HTTP ERROR 400 Invalid SNI When Accessing NiFi Through Nginx Reverse Proxy in Docker

I have set up Apache NiFi in a Docker container and am using Nginx as a reverse proxy to handle SSL termination. However, when I try to access the NiFi UI through the custom domain configured in Nginx, I receive an "HTTP ERROR 400 Invalid SNI" message.

Below is my Docker Compose configuration:

version: '3'
services:
  nifi:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "8443:8443"
    volumes:
      - nifi-data:/opt/nifi/nifi-current

  nginx:
    image: nginx:latest
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./sslcert:/etc/nginx/sslcert
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - nifi

volumes:
  nifi-data:

And here is the relevant part of my nginx.conf:

events {}

http {
    server {
        listen 80;
        server_name nifi.xxx-xxx-python-mps;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name nifi.xxx-xxx-python-mps;

        ssl_certificate /etc/nginx/sslcert/nifi.xxx-xxx-python-mps.pem;
        ssl_certificate_key /etc/nginx/sslcert/nifi.xxx-xxx-python-mps-key.pem;


        location / {
            proxy_pass https://nifi:8443;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
        }
    }
}

The SSL certificate is self-signed and generated specifically for the domain nifi.my-custom-domain. When accessing the NiFi UI, I encounter the following error:

HTTP ERROR 400 Invalid SNI
URI:    https://nifi.iyed-netze-python-mps/nifi/
STATUS: 400
MESSAGE:    Invalid SNI
CAUSED BY:  org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
Caused by:
org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
    at org.eclipse.jetty.server.SecureRequestCustomizer.checkSni(SecureRequestCustomizer.java:229)
    at org.eclipse.jetty.server.SecureRequestCustomizer.newSecureRequest(SecureRequestCustomizer.java:208)
    at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:197)
    at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:587)
    at org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:424)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
    at org.eclipse.jetty.io.ssl.SslConnection$1.run(SslConnection.java:136)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:971)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1201)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1156)
    at java.base/java.lang.Thread.run(Thread.java:1583)

What might be causing the "Invalid SNI" error in this setup? How can I troubleshoot this issue further?

PS: I have added the custom domain to etc/hosts, and it works for routing to localhost.

0 REPLIES 0
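
The stack trace above ends in Jetty's `SecureRequestCustomizer.checkSni`, whose host check rejects a request when the name in its Host header is not covered by the certificate the server presented. The following is an added example, not part of the original post and not NiFi or Jetty code: a simplified model of which SNI and Host values nginx sends upstream for the posted location block, compared against a certificate's names. `CLIENT_HOST` is a placeholder for the redacted domain and `NIFI_CERT_SANS` is an assumed SAN list, since the question does not show NiFi's own certificate.

```python
import re

# Constructed input: the location block from the question, trimmed to proxy lines.
NGINX_LOCATION = """
location / {
    proxy_pass https://nifi:8443;
    proxy_set_header Host $host;
}
"""
CLIENT_HOST = "nifi.example.internal"   # placeholder for the redacted domain
NIFI_CERT_SANS = ["nifi", "localhost"]  # assumed; not stated in the question

def upstream_view(conf, client_host):
    """Return the SNI and Host header nginx presents to the proxied server."""
    d = {}
    for m in re.finditer(r"^[ \t]*(\w+)[ \t]+([^;\n{}]+);", conf, re.M):
        d.setdefault(m.group(1), []).append(m.group(2).split())
    m = re.match(r"https?://([^/:]+)(:\d+)?", d["proxy_pass"][-1][0])
    upstream, proxy_host = m.group(1), m.group(1) + (m.group(2) or "")
    host = proxy_host  # nginx default when no Host override is configured
    for args in d.get("proxy_set_header", []):
        if args[0].lower() == "host":
            host = args[1].replace("$proxy_host", proxy_host).replace("$host", client_host)
    sni = None  # nginx default: proxy_ssl_server_name off, no SNI sent upstream
    if d.get("proxy_ssl_server_name", [["off"]])[-1][0] == "on":
        sni = d.get("proxy_ssl_name", [[upstream]])[-1][0]
    return {"sni": sni, "host": host.split(":")[0].lower()}

def name_matches(host, pattern):
    """Exact match, or a left-most '*.' wildcard covering exactly one label."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def host_check(view, cert_sans):
    """Simplified model of a Host-versus-certificate check (not Jetty's code)."""
    ok = any(name_matches(view["host"], san) for san in cert_sans)
    return "ok" if ok else "400 Invalid SNI"

if __name__ == "__main__":
    view = upstream_view(NGINX_LOCATION, CLIENT_HOST)
    print(view, "->", host_check(view, NIFI_CERT_SANS))
```

To compare against real values, replace `NIFI_CERT_SANS` with the subject alternative names read from the certificate NiFi serves on port 8443.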