Support Questions

Ettery · ‎06-05-2020

I have started Apache NiFi in a container successfully with the command

docker run --name nifi -p 9090:9090 -d -e NIFI_WEB_HTTP_PORT='9090' apache/nifi:latest

and can connect to the UI on `http://localhost:9090/nifi` - however, my company only allows HTTPS connections between subnets and so I am using Nginx to reverse proxy the https calls to the NiFi container with the following config:

location /nifi/ {
proxy_set_header X-ProxyScheme "https";
proxy_set_header X-ProxyHost "mercury-dev";
proxy_set_header X-ProxyPort "443";
proxy_set_header X-ProxyContextPath "/nifi/";
proxy_pass http://mercury-dev:9090/nifi/;
}
location /nifi-docs/ {
proxy_set_header X-ProxyScheme "https";
proxy_set_header X-ProxyHost "mercury-dev";
proxy_set_header X-ProxyPort "443";
proxy_set_header X-ProxyContextPath "/nifi-docs/";
proxy_pass http://mercury-dev:9090/nifi-docs/;
}
location /nifi-api/ {
proxy_set_header X-ProxyScheme "https";
proxy_set_header X-ProxyHost "mercury-dev";
proxy_set_header X-ProxyPort "443";
proxy_set_header X-ProxyContextPath "/nifi-api/";
proxy_pass http://mercury-dev:9090/nifi-api/;
}

When I browse to `https://mercury-dev/nifi` from a remote machine, the NiFi UI starts to load, and then fails. The on-screen error says `An unexpected error has occurred. Please check the logs for additional details.` and the Chrome developer console reports:

/nifi-api/access/kerberos:1 Failed to load resource: the server responded with a status of 409 (Conflict)
/nifi-api/access/oidc/exchange:1 Failed to load resource: the server responded with a status of 409 (Conflict)
/nifi-api/flow/about:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error)
/nifi-api/flow/process-groups/root:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error)

When I log into the container and look at the log files, I see a number of errors saying, for example ERROR [NiFi Web Server-21] org.apache.nifi.web.util.WebUtils The provided context path [/nifi-api] was not whitelisted

I have found references in the NiFi documentation to whitelisting the host and content using the `nifi.web.proxy.host` and `nifi.web.proxy.context.path` properties, but I can't find description of how to do it.

Within the container there is no editor available to edit the properties file (and anyway, it's really bad practice)
The documentation mentions setting them through the Global menu on the UI, but I see no obvious option to do this.
I may be able to supply environment variables to the container command line, but can't find any reference to doing this and therefore what variable names to use.

How can I set these properties, or otherwise get this container running behind the HTTPS proxy?

Thanks!

jagadeesan · ‎06-06-2020

Hi @Ettery

Can you try to add those properties in nifi.properties?
the Docker configuration has been updated to allow proxy whitelisting from the run command
the host header protection is only enforced on "secured" NiFi instances. This should make it much easier for users to quickly deploy sandbox environments like you are doing in this case
Even you can try with: -e NIFI_WEB_HTTP_HOST=<host> in docker run command

docker run --name nifi -p 9090:9090 -d -e NIFI_WEB_HTTP_PORT='9090' -e NIFI_WEB_HTTP_HOST=<host> apache/nifi:latest

In GitHub example configuration and documentation for NiFi running behind a reverse proxy that you may be interested in. For more detail refer stackoverflow1 and stackoverflow2

Cloudera Community

Support Questions

How do I configure Apache NiFi nifi.web.proxy.host when running in a Docker container?