Created on 10-14-2024 02:32 AM - edited 10-14-2024 07:49 AM
I made a docker compose to deploy nifi in cluster on my server.
I get the error Authentication Proxy Server not trusted
Here are my configurations
docker-compose
version: '3.8'
x-common-nifi:
environment: &nifi-env
NIFI_WEB_HTTPS_PORT: 8443
NIFI_CLUSTER_IS_NODE: "true"
NIFI_CLUSTER_NODE_PROTOCOL_PORT: 11444
NIFI_ZK_CONNECT_STRING: zookeeper:2181
NIFI_ELECTION_MAX_WAIT: 1 min
NIFI_ZK_ROOT_NODE: /nifi
NIFI_SENSITIVE_PROPS_KEY: ${KEY_SENSITIVE}
NIFI_VARIABLE_REGISTRY_PROPERTIES: http://nifi-registry:18080
AUTH: ldap
INITIAL_ADMIN_IDENTITY: 'uid=admin,ou=admins,dc=myhost,dc=dev'
#LDAP_AUTHENTICATION_STRATEGY: 'LDAPS'
LDAP_AUTHENTICATION_STRATEGY: 'SIMPLE'
LDAP_MANAGER_DN: 'cn=admin,dc=myhost,dc=dev'
LDAP_MANAGER_PASSWORD: ${ADMIN_PASSWORD}
LDAP_URL: 'ldap://openldap'
LDAP_USER_SEARCH_BASE: 'dc=myhost,dc=dev'
LDAP_USER_SEARCH_FILTER: 'uid={0}'
LDAP_IDENTITY_STRATEGY: 'USE_DN'
KEYSTORE_TYPE: JKS
KEYSTORE_PASSWORD: ${KEY_STORE}
KEYSTORE_PATH: /opt/certs/keystore.jks
TRUSTSTORE_PATH: /opt/certs/truststore.jks
TRUSTSTORE_PASSWORD: ${KEY_STORE}
TRUSTSTORE_TYPE: JKS
NIFI_WEB_PROXY_HOST: "web.nifiapp.myhost.dev,*.nifiapp.myhost.dev"
NIFI_JVM_HEAP_INIT: 512m
NIFI_JVM_HEAP_MAX: 512m
#NODE_IDENTITY: 'CN=*.nifiapp.myhost.dev'
networks: &nifi-net
- nifi_network
depends_on: &nifi-dep
- openldap
entrypoint: &nifi-entry
- "/bin/bash"
- "-c"
- "sed -i 's|<appender-ref ref=\"USER_FILE\"/>|<appender-ref ref=\"CONSOLE\"/>|' conf/logback.xml; ../scripts/start.sh"
services:
zookeeper:
image: confluentinc/cp-zookeeper:latest
hostname: zookeeper
environment:
ZOOKEEPER_SERVER_ID: 1
ZOOKEEPER_SERVERS: server.1=zookeeper:2888:3888
ZOOKEEPER_CLIENT_PORT: 2181
JVMFLAGS: -Xmx512m -Xms512m
ports:
- "7481:2181"
- "7499:8080"
volumes:
- zookeeper_data:/data
- zookeeper_datalog:/datalog
networks:
- nifi_network
nifi1:
image: apache/nifi:latest
hostname: n1.nifiapp.myhost.dev
entrypoint: *nifi-entry
ports:
- "7498:8443"
- "7400-7425:7400-7425"
environment:
<<: *nifi-env
NIFI_WEB_HTTPS_HOST: n1.nifiapp.myhost.dev
NIFI_NODE_IDENTITY: nifi1
networks: *nifi-net
depends_on: *nifi-dep
volumes:
- nifi1_logs:/opt/nifi/nifi-current/logs
- nifi1_state:/opt/nifi/nifi-current/state
- nifi1_conf:/opt/nifi/nifi-current/conf
- nifi1_database_repository:/opt/nifi/nifi-current/database_repository
- nifi1_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
- nifi1_content_repository:/opt/nifi/nifi-current/content_repository
- nifi1_provenance_repository:/opt/nifi/nifi-current/provenance_repository
- ./exports:/opt/certs
nifi2:
image: apache/nifi:latest
hostname: n2.nifiapp.myhost.dev
entrypoint: *nifi-entry
ports:
- "7497:8443"
- "7426-7451:7426-7451"
environment:
<<: *nifi-env
NIFI_WEB_HTTPS_HOST: n2.nifiapp.myhost.dev
NIFI_NODE_IDENTITY: nifi2
networks: *nifi-net
depends_on: *nifi-dep
volumes:
- nifi2_logs:/opt/nifi/nifi-current/logs
- nifi2_state:/opt/nifi/nifi-current/state
- nifi2_conf:/opt/nifi/nifi-current/conf
- nifi2_database_repository:/opt/nifi/nifi-current/database_repository
