Apache Nifi 2.0 Dockerized running insecure on HTTP

avatar
Explorer

I'm currently trying to get NiFi running in Docker in insecure mode, without TLS enabled. The reason for this is I want to run NiFi with SSL termination upstream and not have to deal with the complications of having to manage truststores and keystores.

By default it seems that even configuring the environment variables for `nifi_web_http_port` and `nifi_web_http_host` will not remove the default configuration for the https port and host.

I've modified the start.sh script for the container to set the http_port and http_host to the expected values and to remove the default values for https_port and https_host. I've also set the configuration `nifi.remote.input.secure` to false. Now on startup NiFi is failing to load a Key Store at ./conf/keystore.p12. Even with TLS seemingly disabled by the means I've found necessary from all other guides on the matter, NiFi is still expecting a keystore?

Has anyone had success with running NiFi 2.0 insecure in Docker?

6 REPLIES

avatar
Explorer

So it turns out if you "unset" the following properties in the start.sh script like so, you are able to run NiFi without TLS:

nifi.security.keystore

nifi.security.keystoreType

nifi.security.truststore

nifi.security.truststoreType
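An added example, not part of the original post or of the NiFi image: the change described above applied to a constructed `nifi.properties` fragment, followed by a check that no TLS property still carries a value. The helper names and the sample values (host `nifi-container`, port 8443, PKCS12) are assumptions; the thread names only the four `nifi.security.*` properties, `nifi.remote.input.secure`, and the HTTP/HTTPS host and port settings.

```shell
#!/bin/sh
# Added example. set_prop, nifi_http_only, tls_leftovers and sample_properties
# are hypothetical helpers, not functions from the NiFi image.

# set_prop FILE KEY VALUE: rewrite "KEY=..." in place, append it if absent.
set_prop() {
    tmp=$(mktemp) || return 1
    awk -F= -v k="$2" -v v="$3" '
        $1 == k { print k "=" v; found = 1; next }
        { print }
        END { if (!found) print k "=" v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# nifi_http_only FILE [HOST] [PORT]: plain HTTP listener, every TLS property blank.
nifi_http_only() {
    set_prop "$1" nifi.web.http.host "${2:-0.0.0.0}" &&
    set_prop "$1" nifi.web.http.port "${3:-8080}" &&
    set_prop "$1" nifi.remote.input.secure false || return 1
    for key in nifi.web.https.host nifi.web.https.port \
               nifi.security.keystore nifi.security.keystoreType \
               nifi.security.truststore nifi.security.truststoreType; do
        set_prop "$1" "$key" "" || return 1
    done
}

# tls_leftovers FILE: print TLS properties that still carry a value (exit 1 if none).
tls_leftovers() {
    grep -E '^nifi\.(web\.https\.(host|port)|security\.(keystore|truststore)(Type)?)=.+' "$1"
}

# Constructed sample input (values are made up for this example).
sample_properties() {
    cat <<'EOF'
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=nifi-container
nifi.web.https.port=8443
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.remote.input.secure=true
EOF
}

f=$(mktemp) && sample_properties > "$f" && nifi_http_only "$f"
tls_leftovers "$f" || echo "no TLS properties left; NiFi will listen on HTTP only"
rm -f "$f"
```

Over plain HTTP NiFi performs no user authentication, so the HTTP port should be reachable only from the TLS-terminating proxy.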

avatar

@anon12345 Just to clarify, presumably this is over and above your modifications to start.sh?

I can't find anywhere that says plain http is supported in 2.0, but I'm ready to give up trying to get https playing nice with traefik, so this whole complication is redundant anyway.

Here's what I've tried:-

```
docker run --rm --name nifi \
  -p 8080:8080 \
  -e NIFI_WEB_HTTP_PORT=8080 \
  -e NIFI_WEB_HTTP_HOST=0.0.0.0 \
  -e NIFI_WEB_HTTPS_PORT= \
  -e NIFI_WEB_HTTPS_HOST= \
  -e NIFI_WEB_PROXY_HOST=localhost:8080 \
  -e NIFI_CLUSTER_IS_NODE=false \
  -e SINGLE_USER_CREDENTIALS_USERNAME=nifi \
  -e SINGLE_USER_CREDENTIALS_PASSWORD=nifipassword \
  -e NIFI_SECURITY_KEYSTORE= \
  -e NIFI_SECURITY_KEYSTOREPASSWD= \
  -e NIFI_SECURITY_KEYPASSWD= \
  -e NIFI_SECURITY_TRUSTSTORE= \
  -e NIFI_SECURITY_TRUSTSTOREPASSWD= \
  apache/nifi:2.0
```

HTTPS still enabled. 🙁

avatar
Explorer

I've found that you have to modify the start.sh script itself rather than relying on passed environment variables. By default it will apply the host name of the container to the https host unless you prevent it from doing so in the start.sh script, which then takes precedence over any http configuration you've done. I'd also try messing with `nifi.remote.input.secure`; I'm uncertain if that is also required to be set to false.

avatar

Thanks for getting back!

Sounds about right then, I'm guessing running http only is unsupported in that case.

Patching start.sh locally is a bit of a non-starter here... bit frustrating unless any of the NiFi folks can weigh in @MattWho @SAMSAL to confirm https is the only way?

Cheers!

avatar
Explorer

If you're using the Docker image it's just a matter of voluming in your customized version of the start.sh or copying it in at image build time. But I can understand not wanting to do that. It should be completely configurable with env variables. It seems like that's how it worked in NiFi 1.X.

avatar
Community Manager

@anon12345 Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @MattWho @SAMSAL who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.


Regards,

Diana Torres,
Community Moderator

