HTTP ERROR 400 Invalid SNI When Accessing NiFi Through Nginx Reverse Proxy in Docker

Contributor

I have set up Apache NiFi in a Docker container and am using Nginx as a reverse proxy to handle SSL termination. However, when I try to access the NiFi UI through the custom domain configured in Nginx, I receive an "HTTP ERROR 400 Invalid SNI" message.


Below is my Docker Compose configuration:

version: '3'
services:
  nifi:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "8443:8443"
    volumes:
      - nifi-data:/opt/nifi/nifi-current

  nginx:
    image: nginx:latest
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./sslcert:/etc/nginx/sslcert
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - nifi

volumes:
  nifi-data:

And here is the relevant part of my nginx.conf:

events {}

http {
    server {
        listen 80;
        server_name nifi.xxx-xxx-python-mps;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name nifi.xxx-xxx-python-mps;

        ssl_certificate /etc/nginx/sslcert/nifi.xxx-xxx-python-mps.pem;
        ssl_certificate_key /etc/nginx/sslcert/nifi.xxx-xxx-python-mps-key.pem;
        location / {
            proxy_pass https://nifi:8443;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
        }
    }
}

The SSL certificate is self-signed and generated specifically for the domain nifi.my-custom-domain. When accessing the NiFi UI, I encounter the following error:

HTTP ERROR 400 Invalid SNI
URI:    https://nifi.iyed-netze-python-mps/nifi/
STATUS: 400
MESSAGE:    Invalid SNI
CAUSED BY:  org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
Caused by:
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
    at org.eclipse.jetty.server.SecureRequestCustomizer.checkSni(SecureRequestCustomizer.java:229)
    at org.eclipse.jetty.server.SecureRequestCustomizer.newSecureRequest(SecureRequestCustomizer.java:208)
    at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:197)
    at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:587)
    at org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:424)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
    at org.eclipse.jetty.io.ssl.SslConnection$1.run(SslConnection.java:136)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:971)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1201)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1156)
    at java.base/java.lang.Thread.run(Thread.java:1583)

What might be causing the "Invalid SNI" error in this setup? How can I troubleshoot this issue further? PS: I have added the custom domain to /etc/hosts, and it works for routing to localhost.

2 REPLIES

New Contributor

Hi!
I didn't use nginx as a reverse proxy, but you need to create your certificates using the nifi-toolkit like this:

tls-toolkit.sh standalone -n "localhost" --clientCertDn "CN=localhost, OU=NIFI" --subjectAlternativeNames 'nifi' --keyStorePassword changeit --trustStorePassword changeit -o nifi/certs -O

--hostnames param -> You can access it from a browser by typing http://localhost:8443/nifi as the external address;
--subjectAlternativeNames -> Comma-separated list of domains to use as Subject Alternative Names in the certificate. In your case, include "nifi". Any Docker container can then reach NiFi using "https://nifi:8443/" as the internal address.

Just to reinforce, include "hostname: nifi" in your docker-compose.yml file.

I hope it helps you!

Master Mentor

@Ghilani

The Invalid SNI is caused by the server certificate presented in the TLS exchange not containing a SubjectAlternativeName (SAN) matching the hostname in the request URL.

Valid SAN entries are required by the latest version of Java.

The solution is to issue new certificates for your NiFi instance(s) that contain all possible SANs used when connecting to the NiFi.

So you should have a SAN entry for your NiFi hostname as well as any alternative names used in connection URLs, like "nifi" coming from your proxy to NiFi.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt
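Added example (not code from this thread, from NiFi or from Jetty): a simplified Python model of the rule Matt describes, which checks the hostname in a request's Host header against a certificate's SubjectAlternativeName list, so a planned SAN list can be verified against every name the browser and the proxy will use before a certificate is issued. The SAN lists and hostnames are constructed from the thread; the exact-match and single-label wildcard rules are an assumption about how the server-side matcher behaves, not a reading of Jetty's source.

```python
"""Model of the hostname-vs-certificate check behind "400: Invalid SNI".

Added example, not code from the thread, NiFi or Jetty. It applies the rule
given in the answers: the name in the request URL must appear among the
certificate's SubjectAlternativeName entries. Matching rules (exact match or a
single leading '*' covering exactly one label) are an assumption.
"""
import ipaddress


def host_from_header(host_header: str) -> str:
    """Strip an optional :port from an HTTP Host value ('nifi:8443' -> 'nifi')."""
    h = host_header.strip().lower()
    if h.startswith("["):                      # bracketed IPv6 literal, e.g. [::1]:8443
        return h[1:h.index("]")]
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def san_matches(san: str, host: str) -> bool:
    """Exact DNS match, or a '*.example' wildcard covering exactly one extra label."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*.") and "*" not in san[1:]:
        san_labels, host_labels = san.split(".")[1:], host.split(".")
        return len(host_labels) == len(san_labels) + 1 and host_labels[1:] == san_labels
    return False


def check_request(host_header: str, sans: list[str]) -> str:
    """Return 'OK' or '400 Invalid SNI' for a request carrying this Host header."""
    host = host_from_header(host_header)
    try:                                       # IP-address SANs must match exactly
        ipaddress.ip_address(host)
        return "OK" if host in [s.lower() for s in sans] else "400 Invalid SNI"
    except ValueError:
        pass
    return "OK" if any(san_matches(s, host) for s in sans) else "400 Invalid SNI"


def missing_sans(required_hosts: list[str], sans: list[str]) -> list[str]:
    """Hostnames that a certificate with these SANs would still reject."""
    return [h for h in required_hosts if check_request(h, sans) != "OK"]


if __name__ == "__main__":
    # Constructed: SANs of a toolkit-issued cert vs. the names used in the thread's setup.
    current = ["localhost", "nifi"]
    needed = ["nifi", "nifi:8443", "nifi.xxx-xxx-python-mps"]
    print(check_request("nifi.xxx-xxx-python-mps", current))        # 400 Invalid SNI
    print(missing_sans(needed, current))                              # ['nifi.xxx-xxx-python-mps']
    print(missing_sans(needed, current + ["nifi.xxx-xxx-python-mps"]))  # []
```

Because nginx forwards `Host $host`, the backend sees the public domain rather than "nifi", so the certificate must carry both names for the check to pass.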