nifi-users mailing list archives

From Koji Kawamura <ijokaruma...@gmail.com>
Subject Re: Secure NiFi 1.5 Behind NGINX/HAProxy
Date Thu, 08 Feb 2018 02:52:35 GMT

Hi Ryan,

Although I am not sure why you'd want to use http between the clients
and Nginx, I was able to set up a similar environment.
I used the LDAP provider instead of OpenID, but OpenID should work as well.
The key is to NOT provide any client certificate from clients
(browser/API) and Nginx to NiFi, so that NiFi will ask for a username and
password.

I wrote a Gist entry including Nginx configuration. I hope it will be
helpful for you.
https://gist.github.com/ijokarumawak/d14e5b28a16d363d6c001a92b7e73fe4

Thanks,
Koji

On Thu, Feb 8, 2018 at 6:55 AM, Ryan H
<ryan.howell.development@gmail.com> wrote:
> Hi All,
>
> This may be trivial, but I'm asking anyways for clarity. I am setting up a
> secure instance of NiFi behind NGINX for reverse proxy capabilities. I have
> a certain requirement that traffic coming in will hit NGINX as HTTP on port
> 80. NGINX will need to forward the request to the secure instance as HTTPS
> on port 8443.
>
> So: browser/API -> http -> NGINX -> https -> Secure NiFi
>
> Currently I am using the tls-toolkit in client/server mode for the secure
> instance to get its certs. I plan to have an OpenID provider configured for
> AuthN.
>
> From what I understand I will need to place the client key and certificate
> as well as server key and certificate on NGINX. This may be a bad
> assumption, but it's where I'm at, at this point.
>
> My question is: what would act as each of the key/certificates for both the
> client/server to be placed on NGINX based on what is generated from the
> tls-toolkit (which keys/certs would be extracted from each of the generated
> files/stores)? Is what I'm doing feasible (I'm assuming it is, but open to
> being wrong). I've tried a few different extractions from the keystore and
> truststore, but this is a weaker area of expertise for me and would rather
> be clear on what I'm doing.
>
> Any help is greatly appreciated.
>
> Cheers,
>
> Ryan H
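
The arrangement discussed in this thread, as an added Nginx configuration example (not the contents of the linked Gist and not code from either poster). The hostnames and the CA certificate path are assumptions; the `X-Proxy*` headers are the ones NiFi reads to learn how clients address the proxy.

```nginx
# Added example; hostnames and file paths below are assumptions.
events {}

http {
    server {
        # Clients reach Nginx over plain HTTP, as required in the thread.
        # Login credentials and the NiFi token cross this hop unencrypted.
        listen 80;
        server_name nginx.example.com;                 # assumed proxy hostname

        location / {
            # Nginx speaks HTTPS to the secured NiFi instance.
            proxy_pass https://nifi.example.com:8443;  # assumed NiFi host

            # Verify NiFi's server certificate against the CA that issued it
            # (assumed here: the tls-toolkit CA certificate exported as PEM).
            proxy_ssl_trusted_certificate /etc/nginx/certs/nifi-ca.pem;  # assumed path
            proxy_ssl_verify       on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_server_name  on;

            # Deliberately absent: proxy_ssl_certificate and
            # proxy_ssl_certificate_key. With no client certificate presented
            # on this connection, NiFi asks the user for a username and
            # password through its configured login provider.

            # Tell NiFi how clients address the proxy so generated URLs match.
            proxy_set_header X-ProxyScheme      http;
            proxy_set_header X-ProxyHost        nginx.example.com;
            proxy_set_header X-ProxyPort        80;
            proxy_set_header X-ProxyContextPath /;
        }
    }
}
```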
