Created 05-29-2025 07:24 AM
Hello, everyone!
We have a three-node Apache NiFi cluster with LDAP auth and, right now, users must enter a node name to access the NiFi UI, e.g.:
https://nifi-node-01.company.com:9443/nifi
I'd like to make it friendlier for them and create some LB with HAProxy/Nginx etc. You know, to access NiFi with an address like this:
https://nifi-service.company.com
I've read a lot of articles about LB, but all of them talk about LB for data flow, not for the UI. So, what do you think, is it OK? Are there any potential pitfalls?
Created on 05-29-2025 12:36 PM - edited 05-29-2025 12:39 PM
@asand3r
It is very common to use a load balancer in front of NiFi's UI, but it is necessary to configure Session Affinity (sticky sessions) in the load balancer to make sure all subsequent requests are directed to the same node in the same session.
When you log in to a NiFi node using LDAP auth, that specific node issues you a user token and stores a corresponding server-side token. That server-side token is only present on the one node that handled the user authentication. So, without session affinity configured, redirects within the same session are likely to end up going to other nodes, which will reject the client token.
The server token is how NiFi controls access expiration, since it is not possible to guarantee a client expires and stops using the client token issued. The NiFi node will remove the server-side token at expiration or when the user clicks logout.
You'll also want to make sure that your NiFi node certificates also include a SAN entry for:
nifi-service.company.com
Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.
Thank you,
Matt
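An added example of the sticky-session load balancer described in the answer above, written for this thread and not taken from the NiFi project or any poster. It assumes the hostnames from the thread (nifi-node-01/02/03.company.com on port 9443 behind nifi-service.company.com) and placeholder certificate paths; HAProxy terminates TLS so it can insert a stickiness cookie, then re-encrypts to the nodes and verifies their certificates.

```haproxy
# Added example (not from the thread): HAProxy in front of a 3-node NiFi UI.
# Assumed hostnames nifi-node-0{1,2,3}.company.com:9443 and the VIP
# nifi-service.company.com from the thread; certificate paths are placeholders.
global
    log stdout format raw local0
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend nifi_ui
    # TLS is terminated here so HAProxy can see the HTTP layer and set a cookie.
    bind *:443 ssl crt /etc/haproxy/certs/nifi-service.company.com.pem
    # Tell NiFi which external scheme/host/port the user actually used, so the
    # links and redirects it generates point at the service name, not a node.
    http-request set-header X-ProxyScheme https
    http-request set-header X-ProxyHost   nifi-service.company.com
    http-request set-header X-ProxyPort   443
    default_backend nifi_nodes

backend nifi_nodes
    balance roundrobin
    # Sticky sessions: HAProxy inserts a cookie naming the node that served the
    # first request; every later request from that browser goes to the same node,
    # so the server-side token created at login is always found.
    cookie NIFI_SRV insert indirect nocache secure httponly
    # Re-encrypt to the nodes and verify their certificates against the internal CA.
    default-server ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
    option httpchk GET /nifi/
    server node01 nifi-node-01.company.com:9443 cookie n01
    server node02 nifi-node-02.company.com:9443 cookie n02
    server node03 nifi-node-03.company.com:9443 cookie n03
```

Two practitioner notes beyond the thread: if you instead pass TLS straight through (`mode tcp`), HAProxy cannot insert a cookie and the browser sees the node's own certificate, which is exactly the case where the SAN for nifi-service.company.com on every node certificate matters; and NiFi's admin guide requires the proxied hostname to be listed in `nifi.web.proxy.host` in nifi.properties, otherwise the node rejects requests carrying the service name in the Host header. Both are general NiFi behaviour, not something the thread states.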
Created 05-30-2025 12:26 AM
Thanks a lot for your answer, @MattWho. 😃