- nifi2_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
- nifi2_content_repository:/opt/nifi/nifi-current/content_repository
- nifi2_provenance_repository:/opt/nifi/nifi-current/provenance_repository
- ./exports:/opt/certs
nifi3:
image: apache/nifi:latest
hostname: n3.nifiapp.myhost.dev
entrypoint: *nifi-entry
ports:
- "7496:8443"
- "7452-7475:7452-7475"
networks: *nifi-net
depends_on: *nifi-dep
environment:
<<: *nifi-env
NIFI_WEB_HTTPS_HOST: n3.nifiapp.myhost.dev
NIFI_NODE_IDENTITY: nifi3
volumes:
- nifi3_logs:/opt/nifi/nifi-current/logs
- nifi3_state:/opt/nifi/nifi-current/state
- nifi3_conf:/opt/nifi/nifi-current/conf
- nifi3_database_repository:/opt/nifi/nifi-current/database_repository
- nifi3_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
- nifi3_content_repository:/opt/nifi/nifi-current/content_repository
- nifi3_provenance_repository:/opt/nifi/nifi-current/provenance_repository
- ./exports:/opt/certs
nifi-registry:
image: apache/nifi-registry:latest
ports:
- "7495:18080"
volumes:
- nifi-registry-data:/opt/nifi-registry/data
- nifi-registry-conf:/opt/nifi-registry/conf
- nifi-registry-logs:/opt/nifi-registry/logs
networks:
- nifi_network
depends_on:
- openldap
openldap:
image: osixia/openldap:1.5.0
hostname: openldap
environment:
LDAP_ORGANISATION: MY ORG
LDAP_DOMAIN: myhost.dev
LDAP_ADMIN_PASSWORD: "${ADMIN_PASSWORD}"
LDAP_CONFIG_PASSWORD: "${ADMIN_PASSWORD}"
LDAP_ADMIN_CN: admin
LDAP_TLS_VERIFY_CLIENT: allow
LDAP_TLS: "false"
LDAP_BASE_DN: dc=myhost,dc=dev
ports:
- "389:389" # Port LDAP
volumes:
- openldap-data:/var/lib/ldap
- openldap-config:/etc/ldap/slapd.d
networks:
- nifi_network
command: ["--loglevel", "debug","--copy-service"]
ldap-user-manager:
image: wheelybird/ldap-user-manager:v1.5
environment:
- LDAP_URI=ldap://openldap
- LDAP_BASE_DN=dc=myhost,dc=dev
- LDAP_ADMIN_BIND_DN=cn=admin,dc=myhost,dc=dev
- LDAP_ADMIN_BIND_PWD=${ADMIN_PASSWORD}
- LDAP_ADMINS_GROUP=cn=admin,ou=MY ORG,dc=myhost,dc=dev
- LDAP_REQUIRE_STARTTLS=FALSE
ports:
- "7494:80"
- "7493:443"
depends_on:
- openldap
networks:
- nifi_network
platform: linux/amd64
networks:
nifi_network:
name: 'nifi_tls_network'
volumes:
nifi1_logs:
nifi1_state:
nifi1_conf:
nifi1_database_repository:
nifi1_flowfile_repository:
nifi1_content_repository:
nifi1_provenance_repository:
nifi2_logs:
nifi2_state:
nifi2_conf:
nifi2_database_repository:
nifi2_flowfile_repository:
nifi2_content_repository:
nifi2_provenance_repository:
nifi3_logs:
nifi3_state:
nifi3_conf:
nifi3_database_repository:
nifi3_flowfile_repository:
nifi3_content_repository:
nifi3_provenance_repository:
zookeeper_data:
zookeeper_datalog:
nifi-registry-data:
nifi-registry-conf:
nifi-registry-logs:
openldap-data:
openldap-config:
postgres_data:
on my server I use a Nginx that configure below
upstream nifibalancer {
ip_hash;
server localhost:7498;
server localhost:7497;
server localhost:7486;
}
server {
listen 443 ssl;
server_name ~^p(?<port>\d+)\.nifiapp.myhost\.dev$;
ignore_invalid_headers off;
# Vérification de l'intervalle de ports autorisés (de 8900 à 8999)
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
