Dockerized Secure NiFi Instance

I have an EC2 instance running with the IPv4 Public IP 11.111.111.111. 

The first thing I tried was to get NiFi running.

docker run --name nifi-standalone \
  -p 8080:8080 \
  -d \
  apache/nifi:latest

At 11.111.111.111:8080/nifi/ I can reach NiFi. Great.

Now I wanted to set up a secure NiFi instance.

Step 1: Create certificates with the toolkit.

./bin/tls-toolkit.sh standalone -n '11.111.111.111' -C 'CN=admin,OU=nifi' -B SuperSecretPassword -o './standalone'

Step 2: Move keystore.jks and truststore.jks into a specific folder (here /home/ec2-user/project/nifi-standalone/certs).

Scenario 1: set NIFI_WEB_HTTP_HOST

I run the following docker command.

docker run --name nifi-ssl \
  -v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \
  -v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \
  -p 8443:8443 \
  -e NIFI_WEB_HTTPS_HOST=11.111.111.111 \
  -e AUTH=tls \
  -e KEYSTORE_PATH=/opt/certs/keystore.jks \
  -e KEYSTORE_TYPE=JKS \
  -e KEYSTORE_PASSWORD=passwordFROMnifi.properties  \
  -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
  -e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \
  -e TRUSTSTORE_TYPE=JKS \
  -e INITIAL_ADMIN_IDENTITY='CN=admin,OU=nifi' \
  -d \
  apache/nifi:latest

Note: I read the passwords for the keystore and truststore directly from the nifi.properties file that the toolkit creates.

Unfortunately the container shuts down because of

2019-12-18 20:18:29,400 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
java.io.IOException: Failed to bind to.../11.111.111.111:8443

Scenario 2: unset NIFI_WEB_HTTP_HOST

I run the following docker command.

docker run --name nifi-ssl \
  -v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \
  -v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \
  -p 8443:8443 \
  -e AUTH=tls \
  -e KEYSTORE_PATH=/opt/certs/keystore.jks \
  -e KEYSTORE_TYPE=JKS \
  -e KEYSTORE_PASSWORD=passwordFROMnifi.properties  \
  -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
  -e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \
  -e TRUSTSTORE_TYPE=JKS \
  -e INITIAL_ADMIN_IDENTITY='CN=admin,OU=nifi' \
  -d \
  apache/nifi:latest

Now the Jetty server starts:

2019-12-18 20:34:23,104 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
2019-12-18 20:34:23,104 INFO [main] org.apache.nifi.web.server.JettyServer https://d592fc9f7974:8443/nifi

As I saw, the host d592fc9f7974 looks unexpected. https://d592fc9f7974:8443/nifi is unavailable. Next attempt: https://11.111.111.111:8443/nifi.

Result: 

System Error

The request contained an invalid host header [11.111.111.111:8443] in the request [/nifi]. Check for request manipulation or third-party intercept.

Valid host headers are [empty] or:

  • 127.0.0.1
  • 127.0.0.1:8443
  • localhost
  • localhost:8443
  • [::1]
  • [::1]:8443
  • d592fc9f7974
  • d592fc9f7974:8443
  • 172.17.0.2
  • 172.17.0.2:8443

Re: Dockerized Secure NiFi Instance

Solution:

docker run --name nifi-ssl \
  -v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \
  -v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \
  -p 8080:8443 \
  -e NIFI_WEB_PROXY_HOST=11.111.111.111:8080 \
  -e AUTH=tls \
  -e KEYSTORE_PATH=/opt/certs/keystore.jks \
  -e KEYSTORE_TYPE=JKS \
  -e KEYSTORE_PASSWORD=passwordFROMnifi.properties  \
  -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
  -e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \
  -e TRUSTSTORE_TYPE=JKS \
  -e INITIAL_ADMIN_IDENTITY='CN=admin, OU=nifi' \
  -d \
  apache/nifi:latest
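
Why the Scenario 2 request was rejected while the accepted command works, as an added shell example that is not part of the original posts and not NiFi's own code: it models the allow-list printed on the error page, assuming entries are compared as exact, case-insensitive strings and that each comma-separated NIFI_WEB_PROXY_HOST value is added as written. The function names `allowed_hosts`, `host_header_ok` and `check` are hypothetical.

```shell
#!/bin/sh
# Added example: a model of the Host header allow-list from the error page,
# not NiFi's implementation. Assumption: exact, case-insensitive matching.

# allowed_hosts PORT CONTAINER_HOSTNAME CONTAINER_IP [PROXY_HOSTS]
# Prints one accepted Host header value per line.
allowed_hosts() {
    port=$1; cname=$2; cip=$3; proxy=${4:-}
    # Defaults listed on the error page: each name with and without the HTTPS port.
    for h in 127.0.0.1 localhost '[::1]' "$cname" "$cip"; do
        printf '%s\n%s:%s\n' "$h" "$h" "$port"
    done
    # Comma-separated NIFI_WEB_PROXY_HOST entries, added as written (assumption).
    if [ -n "$proxy" ]; then
        printf '%s\n' "$proxy" | tr ',' '\n' | sed 's/^ *//; s/ *$//'
    fi
}

# host_header_ok HEADER PORT CONTAINER_HOSTNAME CONTAINER_IP [PROXY_HOSTS]
# Returns 0 when HEADER is empty or on the allow-list, 1 otherwise.
host_header_ok() {
    header=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    if [ -z "$header" ]; then return 0; fi
    allowed_hosts "$@" | tr 'A-Z' 'a-z' | grep -Fx -- "$header" >/dev/null
}

# Values taken from the post: container d592fc9f7974 at 172.17.0.2, HTTPS on 8443.
check() {
    if host_header_ok "$@"; then echo "accepted: $1"; else echo "rejected: $1"; fi
}
check '11.111.111.111:8443' 8443 d592fc9f7974 172.17.0.2                       # Scenario 2
check '11.111.111.111:8080' 8443 d592fc9f7974 172.17.0.2 '11.111.111.111:8080' # accepted answer
```

The proxy host entry has to carry the port the client actually connects to (8080 with `-p 8080:8443`), because the browser sends that value in the Host header.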
