Re: Nifi and Registry behind Citrix ADC.

2021-10-20 Thread Bryan Bende
Yes, you can think of it the same as how NiFi -> NiFi Registry works...

User accesses NiFi and authenticates in some way, could be client
cert, they then perform an action that calls registry. NiFi makes a
2-way TLS connection to registry using its own server cert and sends
the end user identity to NiFi Registry in the X-ProxiedEntitiesChain
header.

NiFi Registry then sees the client certificate of the NiFi server, sees that
there is X-ProxiedEntities, authorizes that NiFi service is allowed to
proxy (as well as any other identities in the chain besides the top
entry for the user), and if so then proceeds to authorize the rest of
the request as the end user identity.

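The check Bryan Bende describes in this thread (the client certificate of the calling NiFi node or load balancer first, then the X-ProxiedEntitiesChain header), modelled as an added Python example; it is not NiFi's code and not from any poster. The chain syntax `<user><proxy1>...` with backslash-escaped angle brackets follows NiFi's header format; the DNs, policy table and function names are constructed for illustration.

```python
"""Simplified model of proxied-identity authorization on the receiving side
(NiFi or NiFi Registry). Sample identities and policies are constructed."""
import re

HEADER = "x-proxiedentitieschain"  # HTTP header names are case-insensitive

# One chain entry is <identity>; a literal < or > inside it is backslash-escaped.
_ENTRY = re.compile(r"<((?:\\.|[^<>\\])*)>")


class ProxyDenied(Exception):
    """The request is rejected before any user-level authorization happens."""


def parse_chain(value):
    """Split '<user><proxy1>...' into identities, end user first."""
    value = value.strip()
    identities, pos = [], 0
    while pos < len(value):
        m = _ENTRY.match(value, pos)
        # This model rejects malformed text and empty entries outright.
        if m is None or not m.group(1):
            raise ProxyDenied(f"malformed chain at offset {pos}")
        identities.append(re.sub(r"\\(.)", r"\1", m.group(1)))
        pos = m.end()
    if not identities:
        raise ProxyDenied("empty chain")
    return identities


def effective_user(peer_cert_dn, headers, proxy_identities):
    """Return the identity the request must be authorized as.

    peer_cert_dn is the DN from the 2-way TLS handshake, i.e. whoever opened
    the connection (an end user, a NiFi node, or the load balancer).
    """
    if not peer_cert_dn:
        # Only the certificate path is modelled; without a certificate the
        # header has nothing trustworthy backing it.
        raise ProxyDenied("no client certificate on the TLS connection")
    raw = {k.lower(): v for k, v in headers.items()}.get(HEADER)
    if raw is None:
        return peer_cert_dn  # direct access: the certificate holder is the user
    # Full chain = identities named in the header + the TLS peer that sent it.
    chain = parse_chain(raw) + [peer_cert_dn]
    for proxy in chain[1:]:  # everything except the end user must be a proxy
        if proxy not in proxy_identities:
            raise ProxyDenied(f"{proxy} is not authorized to proxy")
    return chain[0]


def handle(peer_cert_dn, headers, action, proxy_identities, user_policies):
    """Two-stage decision: proxy authorization, then the end user's policy."""
    try:
        user = effective_user(peer_cert_dn, headers, proxy_identities)
    except ProxyDenied as exc:
        return ("rejected", str(exc))
    allowed = action in user_policies.get(user, set())
    return ("allowed" if allowed else "forbidden", user)


# Constructed sample data (hypothetical DNs and action names).
ALICE = "CN=alice, OU=People"
BOB = "CN=bob, OU=People"
NIFI = "CN=nifi-1, OU=Servers"
ADC = "CN=adc-1, OU=LoadBalancers"
PROXIES = {NIFI, ADC}                      # identities granted the proxy policy
POLICIES = {ALICE: {"read-buckets"}, BOB: {"read-buckets"}}

if __name__ == "__main__":
    cases = [
        ("NiFi -> Registry on behalf of alice", NIFI, {"X-ProxiedEntitiesChain": f"<{ALICE}>"}),
        ("alice -> ADC -> NiFi -> Registry", NIFI, {"X-ProxiedEntitiesChain": f"<{ALICE}><{ADC}>"}),
        ("bob connects directly, no header", BOB, {}),
        ("bob sends the header himself", BOB, {"X-ProxiedEntitiesChain": f"<{ALICE}>"}),
    ]
    for label, peer, hdrs in cases:
        print(f"{label}: {handle(peer, hdrs, 'read-buckets', PROXIES, POLICIES)}")
```

The last case is the one that matters for a load balancer deployment: the header is honoured only when every identity after the end user, including the TLS peer, holds the proxy permission.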

RE: Nifi and Registry behind Citrix ADC.

2021-10-20 Thread Shawn Weeks
I didn't know that was supported. Does this require the Proxy to do 2-way ssl 
back to NiFi?

Thanks
Shawn



Re: Nifi and Registry behind Citrix ADC.

2021-10-20 Thread Bryan Bende
If the load balancer can pass the client cert DN in the
X-ProxiedEntitiesChain header, then it doesn't have to be a straight
pass through. The load balancer identity would need to be authorized
as a proxy in NiFi or NiFi Registry.

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration



RE: Nifi and Registry behind Citrix ADC.

2021-10-19 Thread Shawn Weeks
If you’re authenticating with 2-way ssl you’ll have to set up your load balancer
to directly pass the TCP traffic through. Otherwise NiFi doesn’t see the user’s
cert. NiFi doesn’t currently support getting the SSL Cert name from an HTTP
Header like some other systems do. Usually if you’re using an HTTP Load Balancer
you’d authenticate with SSO (SAML or OIDC) or LDAP (Username/Password).

Thanks
Shawn




Re: Nifi and Registry behind Citrix ADC.

2021-10-18 Thread Jens M. Kofoed
Only if you want other ways to authenticate users. I have set up our NIFI
systems to talk with our MS AD via ldaps, and defined different AD groups
which in nifi have different policy rules. Some people can manage
everything, others can only start/stop specific processors in specific process
groups.

Using personal certificates is no problem, I have some admins which also
use their personal certificates. But with certificates you would have to
add and manage users manually in NIFI. Users can of course be added to
internal groups in NIFI and policy configured to groups.

Regards
Jens



RE: Nifi and Registry behind Citrix ADC.

2021-10-18 Thread Jakobsson Stefan
We are currently authenticating with personal certificates, should we change 
that then?

Stefan Jakobsson

Systems Manager  |  Scania IT, IKCA |  Scania CV AB
Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
Forskargatan 20, SE-151 87 Södertälje, Sweden
stefan.jakobs...@scania.com




Re: Nifi and Registry behind Citrix ADC.

2021-10-18 Thread Bengt Håård
Hi,
I'm not sure what ADC does, but if it contains a proxy then I recommend you to
look here:
NiFi System Administrator’s Guide


Kind Regards,
Bengt



RE: Nifi and Registry behind Citrix ADC.

2021-10-18 Thread Shawn Weeks
Unless you’re operating the LB in TCP Mode you’ll need to configure NiFi to use 
an alternative authentication method like SAML, LDAP, OIDC, etc. You’ll also 
need to make sure that your proxy is passing the various HTTP headers through 
to NiFi and that NiFi is expecting traffic from a proxy. If you look in the 
nifi-user.log and nifi-app.log there might be some hints about what it didn’t 
like.

Thanks
Shawn




RE: Nifi and Registry behind Citrix ADC.

2021-10-18 Thread Jakobsson Stefan
Ahh, no ADC as in application delivery and load balancing 😊

Stefan Jakobsson

Systems Manager  |  Scania IT, IKCA |  Scania CV AB
Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
Forskargatan 20, SE-151 87 Södertälje, Sweden
stefan.jakobs...@scania.com




Re: Nifi and Registry behind Citrix ADC.

2021-10-18 Thread Lehel Boér
Hi Stefan,

Please disregard my prior response. The name misled me, I discovered ADC
is not the same as Active Directory.

Kind Regards,
Lehel Boér



Re: Nifi and Registry behind Citrix ADC.

2021-10-18 Thread Lehel Boér
Hi Stefan,

Have you tried setting up NiFi with an LDAP provider? Here are a few useful
links.

- https://docs.cloudera.com/HDPDocuments/HDF3/HDF-3.4.1.1/nifi-security/content/ldap_login_identity_provider.html
- https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap

Kind Regards,
Lehel Boér

Jakobsson Stefan wrote (on Mon, Oct 18, 2021, 13:02):

> Hello,
>
> I have some issues trying to run Nifi and Nifi-registry behind an ADC.
> Reason for this is that we need Nifi to be accessible from aws onto our onprem
> nifi installation due to demands from our IT sec department.
>
> Anyhow, I can connect to Nifi-Registry on the server's ipconfig (i.e.
> x.x.x.x:9443/nifi-registry) without problems, but if I try to use the URL
> set up in the ADC with 9443 redirected to the nifi server's IP we get an error
> saying:
>
> This page isn’t working
>
> nifiprod.oururl.com didn’t send any data.
>
> ERR_EMPTY_RESPONSE
>
> Does anyone have any ideas what I should start looking at? I set the https.host
> to 0.0.0.0 in nifi-registry.conf.
>
> Stefan Jakobsson
>
> Systems Manager  |  Scania IT, IKCA |  Scania CV AB
> Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
> Forskargatan 20, SE-151 87 Södertälje, Sweden
> stefan.jakobs...@scania.com