From eb919a5e7883f9300af189c17e18ce7c24c34879 Mon Sep 17 00:00:00 2001 From: Matt Gilman Date: Wed, 19 Jul 2017 11:34:08 -0400 Subject: [PATCH 1/2] NIFI-4206: - Updating admin guide to include instructions for running NiFi behind a proxy. --- .../main/asciidoc/administration-guide.adoc | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc index ef17cff92528..82b694fa1007 100644 --- a/nifi-docs/src/main/asciidoc/administration-guide.adoc +++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc 
@@ -2442,6 +2442,39 @@ A complete example of configuring the HTTP service could look like the following .... +[[proxy_configuration]] +Proxy Configuration +------------------- +​When running Apache NiFi behind a proxy there are a couple of key items to follow during deployment. + +* NiFi is comprised of a number of web applications (web ui, web api, documentation, custom ui's, data viewers, etc). So the mapping needs to be configured for the root path. That way all context +paths are passed through accordingly. For instance, if only the /nifi context path was mapped, the custom ui for UpdateAttribute will not work since it's available at /update-attribute-ui-. + +* NiFi's REST API will generate URI's for each component on the graph. Since requests are coming through a proxy, certain elements of the URI's being generated need to be overridden. Without +overriding the users will be able to view the dataflow on the canvas but will be unable to in modify existing components. Requests will be attempting to call back directly to NiFi, not through the +proxy. The elements of the URI can be overridden by adding the following HTTP headers when the proxy generates the HTTP request to the NiFi instance: + +.... +X-ProxyScheme - the scheme to use to connect to the proxy +X-ProxyHost - the host of the proxy +X-ProxyPort - the port the proxy is listening on +X-ProxyContextPath - the path configured to map to the NiFi instance +.... + +* If NiFi is running securely, any proxy needs to be authorized to proxy user requests. These can be configured in the NiFi UI through the Global Menu. Once these permissions are in place proxies +can begin proxying user requests. The end user identity must be relayed in a HTTP header. For example, if the end user sent a request to the proxy, the proxy must authenticate the user. Following +this the proxy can send the request to NiFi. In this request an HTTP header should be added as follows. + +.... +X-ProxiedEntitiesChain: +.... 
+ +If the proxy is configured to send to another proxy, the request to NiFi from the second proxy should contain a header as follows. + +.... +X-ProxiedEntitiesChain: +.... + [[kerberos_service]] Kerberos Service ---------------- From 7a91b98b190fbe7dc03ff3f18951cc72d5e39886 Mon Sep 17 00:00:00 2001 From: Matt Gilman Date: Thu, 20 Jul 2017 09:44:06 -0400 Subject: [PATCH 2/2] NIFI-4206: - Including a brief example proxy configuration for NiFi specific properties. --- .../main/asciidoc/administration-guide.adoc | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/nifi-docs/src/main/asciidoc/administration-guide.adoc b/nifi-docs/src/main/asciidoc/administration-guide.adoc index 82b694fa1007..c1d067318f3a 100644 --- a/nifi-docs/src/main/asciidoc/administration-guide.adoc +++ b/nifi-docs/src/main/asciidoc/administration-guide.adoc @@ -2475,6 +2475,30 @@ If the proxy is configured to send to another proxy, the request to NiFi from th X-ProxiedEntitiesChain: .... +An example Apache proxy configuration that sets the required properties may look like the follow. Complete proxy configuration is outside of the scope of this document. Please refer the +documentation of the proxy for guidance for your deployment environment and use case. + +.... +... + + ... + SSLEngine On + SSLCertificateFile /path/to/proxy/certificate.crt + SSLCertificateKeyFile /path/to/proxy/key.key + SSLCACertificateFile /path/to/ca/certificate.crt + SSLVerifyClient require + RequestHeader add X-ProxyScheme "https" + RequestHeader add X-ProxyHost "proxy-host" + RequestHeader add X-ProxyPort "443" + RequestHeader add X-ProxyContextPath "/my-nifi" + RequestHeader add X-ProxiedEntitiesChain "<%{SSL_CLIENT_S_DN}s>" + ProxyPass https://nifi-host:8443 + ProxyPassReverse https://nifi-host:8443 + ... + +... +.... + [[kerberos_service]] Kerberos Service ----------------
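Review bot: In [PATCH 1/2], the bullet on running securely says the X-ProxiedEntitiesChain header "should be added" but does not say what the proxy does with a copy of that header, or of the X-Proxy* headers, already present on the client's request. Add a sentence stating that the proxy replaces any inbound values with its own, so the identity relayed to NiFi is always the one the proxy authenticated. In the same bullet, "These can be configured" has no clear antecedent, so name the permission being granted. The second bullet has a typo: "will be unable to in modify existing components" should read "will be unable to modify existing components".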
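Review bot: In [PATCH 2/2], the example uses "RequestHeader add" for all five headers, and in mod_headers "add" appends to a header of the same name that the client already sent instead of replacing it, so a client-supplied X-ProxiedEntitiesChain or X-ProxyHost would reach NiFi alongside the proxy's value. Use "RequestHeader set" on each of the five lines, keeping the values as they are. The introductory sentence also needs two wording fixes: "may look like the follow" should be "may look like the following", and "Please refer the documentation" should be "Please refer to the documentation".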