nifi-users mailing list archives

From Koji Kawamura
Subject Re: Secure NiFi 1.5 Behind NGINX/HAProxy
Date Thu, 08 Feb 2018 02:52:35 GMT
Hi Ryan,

Although I am not sure why you'd want to use http between the clients
and Nginx, I was able to set up a similar environment.
I used the LDAP provider instead of OpenID, but OpenID should work as well.
The key is to NOT provide any client certificate from clients
(browser/API) and Nginx to NiFi, so that NiFi will ask username and

I wrote a Gist entry including Nginx configuration. I hope it will be
helpful for you.


On Thu, Feb 8, 2018 at 6:55 AM, Ryan H wrote:
> Hi All,
> This may be trivial, but I'm asking anyways for clarity. I am setting up a
> secure instance of NiFi behind NGINX for reverse proxy capabilities. I have
> a certain requirement that traffic coming in will hit NGINX as HTTP on port
> 80. NGINX will need to forward the request to the secure instance as HTTPS
> on port 8443.
> So: browser/API -> http -> NGINX -> https -> Secure NiFi
> Currently I am using the tls-toolkit in client/server mode for the secure
> instance to get its certs. I plan to have an OpenID provider configured for
> AuthN.
> From what I understand I will need to place the client key and certificate
> as well as server key and certificate on NGINX. This may be a bad
> assumption, but it's where I'm at, at this point.
> My question is: what would act as each of the key/certificates for both the
> client/server to be placed on NGINX based on what is generated from the
> tls-toolkit (which keys/certs would be extracted from each of the generated
> files/stores)? Is what I'm doing feasible (I'm assuming it is, but open to
> being wrong). I've tried a few different extractions from the keystore and
> truststore, but this is a weaker area of expertise for me and would rather
> be clear on what I'm doing.
> Any help is greatly appreciated.
> Cheers,
> Ryan H
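
An Nginx configuration sketch for the layout discussed in this thread, added here as an illustration; it is not the configuration from the Gist mentioned above and is not either poster's code. Host names and file paths are placeholders, and the CA file is assumed to be the tls-toolkit CA certificate exported as PEM.

```nginx
# Added example: browser/API -> http :80 -> Nginx -> https :8443 -> secure NiFi.
# All host names and paths below are placeholders (assumptions).
events {}

http {
    server {
        # Port 80 is the requirement stated in the thread. The login form and
        # the session token cross this leg unencrypted.
        listen 80;
        server_name nifi-proxy.example.com;              # placeholder

        location / {
            proxy_pass https://nifi.example.internal:8443;   # placeholder NiFi host

            # Nginx only needs to trust NiFi's server certificate. That takes
            # the CA certificate alone; no private key has to be copied here.
            proxy_ssl_trusted_certificate /etc/nginx/certs/nifi-ca.pem;  # placeholder path
            proxy_ssl_verify       on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_name         nifi.example.internal;    # must match the NiFi cert

            # Deliberately NOT set, per the reply above:
            #   proxy_ssl_certificate      ...;
            #   proxy_ssl_certificate_key  ...;
            # With no client certificate on the Nginx -> NiFi connection,
            # NiFi falls back to its configured login provider (LDAP, OpenID).

            # Headers NiFi reads to build URLs that point back at the proxy.
            # The values assume clients reach Nginx as http://<host>:80/.
            proxy_set_header X-ProxyScheme http;
            proxy_set_header X-ProxyHost   $host;
            proxy_set_header X-ProxyPort   80;
        }
    }
}
```

`nginx -t` checks the syntax before a reload. If NiFi keeps skipping the login page, look for a leftover `proxy_ssl_certificate` directive in an included file.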
