My goal is to collect some changed data from a remote database into a NiFi instance via site-to-site over the internet. How can I protect the input port on the internet with a user/password? I don't mean an SSL connection, but preventing unauthorized invocation.
Is site-to-site suitable for this situation? Or should I use HTTP processors instead of S2S?
In the end, I deployed a Squid server as an HTTP proxy within the local network of the central NiFi server. With the following configuration options, Squid was restricted to invoking only the NiFi service and to requiring authentication:
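# Basic authentication checked against an htpasswd-style file
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/.htpasswd
# Destination must be the NiFi host and port
acl nifi_host dst <nifi host ip address>
acl nifi_port port <nifi port>
# Any user accepted by the auth helper
acl auth_user proxy_auth REQUIRED
# All three ACLs must match; everything else is refused
http_access allow nifi_host nifi_port auth_user
http_access deny all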
On the remote database side, configure the NiFi site-to-site connection to use the HTTP proxy with user and password.
So far, this solution works fine.
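
The following is an added example, not part of the original post and not Squid code: a simplified Python model of how the two http_access lines above are evaluated (ACLs on one line are ANDed, the first matching line decides), showing which requests are forwarded, challenged or refused. The host, port, user name and password are constructed sample values standing in for the placeholders in the configuration.

```python
# Simplified model of http_access evaluation for the rules in the post.
# Assumptions: constructed host/port/credentials; 200 means "forwarded to NiFi".
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

NIFI_HOST = "192.0.2.10"   # stands in for <nifi host ip address>
NIFI_PORT = 8443           # stands in for <nifi port>
HTPASSWD = {"s2s_user": "constructed-password"}  # stands in for /etc/squid/.htpasswd
CHALLENGE = object()       # marker: the proxy must ask for credentials

@dataclass
class Request:
    dst: str
    port: int
    creds: Optional[Tuple[str, str]] = None  # (user, password) sent to the proxy

def acl_nifi_host(req): return req.dst == NIFI_HOST
def acl_nifi_port(req): return req.port == NIFI_PORT
def acl_all(req): return True

def acl_auth_user(req):
    # proxy_auth REQUIRED: matches any user the auth helper accepts
    if req.creds is None:
        return CHALLENGE
    user, password = req.creds
    expected = HTPASSWD.get(user)
    ok = expected is not None and hmac.compare_digest(expected, password)
    return True if ok else CHALLENGE

RULES = [
    ("allow", [acl_nifi_host, acl_nifi_port, acl_auth_user]),
    ("deny", [acl_all]),
]

def evaluate(req):
    """Return the HTTP status the proxy answers with for this request."""
    for action, acls in RULES:
        for acl in acls:              # ACLs on one line are ANDed, left to right
            result = acl(req)
            if result is CHALLENGE:
                return 407            # Proxy Authentication Required
            if not result:
                break                 # line does not match, try the next line
        else:
            return 200 if action == "allow" else 403
    return 403                        # not reached here: "deny all" always matches
```

Because the destination ACLs come before auth_user on the allow line, a request for any other host or port falls through to "deny all" even with valid credentials, so the proxy cannot be used as a general relay.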