if ($port ~* "^(74[0-8]{1}[0-9]{1})$") {
proxy_pass http://localhost:$port;
}
return 403; # Refuse les requêtes en dehors de cet intervalle
}
access_log /var/log/nginx/nifiapp-listener-app-access.log;
error_log /var/log/nginx/nifiapp-listener-app-error.log;
ssl_certificate /etc/letsencrypt/live/nifiapp.myhost.dev/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nifiapp.myhost.dev/privkey.pem;
}
server {
listen 443 ssl;
server_name web.nifiapp.myhost.dev;
ignore_invalid_headers off;
location / {
proxy_pass https://nifibalancer/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-ProxyScheme $scheme;
proxy_set_header X-ProxyHost $host;
proxy_set_header X-ProxyPort $port;
#proxy_set_header X-ProxyContextPath /;
# Add ProxiedEntitiesChain using client certificate's distinguished name (DN)
proxy_set_header X-ProxiedEntitiesChain $ssl_client_s_dn;
}
access_log /var/log/nginx/nifiapp-app-access.log;
error_log /var/log/nginx/nifiapp-app-error.log;
ssl_certificate /etc/letsencrypt/live/nifiapp.myhost.dev/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nifiapp.myhost.dev/privkey.pem;
}
server {
listen 443 ssl;
server_name zookeeper.nifiapp.myhost.dev;
ignore_invalid_headers off;
location / {
proxy_pass http://localhost:7499;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Original-URI $request_uri;
}
error_page 404 =200 /index.html;
access_log /var/log/nginx/nifiapp-zookeeper-app-access.log;
error_log /var/log/nginx/nifiapp-zookeeper-app-error.log;
ssl_certificate /etc/letsencrypt/live/nifiapp.myhost.dev/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nifiapp.myhost.dev/privkey.pem;
}
Created 10-14-2024 10:34 PM
@afidos, Welcome to our community! To help you get the best possible answer, I have tagged in our NiFi experts @SAMSAL @MattWho who may be able to assist you further.
Please feel free to provide any additional information or details about your query, and we hope that you will find a satisfactory solution to your question.
Regards,
Vidya Sargur,Created on 10-15-2024 08:24 AM - edited 10-15-2024 08:25 AM
I create my first user with this script
#!/bin/bash
group='admins'
username='admin'
uidNumber=1001
gidNumber=1001
firstName='My First'
lastName="My Last"
password="password"
ldapadd -x -D "cn=admin,dc=myhost,dc=dev" -w $password <<EOF
dn: ou=$group,dc=myhost,dc=dev
objectClass: organizationalUnit
ou: $group
EOF
cat <<EOF
dn: uid=$username,ou=$group,dc=myhost,dc=dev
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $username
cn: $username
sn: $lastName
givenName: $firstName
uidNumber: $uidNumber
gidNumber: $gidNumber
homeDirectory: /home/$username
loginShell: /bin/bash
userPassword: $(slappasswd -s $password)
EOF
# Ajouter l'utilisateur via ldapadd
ldapadd -x -D "cn=admin,dc=myhost,dc=dev" -w $password <<EOF
dn: uid=$username,ou=$group,dc=myhost,dc=dev
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $username
cn: $username
sn: $lastName
givenName: $firstName
uidNumber: $uidNumber
gidNumber: $gidNumber
homeDirectory: /home/$username
loginShell: /bin/bash
userPassword: $(slappasswd -s $password)
EOF