Nifi on docker behind nginx processor configure not opening

Problem description

Followed guide ( https://michalklempa.com/2019/04/nifi-registry-nginx-proxy-tls-basic-auth/ ) to set up nginx basic auth, however instead of proxy for nifi-registry I set it up for nifi. Auth is working and page is accessible but somehow processor configure window not opening. The issue is due to nginx since direct access to nifi through HTTP exposed ports works, just not behind nginx proxy.

Below is the config I am using:

server {
  listen 9988 ssl;

  root /usr/share/nginx/html;

  index index.html;

  server_name _;

  ssl_certificate /etc/nginx/server_cert.pem;
  ssl_certificate_key /etc/nginx/server_key.pem;

  ssl_client_certificate /etc/nginx/client_cert.pem;
  ssl_verify_client optional;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # enables server-side protection from BEAST attacks
  ssl_prefer_server_ciphers on;

  # Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";

  # -!MEDIUM:exclude encryption cipher suites using 128 bit encryption.
  # -!LOW:   exclude encryption cipher suites using 64 or 56 bit encryption algorithms
  # -!EXPORT: exclude export encryption algorithms including 40 and 56 bits algorithms.
  # -!aNULL:  exclude the cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms.
  # These cipher suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.
  # -!eNULL:exclude the "NULL" ciphers that is those offering no encryption.
  # Because these offer no encryption at all and are a security risk they are disabled unless explicitly included.
  # @STRENGTH:sort the current cipher list in order of encryption algorithm key length.

  location / {
    if ($ssl_client_verify = SUCCESS) {
      set $auth_basic off;
    }
    if ($ssl_client_verify != SUCCESS) {
      set $auth_basic "Restricted Content. Please provide Nifi Authentication:";
    }

    auth_basic $auth_basic;
    auth_basic_user_file /etc/nginx/nginx.htpasswd;

    proxy_pass    http://172.18.0.77:8181/; # actual container ip/port of nifi
    proxy_set_header   Host                 $host;
    proxy_set_header   X-Real-IP            $remote_addr;
    proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto    $scheme;
    proxy_set_header   X-Forwarded-User     $remote_user;
    proxy_set_header   Authorization        "";
    proxy_set_header   X-ProxyScheme        $scheme;
    proxy_set_header   X-ProxyHost          $hostname;
    proxy_set_header   X-ProxyPort          $server_port;
    proxy_set_header   X-ProxyContextPath   "/";
  }
}

I tried passing container ip of nifi/host/nginx for X-ProxyHost but instead of giving "Unable to communicate to nifi" immediately it spins for a while and eventually gives the same error. What needs to be modified here? Any help would be appreciated.

Recommended answer

nginx noob here! After much fiddling with multiple ip/hostname combinations I was able to fix it with below config changes. Had to add nifi env properties to the docker-compose:

environment:
  - NIFI_REMOTE_INPUT_HOST=<private ip of nifi container e.g. 172.18.0.77>
  - NIFI_WEB_PROXY_CONTEXT_PATH=/
  - NIFI_WEB_HTTP_HOST=<private ip of nifi container>
  - NIFI_WEB_HTTP_PORT=8181

And for nginx config: modified proxy_set_header to "localhost" (since nginx server needed proxyHost defined as loopback server):

proxy_set_header X-ProxyHost localhost;

Hope this helps someone scratching their head who are in the same boat :)
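
An added example, not part of the original question or answer: a small Python check that reads an nginx config and reports problems with the four X-Proxy* headers the thread is about. The function names and the two sample strings are constructed for illustration, and it assumes NIFI_WEB_PROXY_CONTEXT_PATH is a comma-separated allowlist of context paths.

```python
import re

# The four headers from the question's config that tell NiFi how the
# browser reached the proxy.
REQUIRED = ("X-ProxyScheme", "X-ProxyHost", "X-ProxyPort", "X-ProxyContextPath")
# Matches uncommented `proxy_set_header NAME VALUE;` lines.
DIRECTIVE = re.compile(
    r'^\s*proxy_set_header\s+(\S+)\s+("[^"]*"|[^;\s]+)\s*;', re.MULTILINE)

# Constructed samples: header lines as in the question, then with the answer's change.
QUESTION_CONF = '''
    proxy_set_header   X-ProxyScheme        $scheme;
    proxy_set_header   X-ProxyHost          $hostname;
    proxy_set_header   X-ProxyPort          $server_port;
    proxy_set_header   X-ProxyContextPath   "/";
'''
ANSWER_CONF = QUESTION_CONF.replace("$hostname", "localhost")

def proxy_headers(conf):
    """Map each proxy_set_header name to its unquoted value."""
    return {name: value.strip('"') for name, value in DIRECTIVE.findall(conf)}

def check(conf, allowed_context_paths="/"):
    """Return findings for the X-Proxy* headers.

    allowed_context_paths is the NIFI_WEB_PROXY_CONTEXT_PATH value
    (assumed to be a comma-separated allowlist).
    """
    headers = proxy_headers(conf)
    findings = [f"{name}: not set" for name in REQUIRED if name not in headers]
    if headers.get("X-ProxyHost") == "$hostname":
        findings.append("X-ProxyHost: $hostname is the nginx machine's own name "
                        "(the container hostname under Docker), not the host "
                        "the browser connected to")
    ctx = headers.get("X-ProxyContextPath")
    allowed = [p.strip() for p in allowed_context_paths.split(",")]
    if ctx is not None and ctx not in allowed:
        findings.append(f"X-ProxyContextPath: {ctx!r} is not in {allowed!r}")
    return findings

if __name__ == "__main__":
    for label, conf in (("question", QUESTION_CONF), ("answer", ANSWER_CONF)):
        print(label, check(conf) or "ok")
```
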