Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

NiFi UI load balance with HAProxy to CONNECTED nodes only

Labels:
avatar
author-rank asand3r
Explorer

Created ‎07-29-2025 03:09 AM

Hello, guys!

I still have a three-node cluster Apache NiFi 1.18.0 (yeap, upgrade task in by backlog =)) and trying to setup it behind HAProxy just for UI (/nifi endpoint).

I wanna to implement a health check to balance user requests only to nodes in CONNECTED status to avoid issues when nodes moves to maintenance (offload, disconnect).

Is it good idea, right? Or maybe I do some overengineering things? 😃

By the way, I have next HAProxy config file:

frontend nifi_443
  bind *:443 ssl crt /etc/haproxy/ssl/cert_file.pem
  http-request set-path /nifi if { path / }
  mode http
  option httplog
  acl DST_IP dst 10.0.0.10
  use_backend nifi_ui_9443 if DST_IP

backend nifi_ui_9443
  mode http
  option httpchk
  http-check send meth GET uri /nifi-api/access/config ver HTTP/1.1  hdr Host nifi-cluster.corp.company.com
  http-check expect status 200
  cookie SERVERID insert indirect nocache
  balance leastconn

  server srv_1 10.0.0.1:9443 check ssl verify none cookie web1
  server srv_2 10.0.0.2:9443 check ssl verify none cookie web2
  server srv_3 10.0.0.3:9443 check ssl verify none cookie web3

Basically it works fine when all nodes are CONNECTED, but if some node goes to DISCONNECTED state, http-check to selected API method still returns 200 and HAProxy continues to route users to that node.

So, give an advice, please. How can I configure HAProxy health-check to get expected behavior? Thanks a lot.

465 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎07-29-2025 07:23 AM

@asand3r 

A node must be "disconnected" before it can be offloaded.  Only a running node can be offloaded.  So as long as a node is running. it's UI will be accessible.

A couple options:

  1. https://<nifi-node>:<nifi-port>/nifi-api/controller/cluster. <-- this end point when hit will return the following type responses:
    • If node is connected, it will return json that includes the connection status of all nodes that are part of cluster.  So this response could be parsed to see if any nodes are disconnected. So you could parse status of all nodes from a single connected node's response
    • If node is not connected, it will return "Only a node connected to a cluster can process the request" which tells you that node is disconnected.
  2. https://<nifinode>:<nifi-port>/nifi-api/flow/cluster/summary
    • If node is connected, it will return a response like this:
       {"clusterSummary":{"connectedNodes":"3 / 3","connectedNodeCount":3,"totalNodeCount":3,"connectedToCluster":true,"clustered":true}}
    • If node is disconnected, it will return a response like this:
      {"clusterSummary":{"connectedNodeCount":0,"totalNodeCount":0,"connectedToCluster":false,"clustered":true}}
    • You'll need to parse the responses for connectedToCluster. If true use that node's UI, if false, exclude that node's UI.

  3. Of course if node is completely down, above will not help unless you mark as unavailable if no response.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

View solution in original post

442 Views
4 REPLIES 4

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎07-29-2025 07:23 AM

@asand3r 

A node must be "disconnected" before it can be offloaded.  Only a running node can be offloaded.  So as long as a node is running. it's UI will be accessible.

A couple options:

  1. https://<nifi-node>:<nifi-port>/nifi-api/controller/cluster. <-- this end point when hit will return the following type responses:
    • If node is connected, it will return json that includes the connection status of all nodes that are part of cluster.  So this response could be parsed to see if any nodes are disconnected. So you could parse status of all nodes from a single connected node's response
    • If node is not connected, it will return "Only a node connected to a cluster can process the request" which tells you that node is disconnected.
  2. https://<nifinode>:<nifi-port>/nifi-api/flow/cluster/summary
    • If node is connected, it will return a response like this:
       {"clusterSummary":{"connectedNodes":"3 / 3","connectedNodeCount":3,"totalNodeCount":3,"connectedToCluster":true,"clustered":true}}
    • If node is disconnected, it will return a response like this:
      {"clusterSummary":{"connectedNodeCount":0,"totalNodeCount":0,"connectedToCluster":false,"clustered":true}}
    • You'll need to parse the responses for connectedToCluster. If true use that node's UI, if false, exclude that node's UI.

  3. Of course if node is completely down, above will not help unless you mark as unavailable if no response.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

443 Views

avatar
author-rank asand3r
Explorer

Created ‎07-29-2025 10:27 AM

But there methods requires authentication. As I know it's not possible to create internal NiFi service user with persistent auth token to make a health check with it. So, right way is HAProxy agent check

426 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎07-30-2025 08:38 AM

@asand3r 

Use a client certificate eliminates need for token when connecting with NiFi.
A secured NiFi will always want a client certificate first and only use other authentication methods when a client certificate is not presented in the TSL exchange.  This is how NiFi node perform authorized actions between nodes. 

396 Views

avatar
author-rank asand3r
Explorer

Created on ‎07-31-2025 01:58 AM - edited ‎07-31-2025 01:58 AM

OK, @MattWho, thanks for your help.

376 Views
0 Kudos
Announcements
Community Announcements
June 2021 Community Highlights
Community Announcements
August 2025 Community Highlights
Community Announcements
July 2025 Community Highlights
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
Join Us at CommunityOverCode Asia 2025: Exploring the Future...
View More Announcements