I have an EC2 instance running with the IPv4 Public IP 11.111.111.111.
The first thing I tried was to get NiFi running.
docker run --name nifi-standalone \
-p 8080:8080 \
-d \
apache/nifi:latest
At 11.111.111.111:8080/nifi/ I can reach NiFi. Great.
Now I wanted to set up a secure NiFi instance.
Step 1: Create certificates with the toolkit.
./bin/tls-toolkit.sh standalone -n '11.111.111.111' -C 'CN=admin,OU=nifi' -B SuperSecretPassword -o './standalone'
Step 2: Move keystore.jks and truststore.jks into a specific folder (here /home/ec2-user/project/nifi-standalone/certs).
Scenario 1: set NIFI_WEB_HTTPS_HOST
I run the following docker command.
docker run --name nifi-ssl \
-v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \
-v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \
-p 8443:8443 \
-e NIFI_WEB_HTTPS_HOST=11.111.111.111 \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD=passwordFROMnifi.properties \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \
-e TRUSTSTORE_TYPE=JKS \
-e INITIAL_ADMIN_IDENTITY='CN=admin,OU=nifi' \
-d \
apache/nifi:latest
Note: I read the passwords for the keystore and truststore directly from the nifi.properties file that the toolkit creates.
Unfortunately the container shuts down because of
2019-12-18 20:18:29,400 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
java.io.IOException: Failed to bind to.../11.111.111.111:8443
Scenario 2: unset NIFI_WEB_HTTPS_HOST
I run the following docker command.
docker run --name nifi-ssl \
-v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \
-v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \
-p 8443:8443 \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD=passwordFROMnifi.properties \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \
-e TRUSTSTORE_TYPE=JKS \
-e INITIAL_ADMIN_IDENTITY='CN=admin,OU=nifi' \
-d \
apache/nifi:latest
Now the Jetty server starts:
2019-12-18 20:34:23,104 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
2019-12-18 20:34:23,104 INFO [main] org.apache.nifi.web.server.JettyServer https://d592fc9f7974:8443/nifi
As you can see, the host d592fc9f7974 looks unexpected. https://d592fc9f7974:8443/nifi is unavailable. Next attempt: https://11.111.111.111:8443/nifi.
Result:
Valid host headers are [empty] or:
Created 12-19-2019 01:40 AM
Solution:
docker run --name nifi-ssl \
-v /home/ec2-user/project/nifi-standalone/certs:/opt/certs \
-v /home/ec2-user/project/nifi-standalone/conf:/opt/conf \
-p 8080:8443 \
-e NIFI_WEB_PROXY_HOST=11.111.111.111:8080 \
-e AUTH=tls \
-e KEYSTORE_PATH=/opt/certs/keystore.jks \
-e KEYSTORE_TYPE=JKS \
-e KEYSTORE_PASSWORD=passwordFROMnifi.properties \
-e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
-e TRUSTSTORE_PASSWORD=passwordFROMnifi.properties \
-e TRUSTSTORE_TYPE=JKS \
-e INITIAL_ADMIN_IDENTITY='CN=admin, OU=nifi' \
-d \
apache/nifi:latest
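Two things in the thread are worth spelling out. Scenario 1 fails because NIFI_WEB_HTTPS_HOST sets nifi.web.https.host, which is a bind address: inside the container the EC2 public IP is not configured on any interface (EC2 public addresses are NATed to the instance's private address), so Jetty cannot bind to it. Scenario 2 starts but NiFi answers "Valid host headers are ..." because it whitelists the Host header it will serve (a defence against DNS rebinding and Host-header injection); NIFI_WEB_PROXY_HOST is that whitelist, and it has to match exactly what the browser sends, host plus the published port. The script below is an added example, not code from this thread, that wires the toolkit output into the container the way the solution does, but reads the generated passwords out of nifi.properties instead of pasting them on the command line, and probes the result with the toolkit's client certificate. It assumes the tls-toolkit default layout (./standalone/<hostname>/ holding nifi.properties and the .jks files, nifi-cert.pem as the CA, and the client PKCS12 named after the DN as CN=admin_OU=nifi.p12); the unused /opt/conf mount from the original command is dropped, and the DOCKER variable is an assumed hook for showing the command without running it.

```shell
#!/bin/sh
# Added example, not code from the thread above.
# Starts the apache/nifi container the way the accepted solution does, but reads
# the keystore/truststore passwords that tls-toolkit wrote into nifi.properties
# instead of pasting them into the command line.
# Assumed layout (tls-toolkit standalone defaults, not stated on the page):
#   ./standalone/<hostname>/nifi.properties, keystore.jks, truststore.jks
#   ./standalone/nifi-cert.pem                 (the toolkit's CA certificate)
#   ./standalone/CN=admin_OU=nifi.p12          (client cert, password given with -B)
set -eu

# Return the value of one key from a Java .properties file (first match only).
# $1 properties file   $2 key
nifi_prop() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Start NiFi with TLS client-certificate auth behind a published port.
# $1 nifi.properties from the toolkit   $2 directory holding the .jks files
# $3 public host name or IP            $4 published port   $5 initial admin DN
# NIFI_WEB_PROXY_HOST is the only Host header Jetty will accept, so it is set to
# exactly what the browser sends: the public host plus the *published* port
# (8080 here, not the container's 8443), otherwise NiFi answers
# "Valid host headers are ..." as the original poster saw.
nifi_ssl_start() {
  props=$1 certs_dir=$2 public_host=$3 public_port=$4 admin_dn=$5
  ks_pass=$(nifi_prop "$props" nifi.security.keystorePasswd)
  ts_pass=$(nifi_prop "$props" nifi.security.truststorePasswd)
  if [ -z "$ks_pass" ] || [ -z "$ts_pass" ]; then
    echo "keystore/truststore password missing in $props" >&2
    return 1
  fi
  # DOCKER is an assumed hook: DOCKER=echo prints the command instead of running it.
  "${DOCKER:-docker}" run --name nifi-ssl \
    -v "$certs_dir:/opt/certs" \
    -p "$public_port:8443" \
    -e "NIFI_WEB_PROXY_HOST=$public_host:$public_port" \
    -e AUTH=tls \
    -e KEYSTORE_PATH=/opt/certs/keystore.jks \
    -e KEYSTORE_TYPE=JKS \
    -e "KEYSTORE_PASSWORD=$ks_pass" \
    -e TRUSTSTORE_PATH=/opt/certs/truststore.jks \
    -e TRUSTSTORE_TYPE=JKS \
    -e "TRUSTSTORE_PASSWORD=$ts_pass" \
    -e "INITIAL_ADMIN_IDENTITY=$admin_dn" \
    -d apache/nifi:latest
}

# Probe the running instance with the toolkit's client certificate, twice:
# once with the real Host header (expect 200) and once with a forged one
# (expect NiFi's host-header rejection instead of 200). The server certificate
# is verified against the toolkit CA rather than skipped with curl -k, so a
# certificate/host mismatch shows up as a curl error and an empty code.
# $1 URL, e.g. https://11.111.111.111:8080/nifi/   $2 client .p12   $3 its password
# $4 CA pem   $5 a Host value NiFi was not told about, e.g. evil.example
nifi_host_header_probe() {
  url=$1 p12=$2 p12_pass=$3 ca=$4 forged_host=$5
  echo "real host:   $(curl -s --cacert "$ca" --cert-type P12 --cert "$p12:$p12_pass" \
                        -o /dev/null -w '%{http_code}' "$url")"
  echo "forged host: $(curl -s --cacert "$ca" --cert-type P12 --cert "$p12:$p12_pass" \
                        -H "Host: $forged_host" -o /dev/null -w '%{http_code}' "$url")"
}

# Usage (commented out so the file can be sourced without side effects):
#   nifi_ssl_start ./standalone/11.111.111.111/nifi.properties \
#     /home/ec2-user/project/nifi-standalone/certs 11.111.111.111 8080 'CN=admin, OU=nifi'
#   nifi_host_header_probe https://11.111.111.111:8080/nifi/ \
#     './standalone/CN=admin_OU=nifi.p12' SuperSecretPassword ./standalone/nifi-cert.pem evil.example
```

Two caveats for a public EC2 instance: anything passed with -e is visible in `docker inspect` and in the shell history, so an `--env-file` with 0600 permissions is the better home for the store passwords; and `-p 8080:8443` publishes on every host interface, so the security group should limit that port to the client addresses that hold a client certificate.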