Nifi on docker behind nginx processor configure not opening


Problem description

Followed the guide (https://michalklempa.com/2019/04/nifi-registry-nginx-proxy-tls-basic-auth/) to set up nginx basic auth; however, instead of a proxy for nifi-registry I set it up for nifi. Auth is working and the page is accessible, but somehow the processor configure window is not opening. The issue is due to nginx, since direct access to nifi through the HTTP exposed ports works, just not behind the nginx proxy.

Below is the config I am using:

server {
  listen 9988 ssl;

  root /usr/share/nginx/html;

  index index.html;

  server_name _;

  ssl_certificate /etc/nginx/server_cert.pem;
  ssl_certificate_key /etc/nginx/server_key.pem;

  ssl_client_certificate /etc/nginx/client_cert.pem;
  ssl_verify_client optional;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # enables server-side protection from BEAST attacks
  ssl_prefer_server_ciphers on;

  # Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";

  # -!MEDIUM:exclude encryption cipher suites using 128 bit encryption.
  # -!LOW:   exclude encryption cipher suites using 64 or 56 bit encryption algorithms
  # -!EXPORT: exclude export encryption algorithms including 40 and 56 bits algorithms.
  # -!aNULL:  exclude the cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms.
  # These cipher suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.
  # -!eNULL:exclude the "NULL" ciphers that is those offering no encryption.
  # Because these offer no encryption at all and are a security risk they are disabled unless explicitly included.
  # @STRENGTH:sort the current cipher list in order of encryption algorithm key length.

  location / {
    if ($ssl_client_verify = SUCCESS) {
      set $auth_basic off;
    }
    if ($ssl_client_verify != SUCCESS) {
      set $auth_basic "Restricted Content. Please provide Nifi Authentication:";
    }

    auth_basic $auth_basic;
    auth_basic_user_file /etc/nginx/nginx.htpasswd;

    proxy_pass    http://172.18.0.77:8181/; # actual container ip/port of nifi
    proxy_set_header   Host                 $host;
    proxy_set_header   X-Real-IP            $remote_addr;
    proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto    $scheme;
    proxy_set_header   X-Forwarded-User     $remote_user;
    proxy_set_header   Authorization        "";
    proxy_set_header   X-ProxyScheme        $scheme;
    proxy_set_header   X-ProxyHost          $hostname;
    proxy_set_header   X-ProxyPort          $server_port;
    proxy_set_header   X-ProxyContextPath   "/";
  }
}

I tried passing container ip of nifi/host/nginx for X-ProxyHost but instead of giving "Unable to communicate to nifi" immediately it spins for a while and eventually gives the same error. What needs to be modified here? Any help would be appreciated.

Recommended answer

nginx noob here! After much fiddling with multiple ip/hostname combinations I was able to fix it with below config changes. Had to add nifi env properties to the docker-compose:

environment:
  - NIFI_REMOTE_INPUT_HOST=<private ip of nifi container e.g. 172.18.0.77>
  - NIFI_WEB_PROXY_CONTEXT_PATH=/
  - NIFI_WEB_HTTP_HOST=<private ip of nifi container>
  - NIFI_WEB_HTTP_PORT=8181

And for nginx config: modified proxy_set_header to "localhost" (since nginx server needed proxyHost defined as loopback server):

proxy_set_header X-ProxyHost localhost;

Hope this helps someone scratching their head who are in the same boat :)
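
A consistency check across the two files this answer touches, as an added example that is not part of the original question or answer: it compares what nginx forwards (`proxy_pass` and the `X-Proxy*` headers) with the NiFi environment in docker-compose. The sample inputs are constructed from the configs above with the example IP filled in, and the function names are hypothetical.

```python
import re

# Constructed sample: the question's location block with the answer's
# X-ProxyHost change, and the answer's environment with the example IP filled in.
NGINX_CONF = """
location / {
    proxy_pass    http://172.18.0.77:8181/;
    proxy_set_header   X-ProxyScheme        $scheme;
    proxy_set_header   X-ProxyHost          localhost;
    proxy_set_header   X-ProxyPort          $server_port;
    proxy_set_header   X-ProxyContextPath   "/";
}
"""
COMPOSE_ENV = """
environment:
  - NIFI_REMOTE_INPUT_HOST=172.18.0.77
  - NIFI_WEB_PROXY_CONTEXT_PATH=/
  - NIFI_WEB_HTTP_HOST=172.18.0.77
  - NIFI_WEB_HTTP_PORT=8181
"""
PROXY_HEADERS = ("X-ProxyScheme", "X-ProxyHost", "X-ProxyPort", "X-ProxyContextPath")

def parse_nginx(conf):
    """Return (upstream_host, upstream_port, {header: value}) for one location block."""
    found = re.findall(r'^\s*proxy_set_header\s+(\S+)\s+("[^"]*"|[^;\s]+)\s*;', conf, re.M)
    headers = {name: value.strip('"') for name, value in found}
    m = re.search(r'^\s*proxy_pass\s+https?://([^:/;\s]+)(?::(\d+))?', conf, re.M)
    return (m.group(1) if m else None, m.group(2) if m else None, headers)

def parse_env(compose):
    """Return {KEY: value} from the '- KEY=value' items of a compose environment list."""
    return dict(re.findall(r'^\s*-\s*([A-Z0-9_]+)=(.*?)\s*$', compose, re.M))

def check(conf, compose):
    """List mismatches between what nginx forwards and how NiFi is started."""
    host, port, hdr = parse_nginx(conf)
    env, problems = parse_env(compose), []
    pairs = (("proxy_pass host", host, "NIFI_WEB_HTTP_HOST"),
             ("proxy_pass port", port, "NIFI_WEB_HTTP_PORT"),
             ("X-ProxyContextPath", hdr.get("X-ProxyContextPath"), "NIFI_WEB_PROXY_CONTEXT_PATH"))
    for label, seen, key in pairs:
        if seen != env.get(key):
            problems.append(f"{label} is {seen!r} but {key} is {env.get(key)!r}")
    problems += [f"{h} is not forwarded" for h in PROXY_HEADERS if h not in hdr]
    if hdr.get("X-ProxyHost") == "$hostname":
        # $hostname is the nginx machine's own hostname; the question used it.
        problems.append("X-ProxyHost is $hostname, the proxy's own hostname")
    return problems

if __name__ == "__main__":
    print(check(NGINX_CONF, COMPOSE_ENV) or "nginx and NiFi settings agree")
```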
