[ https://issues.apache.org/jira/browse/NIFI-5508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16580236#comment-16580236 ]
Andy LoPresto commented on NIFI-5508:
-------------------------------------

Curtis,

I am confused by your assertion that S2S does not work behind a reverse proxy. Koji made changes in [NIFI-4932|https://issues.apache.org/jira/browse/NIFI-4932] which were accepted in [PR 2510|https://github.com/apache/nifi/pull/2510] and released in Apache NiFi 1.7.0. He discusses that further [here|https://github.com/ijokarumawak/nifi-reverseproxy]. There is additional discussion of setting up Apache Knox (a reverse proxy) with NiFi [here|https://risdenk.github.io/2018/03/18/apache-knox-proxying-apache-nifi.html]. Am I misunderstanding your position here?

The S2S discovery process happens over HTTP regardless of the actual data transfer protocol selected ({{HTTP}}/{{RAW}}). When secured, all S2S communication and all cluster communication (request replication, etc.) require mutual authentication over TLS as these are machine-to-machine communications.

> Support disabling wantClientAuth when running behind a reverse proxy.
> ---------------------------------------------------------------------
>
> Key: NIFI-5508
> URL: https://issues.apache.org/jira/browse/NIFI-5508
> Project: Apache NiFi
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.7.0, 1.7.1
> Environment: Reverse Proxy & trying to use other credential provider when the reverse proxy provides a client certificate itself.
> Reporter: Curtis W Ruck
> Priority: Major
> Labels: rever
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> As discussed on mailing list.
> JettyServer always calls either setNeedClientAuth(true) or setWantClientAuth(true).
> When used with a reverse proxy that has a client certificate, it is impossible currently to use other credential providers as the X509 authentication takes precedence.
> Adding the ability to disable wantClientAuth via a NiFi property would enable the ability to leverage existing SSO solutions behind a reverse proxy.
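The precedence problem the issue describes, as an added illustration that is not NiFi's or Jetty's code: a simplified model in which a certificate presented by the TLS peer is always checked before any other credential. The `ClientAuth.NONE` mode stands in for the property the issue proposes, and the class names, DN and token value are constructed for the example.

```java
import java.util.Optional;

// Simplified model of the behaviour described in NIFI-5508; not NiFi source code.
public class ClientAuthPrecedence {

    // NEED and WANT mirror setNeedClientAuth(true) / setWantClientAuth(true).
    // NONE is hypothetical: the mode the issue asks to make configurable.
    enum ClientAuth { NEED, WANT, NONE }

    // What the server sees on one request. peerCertDn is the subject of the
    // certificate offered by the TLS peer (null if the peer has none); behind a
    // reverse proxy the TLS peer is the proxy, not the end user.
    static final class Request {
        final String peerCertDn;
        final String ssoToken;
        Request(String peerCertDn, String ssoToken) {
            this.peerCertDn = peerCertDn;
            this.ssoToken = ssoToken;
        }
    }

    // Returns the identity the request is authenticated as, or empty if rejected.
    static Optional<String> authenticate(ClientAuth mode, Request r) {
        // The server only receives a client certificate if it asked for one.
        String cert = (mode == ClientAuth.NONE) ? null : r.peerCertDn;
        if (mode == ClientAuth.NEED && cert == null) {
            return Optional.empty();            // handshake fails without a cert
        }
        if (cert != null) {
            return Optional.of(cert);           // X509 takes precedence
        }
        return resolveToken(r.ssoToken);        // other credential providers
    }

    // Constructed stand-in for an SSO/token provider lookup.
    static Optional<String> resolveToken(String token) {
        return "token-alice".equals(token) ? Optional.of("alice") : Optional.empty();
    }

    public static void main(String[] args) {
        Request viaProxy = new Request("CN=proxy.example.com", "token-alice");
        Request direct = new Request(null, "token-alice");
        for (ClientAuth mode : ClientAuth.values()) {
            System.out.printf("%-4s via proxy -> %-28s direct -> %s%n", mode,
                    authenticate(mode, viaProxy), authenticate(mode, direct));
        }
    }
}
```

Under `WANT`, the proxied request resolves to the proxy's DN even though the user supplied a valid token; the token provider is consulted only when no certificate is requested or offered. The model covers user-facing requests only and leaves out S2S and cluster traffic, which the comment above says require mutual TLS when secured.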