Hello Emmanuel

Might be nifi.web.proxy.host that needs to be configured?

nifi.web.proxy.host
A comma separated list of allowed HTTP Host header values to consider when NiFi 
is running securely and will be receiving requests to a different host[:port] 
than it is bound to. For example, when running in a Docker container or behind 
a proxy (e.g. localhost:18443, proxyhost:443). By default, this value is blank 
meaning NiFi should only allow requests sent to the host[:port] that NiFi is 
bound to.


See 
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#web-properties

--
Kind Regards
Dries Van Autreve


From: "QUEVILLON EMMANUEL - EXT-SAFRAN ENGINEERING SERVICES (SAFRAN)" 
<emmanuel.quevillon.e...@safrangroup.com>
Reply to: "users@nifi.apache.org" <users@nifi.apache.org>
Date: Wednesday, 5 May 2021 at 11:31
To: "users@nifi.apache.org" <users@nifi.apache.org>
Subject: HTTPS host header restriction and VM in OpenStack

Hi,

We are trying to install and set Nifi on a VM in an OpenStack private cloud. 
The installation of Nifi on the VM is ok and running without problems when 
using HTTP as protocol.
However, when we try to set HTTPS, then we encounter several problems.
Let me explain how this is set (regarding network configuration) with OpenStack.
When a VM is created and started in OpenStack, a private IP address is 
attributed to this VM, say 192.168.10.10. OpenStack is then able to also 
attribute a so-called floating IP address to this VM, which makes the VM 
accessible from outside the cloud (like a public IP). This IP, say 1.2.3.4, is 
then reachable through a web browser, as http://1.2.3.4, thus this is how we 
can access our Nifi web interface using HTTP protocol.

Here is a small representation of the translation

MyComputer --- ask http://1.2.3.4 ------> OpenStack ----> NAT to VM interface ------> 192.168.10.10(eth0) ---> Nifi

Due to this OpenStack Nat translation behavior, when we try to set up HTTPS 
mode, we cannot reach our nifi web interface.
We are facing two problems:

  1.  If we set properties nifi.web.https.host to our public IP (1.2.3.4), Nifi 
fails to start with the following error : java.io.IOException: Failed to bind 
to /1.2.3.4:8443, which is somehow normal as the VM does not know its public IP 
(provided by OpenStack).


  2.  If we set properties nifi.web.https.host to 0.0.0.0, nifi starts ok, 
however, when we reach the interface, we’re facing the following error:

System Error
The request contained an invalid host header [1.2.3.4:8443] in the request 
[/nifi]. Check for request manipulation or third-party intercept.
Valid host headers are [empty] or:

  *   127.0.0.1
  *   127.0.0.1:8443
  *   localhost
  *   localhost:8443
  *   192.168.10.10
  *   192.168.10.10:8443
  *   0.0.0.0
  *   0.0.0.0:8443
Did we misconfigure nifi?
Is there a way to work around this situation?
Thanks for your help or explanation

Regards

Emmanuel
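
The Host header check discussed in this thread, as an added example that is not part of either message and is not NiFi's own code: a simplified Python model of the allow-list, run against the addresses from the question. The function names, the `interface_ips` argument and the verbatim handling of `nifi.web.proxy.host` entries are assumptions of this model; the two property files are constructed samples.

```python
# Simplified model of a Host-header allow-list (illustrative, not NiFi source).
DEFAULT_LOCAL = ("127.0.0.1", "localhost")

# Constructed sample: the configuration from the question (problem 2).
BEFORE = """
nifi.web.https.host=0.0.0.0
nifi.web.https.port=8443
nifi.web.proxy.host=
"""
# Constructed sample: same file with the floating IP allow-listed.
AFTER = BEFORE.replace("nifi.web.proxy.host=", "nifi.web.proxy.host=1.2.3.4:8443")

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def allowed_hosts(props, interface_ips):
    """Build the set of Host header values the server will accept."""
    port = props.get("nifi.web.https.port", "8443")
    names = list(DEFAULT_LOCAL) + list(interface_ips)
    bound = props.get("nifi.web.https.host", "")
    if bound:
        names.append(bound)
    allowed = set()
    for name in names:
        allowed.update({name.lower(), f"{name.lower()}:{port}"})
    # Assumption: proxy entries are matched verbatim as host[:port].
    for entry in props.get("nifi.web.proxy.host", "").split(","):
        if entry.strip():
            allowed.add(entry.strip().lower())
    return allowed

def host_header_ok(host_header, props, interface_ips):
    """True when the Host header is empty or on the allow-list."""
    value = host_header.strip().lower()
    return value == "" or value in allowed_hosts(props, interface_ips)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        ok = host_header_ok("1.2.3.4:8443", parse_properties(text), ["192.168.10.10"])
        print(label, "accepted" if ok else "rejected")
```
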




