I have started Apache NiFi in a container successfully with the command
    docker run --name nifi -p 9090:9090 -d -e NIFI_WEB_HTTP_PORT='9090' apache/nifi:latest
and can connect to the UI on http://localhost:9090/nifi - however, my company only allows HTTPS connections between subnets and so I am using Nginx to reverse proxy the https calls to the NiFi container with the following config:
    location /nifi/ {
        proxy_set_header X-ProxyScheme "https";
        proxy_set_header X-ProxyHost "mercury-dev";
        proxy_set_header X-ProxyPort "443";
        proxy_set_header X-ProxyContextPath "/nifi/";
        proxy_pass http://mercury-dev:9090/nifi/;
    }
    location /nifi-docs/ {
        proxy_set_header X-ProxyScheme "https";
        proxy_set_header X-ProxyHost "mercury-dev";
        proxy_set_header X-ProxyPort "443";
        proxy_set_header X-ProxyContextPath "/nifi-docs/";
        proxy_pass http://mercury-dev:9090/nifi-docs/;
    }
    location /nifi-api/ {
        proxy_set_header X-ProxyScheme "https";
        proxy_set_header X-ProxyHost "mercury-dev";
        proxy_set_header X-ProxyPort "443";
        proxy_set_header X-ProxyContextPath "/nifi-api/";
        proxy_pass http://mercury-dev:9090/nifi-api/;
    }
When I browse to https://mercury-dev/nifi from a remote machine, the NiFi UI starts to load, and then fails. The on-screen error says "An unexpected error has occurred. Please check the logs for additional details." and the Chrome developer console reports:
/nifi-api/access/kerberos:1 Failed to load resource: the server responded with a status of 409 (Conflict)
/nifi-api/access/oidc/exchange:1 Failed to load resource: the server responded with a status of 409 (Conflict)
/nifi-api/flow/about:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error)
/nifi-api/flow/process-groups/root:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error)
When I log into the container and look at the log files, I see a number of errors saying, for example ERROR [NiFi Web Server-21] org.apache.nifi.web.util.WebUtils The provided context path [/nifi-api] was not whitelisted
I have found references in the NiFi documentation to whitelisting the host and content using the nifi.web.proxy.host and nifi.web.proxy.context.path properties, but I can't find a description of how to do it.
How can I set these properties, or otherwise get this container running behind the HTTPS proxy?
The Docker container doesn't expose all the settings you need to modify directly for this use case, so you have a few options (responding to your numbered points).
(General) It looks like you provided configurations for multiple context paths, but not the root path (/). As stated in the documentation, there are many component context paths inside the NiFi application, so when putting it behind a proxy, the root path should be proxied.
nifi.properties settings). There is no way to configure those two settings you listed through the UI.
start.sh file lists the environment variables accepted by the Docker image at this time. To add more, please submit a PR or open a Jira requesting an improvement.
Koji Kawamura has provided example configuration and documentation for NiFi running behind a reverse proxy that you may be interested in.
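A pre-flight check for the mismatch behind the "was not whitelisted" log line, as an added example that is not part of the original posts or of the NiFi project: it compares the X-ProxyContextPath values an Nginx config sends with the nifi.web.proxy.context.path allow list and reports whether the root path is proxied. The sample inputs are constructed, the helper names are hypothetical, and the path normalization and the treatment of an empty root path are assumptions.

```python
import re

# Constructed sample inputs, modelled on the proxy config in the question.
NGINX_CONF = '''
location /nifi/ {
    proxy_set_header X-ProxyContextPath "/nifi/";
    proxy_pass http://mercury-dev:9090/nifi/;
}
location /nifi-api/ {
    proxy_set_header X-ProxyContextPath "/nifi-api/";
    proxy_pass http://mercury-dev:9090/nifi-api/;
}
'''
NIFI_PROPERTIES = '''
nifi.web.proxy.host=
nifi.web.proxy.context.path=/nifi
'''

def normalize(path):
    # Assumption: NiFi compares paths with a leading slash and no trailing
    # slash, as the logged "[/nifi-api]" for header "/nifi-api/" suggests.
    path = path.strip().strip("/")
    return "/" + path if path else ""

def allowed_context_paths(properties_text):
    """Read the comma-separated nifi.web.proxy.context.path allow list."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "nifi.web.proxy.context.path":
            return {normalize(p) for p in value.split(",") if p.strip()}
    return set()

def lint_proxy(nginx_text, properties_text):
    """Return (context paths missing from the allow list, whether "/" is proxied)."""
    allowed = allowed_context_paths(properties_text)
    sent = re.findall(
        r'proxy_set_header\s+X-ProxyContextPath\s+"?([^";\s]*)"?\s*;', nginx_text)
    # Assumption: an empty (root) context path needs no allow-list entry.
    rejected = sorted({normalize(p) for p in sent} - allowed - {""})
    has_root = re.search(r'^\s*location\s+/\s*\{', nginx_text, re.M) is not None
    return rejected, has_root

if __name__ == "__main__":
    rejected, has_root = lint_proxy(NGINX_CONF, NIFI_PROPERTIES)
    print("not in allow list:", rejected)
    print("root path proxied:", has_root)
```
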