Created 11-25-2024 08:08 AM
I'm currently trying to get Nifi running in docker in the insecure mode without tls enabled. The reason for this is I want to run Nifi with ssl termination upstream and not have to deal with the complications of having to manage truststores and keystores.
By default it seems that even configuring the environment variables for `nifi_web_http_port` and `nifi_web_http_host` will not remove the default configuration for the https port and host.
I've modified the start.sh script for the container to set the http_port and http_host to the expected values and to remove the default values for https_port and https_host. I've also set the configuration `nifi.remote.input.secure` to false. Now on startup Nifi is failing to load a Key Store at ./conf/keystore.p12. Even with TLS seemingly disabled by the means I've found necessary from all other guides on the matter, Nifi is still expecting a keystore?
Has anyone had success with running nifi 2.0 insecure in docker?
Created on 11-25-2024 01:55 PM - edited 11-25-2024 01:56 PM
So it turns out if you "unset" the following properties in the start.sh script like so, you are able to run nifi without tls:
nifi.security.keystore
nifi.security.keystoreType
nifi.security.truststore
nifi.security.truststoreType
Created 12-23-2024 01:35 AM
@anon12345 Just to clarify, presumably this is over and above your modifications to start.sh?
I can't find anywhere that says plain http is supported in 2.0, but I'm ready to give up trying to get https playing nice with traefik, so this whole complication is redundant anyway.
Here's what I've tried:-
```
❯ docker run --rm --name nifi \
    -p 8080:8080 \
    -e NIFI_WEB_HTTP_PORT=8080 \
    -e NIFI_WEB_HTTP_HOST=0.0.0.0 \
    -e NIFI_WEB_HTTPS_PORT= \
    -e NIFI_WEB_HTTPS_HOST= \
    -e NIFI_WEB_PROXY_HOST=localhost:8080 \
    -e NIFI_CLUSTER_IS_NODE=false \
    -e SINGLE_USER_CREDENTIALS_USERNAME=nifi \
    -e SINGLE_USER_CREDENTIALS_PASSWORD=nifipassword \
    -e NIFI_SECURITY_KEYSTORE= \
    -e NIFI_SECURITY_KEYSTOREPASSWD= \
    -e NIFI_SECURITY_KEYPASSWD= \
    -e NIFI_SECURITY_TRUSTSTORE= \
    -e NIFI_SECURITY_TRUSTSTOREPASSWD= apache/nifi:2.0
```
HTTPS still enabled. 🙁
Created 12-23-2024 07:33 AM
I've found that you have to modify the start.sh script itself rather than relying on passed environment variables. By default it will apply the host name of the container to the https host unless you prevent it from doing so in the start.sh script, which then takes precedence over any http configuration you've done. I'd also try messing with `nifi.remote.input.secure`; I'm uncertain if that is also required to be set to false.
Created 12-27-2024 01:21 AM
Created 12-27-2024 10:27 AM
If you're using the docker image it's just a matter of voluming in your customized version of the start.sh or copying it in at image build time. But I can understand not wanting to do that. It should be completely configurable with env variables. It seems like that's how it worked in nifi 1.X
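The property changes described in this thread, collected into one place as an added example (not part of any post above and not the image's own start.sh): it blanks the HTTPS and key store properties named in the thread, enables the HTTP listener, and then checks that no TLS property still holds a value. The helper names and the sample properties file are constructed for illustration; `truststore.p12` and the `PKCS12` values are assumed defaults.

```shell
# Added example; helper names are hypothetical, not from the NiFi image.
# Properties the thread says must be blank for NiFi to start without TLS.
TLS_KEYS="nifi.web.https.port nifi.web.https.host nifi.security.keystore
nifi.security.keystoreType nifi.security.truststore nifi.security.truststoreType"

# set_prop FILE KEY VALUE: replace the line for KEY, or append it if absent.
set_prop() {
  awk -F= -v k="$2" -v v="$3" '
    $1 == k { print k "=" v; found = 1; next }
    { print }
    END { if (!found) print k "=" v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_prop FILE KEY: print the value of KEY (empty if blank or absent).
get_prop() {
  awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# make_http_only FILE PORT HOST: HTTP listener on, HTTPS and key stores blank.
make_http_only() {
  set_prop "$1" nifi.web.http.port "$2"
  set_prop "$1" nifi.web.http.host "$3"
  for k in $TLS_KEYS; do set_prop "$1" "$k" ""; done
  set_prop "$1" nifi.remote.input.secure false
}

# leftover_tls_props FILE: print TLS keys that still hold a value.
# Returns 1 if any are found, so it can gate startup.
leftover_tls_props() {
  rc=0
  for k in $TLS_KEYS; do
    [ -z "$(get_prop "$1" "$k")" ] || { echo "$k"; rc=1; }
  done
  return $rc
}

# write_sample FILE: constructed nifi.properties fragment with TLS enabled.
write_sample() {
  cat > "$1" <<'EOF'
nifi.web.https.host=0.0.0.0
nifi.web.https.port=8443
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.truststore=./conf/truststore.p12
nifi.security.truststoreType=PKCS12
nifi.remote.input.secure=true
EOF
}
```

In a customized start.sh, `make_http_only` would run against the container's nifi.properties before NiFi is launched, with `leftover_tls_props` as a final check that nothing re-populated the HTTPS settings.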
Created 11-25-2024 02:48 PM
@anon12345 Welcome to the Cloudera Community!
To help you get the best possible solution, I have tagged our NiFi experts @MattWho @SAMSAL who may be able to assist you further.
Please keep us updated on your post, and we hope you find a satisfactory solution to your query.
Regards,
Diana Torres,