Support Questions

Find answers, ask questions, and share your expertise

Dockerized Secure NiFi Instance

avatar
Explorer

I have an EC2 instance running with the IPv4 Public IP 11.111.111.111. 

The first thing I tried was to get NiFi running.

 

 

docker run --name nifi-standalone\
  -p 8080:8080 \
  -d \
  apache/nifi:latest

 

 

 At 11.111.111.111.111:8080/nifi/ I can reach NiFi. Great.

 

Now I wanted to setup a secure NiFi instance.

Step 1: Create certificates with the toolkit.

 

 

./bin/tls-toolkit.sh standalone -n '11.111.111.111' -C 'CN=admin,OU=nifi' -B SuperSecretPassword -o './standalone'

 

 

 

Step 2: Move keystore.jks and truststore.jks into a specific folder (here /home/ec2-user/project/nifi-standalone/certs).

 

Scenario 1: set NIFI_WEB_HTTP_HOST 

I run the following docker command.

 

 

docker run --name nifi-ssl \
  -v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \
  -v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \
  -p 8443:8443 \
  -e NIFI_WEB_HTTPS_HOST=11.111.111.111 \
  -e AUTH=tls \
  -e KEYSTORE_PATH=/opt/certs/keystore.jks \
  -e KEYSTORE_TYPE=JKS \
  -e KEYSTORE_PASSWORD=passwordFROMnifi.properties  \
  -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
  -e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \
  -e TRUSTSTORE_TYPE=JKS \
  -e INITIAL_ADMIN_IDENTITY='CN=admin,OU=nifi' \
  -d \
  apache/nifi:latest

 

 

Note: I read the passwords for the keystore and truststore directly from the nifi.properties file that the toolkit creates.

 

Unfortunately the container shuts down because of

2019-12-18 20:18:29,400 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
java.io.IOException: Failed to bind to.../11.111.111.111:8443

 

Scenario 2: unset NIFI_WEB_HTTP_HOST 

I run the following docker command.

 

 

docker run --name nifi-ssl \
  -v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \
  -v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \
  -p 8443:8443 \
  -e AUTH=tls \
  -e KEYSTORE_PATH=/opt/certs/keystore.jks \
  -e KEYSTORE_TYPE=JKS \
  -e KEYSTORE_PASSWORD=passwordFROMnifi.properties  \
  -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
  -e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \
  -e TRUSTSTORE_TYPE=JKS \
  -e INITIAL_ADMIN_IDENTITY='CN=admin,OU=nifi' \
  -d \
  apache/nifi:latest

 

 

 Now the jetty server starts:

2019-12-18 20:34:23,104 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
2019-12-18 20:34:23,104 INFO [main] org.apache.nifi.web.server.JettyServer https://d592fc9f7974:8443/nifi

 

As I saw the host d592fc9f7974 looks unexpected. https://d592fc9f7974:8443/nifi is unavailable. Next attempt https://11.111.111.111:8443/nifi.

Result: 

System Error

The request contained an invalid host header [11.111.111.111:8443] in the request [/nifi]. Check for request manipulation or third-party intercept.

Valid host headers are [empty] or:

  • 127.0.0.1
  • 127.0.0.1:8443
  • localhost
  • localhost:8443
  • [::1]
  • [::1]:8443
  • d592fc9f7974
  • d592fc9f7974:8443
  • 172.17.0.2
  • 172.17.0.2:8443

1 ACCEPTED SOLUTION

avatar
Explorer

Solution:

docker run --name nifi-ssl \
  -v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \
  -v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \
  -p 8080:8443 \
  -e NIFI_WEB_PROXY_HOST=11.111.111.111:8080 \
  -e AUTH=tls \
  -e KEYSTORE_PATH=/opt/certs/keystore.jks \
  -e KEYSTORE_TYPE=JKS \
  -e KEYSTORE_PASSWORD=passwordFROMnifi.properties  \
  -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
  -e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \
  -e TRUSTSTORE_TYPE=JKS \
  -e INITIAL_ADMIN_IDENTITY='CN=admin, OU=nifi' \
  -d \
  apache/nifi:latest

View solution in original post

1 REPLY 1

avatar
Explorer

Solution:

docker run --name nifi-ssl \
  -v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \
  -v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \
  -p 8080:8443 \
  -e NIFI_WEB_PROXY_HOST=11.111.111.111:8080 \
  -e AUTH=tls \
  -e KEYSTORE_PATH=/opt/certs/keystore.jks \
  -e KEYSTORE_TYPE=JKS \
  -e KEYSTORE_PASSWORD=passwordFROMnifi.properties  \
  -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
  -e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \
  -e TRUSTSTORE_TYPE=JKS \
  -e INITIAL_ADMIN_IDENTITY='CN=admin, OU=nifi' \
  -d \
  apache/nifi:latest