nifi-users mailing list archives

From Koji Kawamura <ijokaruma...@gmail.com>
Subject Re: Use Nifi Secure S2S with proxy
Date Wed, 11 Oct 2017 01:44:15 GMT
Hi Ali,

If you need to use HTTPS, then the forward proxy should support the HTTP
1.1 CONNECT method.
I've tested Squid, Apache Web Server and Apache Traffic Server before.
Squid didn't work well with S2S HTTPS because it doesn't support HTTP 1.1 fully.

Here's a Gist page that I wrote when I tested with those proxy servers:
https://gist.github.com/ijokarumawak/a0f7023225362e636f31d1376055e67c

Thanks,
Koji

On Tue, Oct 10, 2017 at 10:04 PM, Ali Nazemian <alinazemian@gmail.com> wrote:
> Thanks, Koji. Do I need to have any special requirement on the forward proxy,
> or does it work with any forward proxy?
>
> On Tue, Oct 10, 2017 at 2:29 PM, Koji Kawamura <ijokarumawak@gmail.com>
> wrote:
>>
>> Hi Ali,
>>
>> A single forward proxy server can be a SPOF. Although I haven't tried
>> myself, you should be able to make it highly available by deploying
>> multiple ones and a LB in front of those (such as Squid proxies behind
>> HA proxy, I found a couple of blog posts about this configuration). As
>> long as each NiFi instance talks to each other through forward proxy
>> servers, S2S load-balancing/fail-over features should work.
>>
>> You may find S2S HTTP design document [1] useful to understand how it
>> works internally.
>>
>> [1]
>> https://cwiki.apache.org/confluence/display/NIFI/Support+HTTP%28S%29+as+a+transport+mechanism+for+Site-to-Site
>>
>> Regards,
>> Koji
>>
>> On Sun, Oct 8, 2017 at 4:32 PM, Ali Nazemian <alinazemian@gmail.com>
>> wrote:
>> > Hi all,
>> >
>> > I would like to use Nifi secure site to site to send traffic among
>> > different Nifi clusters around the world. However, there are some
>> > security concerns of exposing Nifi IP address to the public, and I
>> > would like to use a proxy server to redirect an S2S traffic to the
>> > destination Nifi cluster. My question is if I use a proxy server in
>> > the RPG configuration how Nifi will manage that under the hood? Can I
>> > use multiple proxy servers in a single RPG to remove SPOF? Please be
>> > advised I am not referring to use a PostHTTP on the source and
>> > ListenHTTP on the destination and use a HAproxy as a load balancing. I
>> > am referring only to use S2S and a proxy server to overcome some of
>> > the security concerns at the enterprise. However, I am afraid I may
>> > create SPOF or break load-balancing/fail-over features of Nifi S2S
>> > protocol.
>> >
>> > Regards,
>> > Ali
>
>
>
>
> --
> A.Nazemian
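
Added example (not part of the original thread, and not code from NiFi or the linked Gist): a small probe that sends the HTTP 1.1 CONNECT request mentioned in the reply above to a forward proxy and reports whether the proxy opens a tunnel. The proxy and NiFi host names and ports in the comments are hypothetical, and the sample replies are constructed.

```python
import socket

def build_connect_request(target_host, target_port):
    """Bytes of an HTTP/1.1 CONNECT request for target_host:target_port."""
    authority = f"{target_host}:{target_port}"
    return (f"CONNECT {authority} HTTP/1.1\r\n"
            f"Host: {authority}\r\n\r\n").encode("ascii")

def parse_connect_reply(raw):
    """Parse the proxy's status line into (http_version, status_code, tunnel_open)."""
    status_line = raw.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    status = int(parts[1])
    # Any 2xx answer to CONNECT means the proxy opened the tunnel.
    return parts[0], status, 200 <= status < 300

def probe_proxy(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Send CONNECT to the proxy and report how it answered."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        raw = b""
        # Read only until the status line is complete; cap the buffer size.
        while b"\r\n" not in raw and len(raw) < 8192:
            chunk = sock.recv(1024)
            if not chunk:
                break
            raw += chunk
    return parse_connect_reply(raw)

# Constructed sample replies (not captured from any real proxy).
SAMPLE_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_REFUSED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n"

if __name__ == "__main__":
    print(parse_connect_reply(SAMPLE_OK))
    print(parse_connect_reply(SAMPLE_REFUSED))
    # Against a real deployment (hypothetical host names and ports):
    # print(probe_proxy("proxy.example.com", 3128, "nifi.example.com", 8443))
```

The returned HTTP version is whatever the proxy puts in its status line, so it can be compared against the HTTP 1.1 requirement stated in the reply.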
