
How do I configure Apache NiFi nifi.web.proxy.host when running in a Docker container?


I have started Apache NiFi in a container successfully with the command

```
docker run --name nifi -p 9090:9090 -d -e NIFI_WEB_HTTP_PORT='9090' apache/nifi:latest
```

and can connect to the UI on `http://localhost:9090/nifi` - however, my company only allows HTTPS connections between subnets and so I am using Nginx to reverse proxy the https calls to the NiFi container with the following config:

```
location /nifi/ {
    proxy_set_header X-ProxyScheme "https";
    proxy_set_header X-ProxyHost "mercury-dev";
    proxy_set_header X-ProxyPort "443";
    proxy_set_header X-ProxyContextPath "/nifi/";
    proxy_pass http://mercury-dev:9090/nifi/;
}
location /nifi-docs/ {
    proxy_set_header X-ProxyScheme "https";
    proxy_set_header X-ProxyHost "mercury-dev";
    proxy_set_header X-ProxyPort "443";
    proxy_set_header X-ProxyContextPath "/nifi-docs/";
    proxy_pass http://mercury-dev:9090/nifi-docs/;
}
location /nifi-api/ {
    proxy_set_header X-ProxyScheme "https";
    proxy_set_header X-ProxyHost "mercury-dev";
    proxy_set_header X-ProxyPort "443";
    proxy_set_header X-ProxyContextPath "/nifi-api/";
    proxy_pass http://mercury-dev:9090/nifi-api/;
}
```

When I browse to `https://mercury-dev/nifi` from a remote machine, the NiFi UI starts to load, and then fails. The on-screen error says `An unexpected error has occurred. Please check the logs for additional details.` and the Chrome developer console reports:

```
/nifi-api/access/kerberos:1 Failed to load resource: the server responded with a status of 409 (Conflict)
/nifi-api/access/oidc/exchange:1 Failed to load resource: the server responded with a status of 409 (Conflict)
/nifi-api/flow/about:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error)
/nifi-api/flow/process-groups/root:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error)
```

When I log into the container and look at the log files, I see a number of errors saying, for example, `ERROR [NiFi Web Server-21] org.apache.nifi.web.util.WebUtils The provided context path [/nifi-api] was not whitelisted`

I have found references in the NiFi documentation to whitelisting the host and content using the `nifi.web.proxy.host` and `nifi.web.proxy.context.path` properties, but I can't find a description of how to do it.

  • Within the container there is no editor available to edit the properties file (and anyway, it's really bad practice)
  • The documentation mentions setting them through the Global menu on the UI, but I see no obvious option to do this.
  • I may be able to supply environment variables to the container command line, but can't find any reference to doing this and therefore what variable names to use.

How can I set these properties, or otherwise get this container running behind the HTTPS proxy?

Thanks!


Re: How do I configure Apache NiFi nifi.web.proxy.host when running in a Docker container?


Hi @Ettery 

  • Can you try to add those properties in nifi.properties?
  • The Docker configuration has been updated to allow proxy whitelisting from the run command.
  • The host header protection is only enforced on "secured" NiFi instances. This should make it much easier for users to quickly deploy sandbox environments like you are doing in this case.
  • You can even try with `-e NIFI_WEB_HTTP_HOST=<host>` in the docker run command:

```
docker run --name nifi -p 9090:9090 -d -e NIFI_WEB_HTTP_PORT='9090' -e NIFI_WEB_HTTP_HOST=<host> apache/nifi:latest
```

On GitHub there is an example configuration and documentation for NiFi running behind a reverse proxy that you may be interested in. For more detail, refer to stackoverflow1 and stackoverflow2.
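
A pre-flight check for the whitelist error quoted in the question, as an added example that is not part of the original thread and is not NiFi's own code: it pulls every `X-ProxyContextPath` value out of an nginx config and lists the ones missing from the value planned for `nifi.web.proxy.context.path`. The normalisation (trim, one leading slash, no trailing slash) is an assumption inferred from the question's log line, where the header `/nifi-api/` is reported as `/nifi-api`; the function names and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check nginx X-ProxyContextPath headers against the value
# planned for nifi.web.proxy.context.path before deploying.

# Assumed normalisation (inferred from the log line, not NiFi's code):
# trim whitespace, drop trailing slashes, force a single leading slash.
normalize_context_path() {
  printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    -e 's#/*$##' -e '/./s#^/*#/#'
}

# Print every X-ProxyContextPath value set in the nginx config on stdin.
proxy_context_paths() {
  sed -n 's/^[[:space:]]*proxy_set_header[[:space:]]\{1,\}X-ProxyContextPath[[:space:]]\{1,\}"\{0,1\}\([^";]*\)"\{0,1\}[[:space:]]*;.*$/\1/p'
}

# Succeed when header value $2 is in the comma-separated allow-list $1.
context_path_allowed() {
  local want
  want=$(normalize_context_path "$2")
  [ -n "$want" ] || return 0   # blank header: nothing to verify
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r entry; do
    normalize_context_path "$entry"
  done | grep -Fxq -- "$want"
}

# List (normalised, de-duplicated) the header values the allow-list misses.
missing_context_paths() {
  proxy_context_paths | while IFS= read -r path; do
    context_path_allowed "$1" "$path" || normalize_context_path "$path"
  done | sort -u
}

# Constructed sample: the three headers from the question's nginx config.
SAMPLE_CONF='location /nifi/ {
    proxy_set_header X-ProxyContextPath "/nifi/";
}
location /nifi-docs/ {
    proxy_set_header X-ProxyContextPath "/nifi-docs/";
}
location /nifi-api/ {
    proxy_set_header X-ProxyContextPath "/nifi-api/";
}'

# An allow-list of only "/nifi" leaves two paths that would be rejected.
printf '%s\n' "$SAMPLE_CONF" | missing_context_paths "/nifi"
```

An empty result means every proxied context path is covered. Recent `apache/nifi` images accept the resulting list through the `NIFI_WEB_PROXY_CONTEXT_PATH` environment variable and the proxy hostname through `NIFI_WEB_PROXY_HOST`.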
