Tags: ssl, apache-nifi, haproxy, apache-nifi-registry

Can't authenticate for NiFi/NiFi Registry instance sitting behind HAProxy server


I have a NiFi and NiFi Registry instance sitting behind an HAProxy server. The NiFi instances are both secured using SSL. I am not able to pass the SSL information from the proxy server to the NiFi server. I also tried SSL passthrough, but that has some other limitations further down the line.

My current HAProxy config looks like this:

frontend https_in
    bind *:443 ssl crt /etc/ssl/nifi/nifi-server.pem verify required ca-file /etc/ssl/nifi/nifi-ca.cert
    mode http
    option httplog
    option http-server-close

    acl is_registry path_beg /nifi-registry

    use_backend nifi-registry if is_registry
    default_backend nifi

backend nifi-registry
   mode http
   balance roundrobin
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request set-header X-Forwarded-Proto https if { ssl_fc }
   http-request set-header X-ProxyScheme https
   http-request set-header X-ProxyHost xx.xxx.xxx.xx
   http-request set-header X-ProxyPort 443

   server registry01 172.xx.xx.xxx:18443 check ssl verify none

When I browse to https://xx.xxx.xxx.xx:443/nifi-registry and select the client certificate, I get the NiFi Registry UI, but I am not logged in as my client user. I am not able to pass my SSL information to the NiFi servers. Following the documentation I've set some headers, but they don't seem to have any effect.

Am I missing something here?

EDIT

So, as suggested in the comments and mentioned above, I also tried SSL passthrough in tcp mode. With this I manage to pass the SSL authentication to the NiFi servers, but I run into an "invalid host header" message.

My HAProxy config:

frontend http_in
    bind *:80 v4v6
    mode http
    redirect scheme https if !{ ssl_fc }

frontend nifi_registry_in
    bind *:1443 v4v6
    mode tcp
    option tcplog

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    default_backend nifi_registry

frontend nifi_in
    bind *:2443 v4v6
    mode tcp
    option tcplog

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    default_backend nifi

backend nifi_registry
   mode tcp
   balance roundrobin
   server registry01 xxx.xx.xx.xxx:18443 check

backend nifi
    mode tcp
    balance roundrobin
    server nifi01 xxx.xx.xx.xxx:9443 check

When browsing to [public-haproxy-server-domain]:1443 I get the registry UI after authentication. When browsing to [public-haproxy-server-domain]:2443 I get the following error after authentication.

My NiFi config is:

nifi.web.https.host=xxx.xx.xx.xxx
nifi.web.https.port=9443
nifi.web.https.network.interface.default=
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=
nifi.web.proxy.host=[public-haproxy-server-domain]:2443

[screenshot of the "invalid host header" error shown after authentication; image not available]


Solution

  • So I've figured it out, and I feel really stupid on this one. On the other hand, I don't find this well documented, so I will post my answer here for other people in need.

    Apparently, for the nifi.web.proxy.host setting to work, the nifi.web.proxy.context.path setting should also be set. Simply putting a '/' as the value for this makes everything work as expected.

    nifi.web.proxy.context.path=/
    nifi.web.proxy.host=[public-haproxy-server-domain]:2443
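The "invalid host header" error in the question and the nifi.web.proxy.host fix in the solution both come down to one rule: the host[:port] a browser sends (or the proxy forwards) must exactly match a value the application has been told to accept. The following Python is an added, constructed model of that whitelist check, written for this page and not taken from NiFi's source; it reads the same property names the page uses (nifi.web.https.host, nifi.web.https.port, nifi.web.proxy.host), but the loopback defaults, the treatment of port-less entries and the X-ProxyHost / X-Forwarded-Host / Host precedence are modelling assumptions, and proxy.example.test and 172.0.0.10 are placeholders.

```python
"""Constructed model (not NiFi's own code) of how a proxied, TLS-secured web
application decides whether an incoming Host header is acceptable, driven by
the same property names the page uses. Hostnames and IPv4 literals only;
IPv6 bracket syntax is deliberately not handled."""

from typing import Dict, Optional, Set, Tuple

# Constructed nifi.properties excerpt; proxy.example.test is an assumed placeholder
# for the public HAProxy name, 172.0.0.10 for the NiFi node's bound address.
NIFI_PROPERTIES = """
nifi.web.https.host=172.0.0.10
nifi.web.https.port=9443
nifi.web.proxy.context.path=/
nifi.web.proxy.host=proxy.example.test:2443
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for a Java-style properties file (no escapes)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_host_port(value: str) -> Tuple[str, Optional[str]]:
    """'host:1234' -> ('host', '1234'); 'host' -> ('host', None). Lower-cases the host."""
    value = value.strip().lower()
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return value, None


def build_allowed_hosts(props: Dict[str, str]) -> Set[str]:
    """Allowed values: loopback names and the bound host, each with and without the
    bound port, plus every comma-separated nifi.web.proxy.host entry. An entry given
    without a port is accepted bare and with the bound port (modelling assumption)."""
    bound_host = props.get("nifi.web.https.host", "").lower()
    bound_port = props.get("nifi.web.https.port", "")
    allowed: Set[str] = set()
    for name in ("localhost", "127.0.0.1", bound_host):
        if name:
            allowed.add(name)
            allowed.add(f"{name}:{bound_port}")
    for entry in props.get("nifi.web.proxy.host", "").split(","):
        if not entry.strip():
            continue
        host, port = split_host_port(entry)
        if port is None:
            allowed.add(host)
            allowed.add(f"{host}:{bound_port}")
        else:
            allowed.add(f"{host}:{port}")
    return allowed


def effective_host(headers: Dict[str, str]) -> str:
    """Header precedence assumed for this model: X-ProxyHost (with X-ProxyPort appended
    when X-ProxyHost carries no port), then X-Forwarded-Host, then Host."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-proxyhost" in h:
        host, port = split_host_port(h["x-proxyhost"])
        if port is None and h.get("x-proxyport"):
            return f"{host}:{h['x-proxyport'].strip()}"
        return h["x-proxyhost"].strip().lower()
    return h.get("x-forwarded-host", h.get("host", "")).strip().lower()


def is_host_allowed(headers: Dict[str, str], allowed: Set[str]) -> bool:
    """True only when the effective host[:port] exactly matches an allowed value;
    a matching name with a different (or missing) port is rejected."""
    host, port = split_host_port(effective_host(headers))
    return (host if port is None else f"{host}:{port}") in allowed


if __name__ == "__main__":
    allowed = build_allowed_hosts(parse_properties(NIFI_PROPERTIES))
    for hdrs in ({"Host": "proxy.example.test:2443"},   # via the TCP-passthrough frontend
                 {"Host": "proxy.example.test"},        # same name, port omitted
                 {"Host": "172.0.0.10:9443"},           # direct to the node
                 {"Host": "evil.example:2443"}):        # not whitelisted
        print(hdrs, "->", "accepted" if is_host_allowed(hdrs, allowed) else "rejected")
```

Running it shows why the question's port 2443 frontend failed until the whitelist carried the public name with that exact port, and why a request that arrives with the name but no port (for example through a frontend bound to 443) is rejected again unless that variant is listed too. The same exact-match discipline is the defensive point: a permissive or wildcard host list would let a DNS-rebinding or Host-header-spoofing request be treated as legitimate.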