nifi-users mailing list archives

From Wayna Runa <waynar...@gmail.com>
Subject NiFi 1.1.1 behind Apache HTTPd Proxy
Date Mon, 16 Jan 2017 13:41:55 GMT
Hi there!

I've configured NiFi 1.1.1 *Standalone* with Kerberos (FreeIPA) to do AuthN
and AuthZ. Everything seems to be OK because:

1.- Initial admin login through Kerberos works.
2.- SSL enabled: NiFi asks for a user cert; if I just cancel, the browser is
redirected to the NiFi login page, where I can introduce a Kerberos user. If I
choose a valid user cert, the browser is redirected to a NiFi authorized canvas.
3.- I can add more users (by using the Kerberos configuration) through the NiFi UI.

Now, I have installed an Apache HTTPd proxy in front of NiFi by using this
config:

Listen 443 https
....
<VirtualHost _default_:443>
...
    <Location "/nifi">
        Header always unset Strict-Transport-Security
        RequestHeader add X-ProxyScheme "https"
        RequestHeader add X-ProxyHost "my-proxy"
        RequestHeader add X-ProxyPort "443"
        RequestHeader add X-ProxyContextPath "/nifi"
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "FooBar"
        ProxyPass https://my-nifi-standalone:8443/nifi
        ProxyPassReverse https://my-nifi-standalone:8443/nifi
        <LimitExcept GET POST HEAD>
            deny from all
        </LimitExcept>
    </Location>

    <Location "/nifi-api">
        Header always unset Strict-Transport-Security
        RequestHeader add X-ProxyScheme "https"
        RequestHeader add X-ProxyHost "my-proxy"
        RequestHeader add X-ProxyPort "443"
        RequestHeader add X-ProxyContextPath "/nifi-api"
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "FooBar"
        ProxyPass https://my-nifi-standalone:8443/nifi-api
        ProxyPassReverse https://my-nifi-standalone:8443/nifi-api
        <LimitExcept GET POST HEAD>
            deny from all
        </LimitExcept>
    </Location>

    <Location "/nifi-docs">
        Header always unset Strict-Transport-Security
        RequestHeader add X-ProxyScheme "https"
        RequestHeader add X-ProxyHost "my-proxy"
        RequestHeader add X-ProxyPort "443"
        RequestHeader add X-ProxyContextPath "/nifi-docs"
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "FooBar"
        ProxyPass https://my-nifi-standalone:8443/nifi-docs
        ProxyPassReverse https://my-nifi-standalone:8443/nifi-docs
        <LimitExcept GET POST HEAD>
            deny from all
        </LimitExcept>
    </Location>
</VirtualHost>

Then, when I go to https://my-proxy-nifi/nifi and choose the same valid user
cert, I get a NiFi error page with this message:

Unable to check Access Status
Unable to validate the access token


On the NiFi server, the error log (nifi-user.log) shows:

INFO [NiFi Web Server-17] o.a.n.w.a.c.IllegalStateExceptionMapper
java.lang.IllegalStateException: Kerberos ticket login not supported by
this NiFi.. Returning Conflict response.
INFO [NiFi Web Server-17] o.a.n.w.a.c.AccessDeniedExceptionMapper anonymous
does not have permission to access the requested resource. Returning
Unauthorized response.
INFO [NiFi Web Server-17] o.a.nifi.web.security.jwt.JwtService There was an
error validating the JWT
io.jasonwebtoken.JwtException: Unable to validate the access token.
....
Caused by: io.jasonwebtoken.MalformedJwtException: JWT strings must contain
exactly 2 period characters. Found: 0
....


And in the browser I can see this error through the Firefox developer plugin:

GET https://my-proxy-nifi/nifi-api/flow/current-user
Status code: 401 Unauthorized


I've used this thread to configure the Apache HTTPd proxy:
https://mail-archives.apache.org/mod_mbox/nifi-dev/201509.mbox/%3CCAFddr26dJFm4droVjVPOm-swUn0aR-=_VPQPxOiXa1mO5mJwYg@mail.gmail.com%3E

Any help is welcome!!

Regards.

- wr
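
The MalformedJwtException in the log above means the token NiFi was handed contained no periods, so it was not a compact JWT (header.payload.signature) at all. The following is an added example, not part of the original message or of NiFi's code: a structural triage of an Authorization header value that applies the same two-period rule before decoding anything. The function names and all sample values are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_bearer(authorization: str) -> dict:
    """Structural triage of an Authorization header value (no signature check)."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        return {"ok": False, "reason": "no bearer token present"}
    periods = token.count(".")
    if periods != 2:
        # Same condition that the log reports as "Found: 0".
        return {"ok": False, "reason": f"expected 2 periods, found {periods}"}
    header_b64, payload_b64, signature_b64 = token.split(".")
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return {"ok": False, "reason": f"segment is not base64url JSON: {exc}"}
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return {"ok": False, "reason": "header or payload is not a JSON object"}
    if not signature_b64:
        return {"ok": False, "reason": "empty signature segment"}
    return {"ok": True, "alg": header.get("alg"), "sub": payload.get("sub")}


# Constructed samples: none of these values come from the original message.
SAMPLE_TOKEN = ".".join([b64url_encode({"alg": "HS256"}),
                         b64url_encode({"sub": "constructed-user"}), "c2ln"])
SAMPLES = ["Bearer null", "Bearer a.b", "Negotiate YII=", "Bearer " + SAMPLE_TOKEN]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value[:24]!r:28} -> {inspect_bearer(value)}")
```

Running the same check on the Authorization header captured in the browser's network panel shows whether the request carried a real token or a placeholder string.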
