be set to false

Re: Apache Nifi 2.0 Dockerized running insecure on HTTP

gavingilmour — Fri, 27 Dec 2024 09:21:47 GMT

Thanks for getting back!

Sounds about right then, I'm guessing running http only is unsupported in that case.

Patching start.sh locally is a bit of a non starter here.. bit frustrating unless any of the nifi folks can weigh in @MattWho @SAMSAL to confirm https is the only way?

Cheers!

Re: Apache Nifi 2.0 Dockerized running insecure on HTTP

anon12345 — Fri, 27 Dec 2024 18:27:07 GMT

If you're using the docker image it's just a matter of voluming in your customized version of the start.sh or copying it in at image build time. But I can understand not wanting to do that. It should be completely configurable with env variables. It seems like that's how it worked in nifi 1.X

Re: Apache Nifi 2.0 Dockerized running insecure on HTTP

Tiger_Name — Wed, 22 Jan 2025 15:03:06 GMT

Hi @anon12345 ,

Where you able to disable HTTPS secure connection , without the need for modifying docker image ...?

If you were able to do , please do brief on the steps ..
Facing the same issue on M4 Version of Nifi .

Re: Apache Nifi 2.0 Dockerized running insecure on HTTP

MattWho — Wed, 22 Jan 2025 16:42:20 GMT

@anon12345

Yes, you need to unset the keystore and truststore properties because NiFi will still attempt to load them even if HTTPS properties are unset. This is by design because NiFi can act as a client and as a client it may attempt to connect to secured endpoints where NiFi would use this keystore and trustore. So ay property configured in nifi.properties will be loaded, so they need to be unset or have valid values set.

For example:
NiFi's Site-To-Site capability. A unsecure NiFi configured with a valid keystore and truststore can have a Remote Process Group configured to connect to a Remote port on another secured NiFi.

Please help our community thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Re: Apache Nifi 2.0 Dockerized running insecure on HTTP

Alf015 — Fri, 31 Jan 2025 12:42:25 GMT

Based on the initial input in the question, slightly adapted
the following seems to work for me (1.27.0)

docker run --rm --name nifi -p 8080:8080 \
-e NIFI_WEB_HTTP_PORT=8080 \
-e NIFI_WEB_HTTPS_PORT= \
-e NIFI_WEB_HTTPS_HOST= \
-e NIFI_SECURITY_KEYSTORE= \
-e NIFI_SECURITY_KEYSTOREPASSWD= \
-e NIFI_SECURITY_KEYPASSWD= \
-e NIFI_SECURITY_TRUSTSTORE= \
-e NIFI_SECURITY_TRUSTSTOREPASSWD= \
apache/nifi:1.27.0

---

--- from container

nifi@xxxxxxxxxxxx:/opt/nifi/nifi-toolkit-current/bin$ ./cli.sh
_ ___ _
Apache (_) .' ..](_) ,
_ .--. __ _| |_ __ )\
[ `.-. | [ |'-| |-'[ | / \
| | | | | | | | | | ' '
[___||__][___][___] [___]', ,'
`'
CLI v1.27.0

Type 'help' to see a list of available commands, use tab to auto-complete.

Session loaded from /home/nifi/.nifi-cli.config

#> nifi get-root-id

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx