nifi-users mailing list archives

From Ryan H <ryan.howell.developm...@gmail.com>
Subject Re: Secure NiFi 1.5 Behind NGINX/HAProxy
Date Thu, 08 Feb 2018 03:08:25 GMT
Hi Koji,

Yes, this is exactly what I am looking for and almost where I got to. The
problem that I am facing is how to obtain/generate the nginx.crt and
nginx.key for the ssl_certificate and ssl_certificate_key in NGINX (per
your example provided). The other piece that I was not sure on was what
directive the nifi-cert.pem should go to (or any of the other generated
certs), which you cleared up. FWIW, the http between clients is an
infrastructure thing and it will only be http within a trusted area (for
now). So really, as of now, it's browser/api -> https -> protected
area/dmz/proxy -> http -> nginx -> https -> nifi.

Can you shed light on the nginx.crt and nginx.key (how to get these based
on what I have)? Thanks in advance!

server {
    listen 8443 ssl;
    server_name nginx.local;
    ssl_certificate /etc/nginx/nginx.crt;
    ssl_certificate_key /etc/nginx/nginx.key;
    ...
}

Cheers,

Ryan H

On Wed, Feb 7, 2018 at 9:52 PM, Koji Kawamura <ijokarumawak@gmail.com>
wrote:

> Hi Ryan,
>
> Although I am not sure why you'd want to use http between the clients
> and Nginx, I was able to set up a similar environment.
> I used LDAP provider instead of OpenID, but OpenID should work as well.
> The key is NOT to provide any client certificate from clients
> (browser/API) and Nginx to NiFi, so that NiFi will ask for username and
> password.
>
> I wrote a Gist entry including Nginx configuration. I hope it will be
> helpful for you.
> https://gist.github.com/ijokarumawak/d14e5b28a16d363d6c001a92b7e73fe4
>
> Thanks,
> Koji
>
> On Thu, Feb 8, 2018 at 6:55 AM, Ryan H
> <ryan.howell.development@gmail.com> wrote:
> > Hi All,
> >
> > This may be trivial, but I'm asking anyways for clarity. I am setting up a
> > secure instance of NiFi behind NGINX for reverse proxy capabilities. I have
> > a certain requirement that traffic coming in will hit NGINX as HTTP on port
> > 80. NGINX will need to forward the request to the secure instance as HTTPS
> > on port 8443.
> >
> > So: browser/API -> http -> NGINX -> https -> Secure NiFi
> >
> > Currently I am using the tls-toolkit in client/server mode for the secure
> > instance to get its certs. I plan to have an OpenID provider configured for
> > AuthN.
> >
> > From what I understand I will need to place the client key and certificate
> > as well as server key and certificate on NGINX. This may be a bad
> > assumption, but it's where I'm at, at this point.
> >
> > My question is: what would act as each of the key/certificates for both the
> > client/server to be placed on NGINX based on what is generated from the
> > tls-toolkit (which keys/certs would be extracted from each of the generated
> > files/stores)? Is what I'm doing feasible (I'm assuming it is, but open to
> > being wrong). I've tried a few different extractions from the keystore and
> > truststore, but this is a weaker area of expertise for me and would rather
> > be clear on what I'm doing.
> >
> > Any help is greatly appreciated.
> >
> > Cheers,
> >
> > Ryan H
>
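The step Ryan asks about in his last message, as an added example that is not part of the thread (neither Ryan's nor Koji's code): exporting the leaf certificate and private key from a tls-toolkit keystore into the PEM files that nginx's ssl_certificate and ssl_certificate_key directives take, and checking that the two files belong together before nginx is reloaded. It assumes the toolkit wrote a JKS or PKCS12 keystore holding a single entry, that keytool (from a JDK) and openssl are on PATH, and that the file names and password are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: tls-toolkit keystore -> nginx.crt / nginx.key.
# Assumed inputs: keystore.jks (toolkit default) or a PKCS12 keystore with one entry.
set -eu
umask 077   # every file written below is private to the invoking user

# jks_to_p12 <keystore.jks> <password> <out.p12>
# openssl cannot read JKS, so convert with keytool first (needs a JDK).
jks_to_p12() {
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype JKS -srcstorepass "$2" \
    -destkeystore "$3" -deststoretype PKCS12 -deststorepass "$2"
}

# p12_to_pem <keystore.p12> <password> <outdir>
# Writes <outdir>/nginx.crt (the leaf certificate only, no CA chain) and
# <outdir>/nginx.key (unencrypted PKCS#8, otherwise nginx prompts for a
# passphrase at every start; the umask above keeps the key 0600).
p12_to_pem() {
  p12=$1; pass=$2; out=$3
  mkdir -p "$out"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
    -out "$out/nginx.crt"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
    -out "$out/nginx.key"
}

# pem_matches <crt> <key>
# Returns 0 only if the key's public half equals the certificate's public key,
# i.e. the two files came from the same keystore entry. A mismatch is what
# makes nginx fail with "key values mismatch" on reload.
pem_matches() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}
```

The CA certificate the toolkit emits (nifi-cert.pem in the thread) is not part of this pair; it belongs to the directive that trusts the NiFi backend, not to ssl_certificate.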
