Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Running Apache NiFi behind a proxy

Labels (1)
Labels:
avatar
author-rank mgilman author-rank
Rising Star

Created on ‎07-19-2017 01:45 PM

When running Apache NiFi behind a proxy there are a couple of key items to follow during deployment.

1) NiFi is comprised of a number of web applications (web ui, web api, documentation, custom ui's, data viewers, etc). So the mapping needs to be configured for the root path. That way all context paths are passed through accordingly. For instance, if only the /nifi context path was mapped, the custom ui for UpdateAttribute will not work since it's available at /update-attribute-ui-<version>.

2) NiFi's REST API will generate URI's for each component on the graph. Since requests are coming through a proxy, certain elements of the URI's being generated need to be overridden. Without overriding the users will be able to view the dataflow on the canvas but will be unable to in modify existing components. Requests will be attempting to call back directly to NiFi, not through the proxy. The elements of the URI can be overridden by adding the following HTTP headers when the proxy generates the HTTP request to the NiFi instance:

  • X-ProxyScheme - the scheme to use to connect to the proxy
  • X-ProxyHost - the host of the proxy
  • X-ProxyPort - the port the proxy is listening on
  • X-ProxyContextPath - the path configured to map to the NiFi instance

3) If NiFi is running securely, any proxy needs to be authorized to proxy user requests. These can be configured in the NiFi UI through the Global Menu. Once these permissions are in place proxies can begin proxying user request. The end user identity must be relayed in a HTTP header. For example, if the end user sent a request to the proxy, the proxy must authenticate the user. Following this the proxy can send the request to NiFi. In this request an HTTP header should be added as follows. 

X-ProxiedEntitiesChain: <end-user>

If the proxy is configured to send to another proxy, the request to NiFi from the second proxy should contain a header as follows. 

X-ProxiedEntitiesChain: <end-user-identity><proxy-1-identity>
7,293 Views
Comments

Re: Running Apache NiFi behind a proxy

avatar
author-rank daniel_kenshalo
Explorer

Created on ‎10-27-2017 09:08 PM

I'm not sure if this helps but, below is a sample nginx configuration that worked for me. I didn't need the X-ProxyContextPath but t, my requests are still context root of "/nifi". I suspect I'd need the X-ProxyContextPath if my requests were something like, <my-site>/nifi

location /nifi {
            proxy_pass http://<nifi-ip/dns-name>:<nifi-port>/nifi;
            proxy_set_header 'X-ProxyScheme' 'http'; #
            proxy_set_header 'X-ProxyHost' '<external-proxy-ip>';
            proxy_set_header 'X-ProxyPort' '<proxy-ip>';
        }
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements
Version history
Last update:
‎07-19-2017 01:45 PM
Updated by:
Rising Star Rising Star
Contributors