[ 
https://issues.apache.org/jira/browse/NIFI-5508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16580236#comment-16580236
 ] 

Andy LoPresto commented on NIFI-5508:
-------------------------------------

Curtis, I am confused by your assertion that S2S does not work behind a reverse 
proxy. Koji made changes in 
[NIFI-4932|https://issues.apache.org/jira/browse/NIFI-4932] which were accepted 
in [PR 2510|https://github.com/apache/nifi/pull/2510] and released in Apache 
NiFi 1.7.0. He discusses that further 
[here|https://github.com/ijokarumawak/nifi-reverseproxy]. There is additional 
discussion of setting up Apache Knox (a reverse proxy) with NiFi 
[here|https://risdenk.github.io/2018/03/18/apache-knox-proxying-apache-nifi.html].
Am I misunderstanding your position here?

The S2S discovery process happens over HTTP regardless of the actual data 
transfer protocol selected ({{HTTP}}/{{RAW}}). When secured, all S2S 
communication and all cluster communication (request replication, etc.) 
requires mutual authentication over TLS as these are machine-to-machine 
communications. 

> Support disabling wantClientAuth when running behind a reverse proxy.
> ---------------------------------------------------------------------
>
>                 Key: NIFI-5508
>                 URL: https://issues.apache.org/jira/browse/NIFI-5508
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.7.0, 1.7.1
>         Environment: Reverse Proxy & trying to use other credential provider 
> when the reverse proxy provides a client certificate itself.
>            Reporter: Curtis W Ruck
>            Priority: Major
>              Labels: rever
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> As discussed on the mailing list.
> JettyServer always calls either setNeedClientAuth(true) or 
> setWantClientAuth(true).
> When used with a reverse proxy that has a client certificate, it is 
> impossible currently to use other credential providers as the X509 
> authentication takes precedence.
> Adding the ability to disable wantClientAuth via a NiFi property would enable 
> the ability to leverage existing SSO solutions behind a reverse proxy.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
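The three Jetty client-authentication settings the issue talks about (needClientAuth, wantClientAuth, or neither), shown as an added Java illustration. This is not Apache NiFi's JettyServer code and not the change the issue requests; the property name `example.security.client.auth`, the keystore paths and the passwords are placeholders chosen for the example, and it assumes Jetty 9.4.12 or later (for `SslContextFactory.Server`).

```java
// Added illustration (not Apache NiFi's JettyServer code) of the three Jetty
// client-authentication settings discussed in NIFI-5508. Assumes Jetty 9.4.12+
// (SslContextFactory.Server); the property name and paths are placeholders.
import java.util.Properties;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class ClientAuthModeExample {

    /** How the TLS server treats the client certificate during the handshake. */
    enum ClientAuthMode {
        /** needClientAuth: the handshake fails unless the client presents a trusted cert. */
        NEED,
        /** wantClientAuth: the server sends a CertificateRequest; a presented cert is
         *  verified (and, per the issue, then drives X.509 authentication), but a client
         *  that presents none is still accepted. */
        WANT,
        /** Neither flag: the server never asks for a client cert, so X.509 authentication
         *  cannot fire and another credential provider must identify the user. */
        NONE
    }

    // Hypothetical property name chosen for this example; not a real NiFi property.
    static final String PROP_CLIENT_AUTH = "example.security.client.auth";

    /** Resolve the mode from properties. A missing or unrecognised value falls back to
     *  WANT, the "prefer a cert but tolerate none" behaviour the issue describes. */
    static ClientAuthMode modeFromProperties(Properties props) {
        String raw = props.getProperty(PROP_CLIENT_AUTH, "want").trim().toUpperCase();
        try {
            return ClientAuthMode.valueOf(raw);
        } catch (IllegalArgumentException e) {
            return ClientAuthMode.WANT;
        }
    }

    /** Apply the mode. JSSE treats needClientAuth and wantClientAuth as mutually
     *  exclusive (setting one clears the other), so both flags are set explicitly
     *  here to make the resulting state unambiguous. */
    static SslContextFactory.Server applyClientAuth(SslContextFactory.Server ssl,
                                                    ClientAuthMode mode) {
        switch (mode) {
            case NEED:
                ssl.setNeedClientAuth(true);
                ssl.setWantClientAuth(false);
                break;
            case WANT:
                ssl.setNeedClientAuth(false);
                ssl.setWantClientAuth(true);
                break;
            case NONE:
            default:
                ssl.setNeedClientAuth(false);
                ssl.setWantClientAuth(false);
                break;
        }
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        // Behind a reverse proxy that performs user authentication (SSO) and itself
        // holds a client certificate, the proxy's cert would win under WANT; NONE
        // stops the server from asking for one at all.
        props.setProperty(PROP_CLIENT_AUTH, "none");

        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("conf/keystore.jks");        // placeholder path
        ssl.setKeyStorePassword("changeit");             // placeholder password
        ssl.setTrustStorePath("conf/truststore.jks");    // placeholder path
        ssl.setTrustStorePassword("changeit");           // placeholder password
        applyClientAuth(ssl, modeFromProperties(props));

        Server server = new Server();
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(8443);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(8443);
        server.addConnector(https);

        System.out.println("needClientAuth=" + ssl.getNeedClientAuth()
                + " wantClientAuth=" + ssl.getWantClientAuth());
        server.start();
        server.join();
    }
}
```

Two caveats a practitioner would want before running with `none`: once the connector no longer asks for a client certificate, nothing on the TLS layer distinguishes the reverse proxy from any other client that can reach port 8443, so whatever the proxy uses to convey the SSO identity to the server must only be trusted if the proxy is the sole network path to that connector. And, as the comment above notes, site-to-site and cluster traffic in NiFi rely on mutual TLS; a connector that does not request client certificates cannot serve those machine-to-machine flows, so the setting belongs on a user-facing connector only.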