If the load balancer can pass the client cert DN in the
X-ProxiedEntitiesChain header, then it doesn't have to be a straight
pass through. The load balancer identity would need to be authorized
as a proxy in NiFi or NiFi Registry.

https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#proxy_configuration
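Added example (Python, not NiFi's own code and not from any poster in this thread) of the check the reply above describes: a model of how a proxied-entities chain is parsed and why the connecting proxy's own certificate identity must hold the proxy policy before the header is trusted. The header format, the policy check and the function names are assumptions modelled on the NiFi administration guide linked above; the DNs are constructed.

```python
"""Model of NiFi-style proxied-entity authorization (added example, not NiFi code).

A reverse proxy that terminates TLS forwards the end user's certificate DN in
X-ProxiedEntitiesChain, e.g. "<CN=alice, OU=users>". NiFi appends the DN of the
TLS peer that actually connected (here, the load balancer) and then requires
every identity in the chain except the first to hold the "proxy user requests"
policy. Function names and the sample DNs below are constructed for illustration.
"""
import re

# One "<dn>" token; a backslash-escaped < or > inside a DN does not end it.
_TOKEN = re.compile(r"<((?:\\.|[^<>\\])*)>")


def parse_chain(header: str) -> list[str]:
    """Split "<dn1><dn2>" into ["dn1", "dn2"], unescaping \\< and \\>.

    Raises ValueError if anything outside the <...> tokens is present, so a
    malformed or truncated header is rejected instead of partially trusted.
    """
    entities, pos = [], 0
    for m in _TOKEN.finditer(header):
        if m.start() != pos:
            raise ValueError(f"malformed chain at offset {pos}: {header!r}")
        entities.append(re.sub(r"\\([<>])", r"\1", m.group(1)))
        pos = m.end()
    if pos != len(header):
        raise ValueError(f"trailing data at offset {pos}: {header!r}")
    return entities


def effective_user(header: str, tls_peer_dn: str, proxy_policy: set[str]):
    """Identity the request should be processed as, or None if it must be refused.

    header:        X-ProxiedEntitiesChain as received ("" if absent).
    tls_peer_dn:   DN from the client certificate on the connection itself.
    proxy_policy:  identities granted the "proxy user requests" policy.
    """
    chain = (parse_chain(header) if header else []) + [tls_peer_dn]
    user, proxies = chain[0], chain[1:]
    # Every hop after the end user, including the connecting peer, must be an
    # authorized proxy; otherwise any client reaching NiFi could forge the header.
    if any(p not in proxy_policy for p in proxies):
        return None
    return user


if __name__ == "__main__":
    policy = {"CN=lb, OU=infra"}  # the load balancer's cert DN, granted /proxy
    print(effective_user("<CN=alice, OU=users>", "CN=lb, OU=infra", policy))
    print(effective_user("<CN=alice, OU=users>", "CN=rogue, OU=ext", policy))
```

With no header at all the function returns the connecting peer's own DN, which is the plain 2-way SSL case discussed below.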

On Tue, Oct 19, 2021 at 8:43 PM Shawn Weeks <swe...@weeksconsulting.us> wrote:
>
> If you’re authenticating with 2-way SSL you’ll have to set up your load
> balancer to directly pass the TCP traffic through. Otherwise NiFi doesn’t see
> the user’s cert. NiFi doesn’t currently support getting the SSL cert name from
> an HTTP header like some other systems do. Usually if you’re using an HTTP load
> balancer you’d authenticate with SSO (SAML or OIDC) or LDAP (username/password).
>
>
>
> Thanks
>
> Shawn
>
>
>
> From: Jens M. Kofoed <jmkofoed....@gmail.com>
> Sent: Tuesday, October 19, 2021 1:16 AM
> To: users@nifi.apache.org
> Subject: Re: Nifi and Registry behind Citrix ADC.
>
>
>
> Only if you want other ways to authenticate users. I have set up our NiFi
> systems to talk with our MS AD via LDAPS, and defined different AD groups
> which in NiFi have different policy rules. Some people can manage everything,
> others can only start/stop specific processors in specific process groups.
>
> Using personal certificates is no problem; I have some admins who also use
> their personal certificates. But with certificates you would have to add and
> manage users manually in NiFi. Users can of course be added to internal
> groups in NiFi and policies configured for groups.
>
>
>
> regards
>
> Jens
>
>
>
> On Tue, 19 Oct 2021 at 07:43, Jakobsson Stefan
> <stefan.jakobs...@scania.com> wrote:
>
> We are currently authenticating with personal certificates, should we change 
> that then?
>
>
>
> Stefan Jakobsson
>
>
> Systems Manager  |  Scania IT, IKCA |  Scania CV AB
>
> Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
>
> Forskargatan 20, SE-151 87 Södertälje, Sweden
>
> stefan.jakobs...@scania.com
>
>
>
> From: Shawn Weeks <swe...@weeksconsulting.us>
> Sent: 18 October 2021 21:35
> To: users@nifi.apache.org
> Subject: RE: Nifi and Registry behind Citrix ADC.
>
>
>
> Unless you’re operating the LB in TCP Mode you’ll need to configure NiFi to 
> use an alternative authentication method like SAML, LDAP, OIDC, etc. You’ll 
> also need to make sure that your proxy is passing the various HTTP headers 
> through to NiFi and that NiFi is expecting traffic from a proxy. If you look 
> in the nifi-user.log and nifi-app.log there might be some hints about what it 
> didn’t like.
>
>
>
> Thanks
>
> Shawn
>
>
>
> From: Jakobsson Stefan <stefan.jakobs...@scania.com>
> Sent: Monday, October 18, 2021 2:26 PM
> To: users@nifi.apache.org
> Subject: RE: Nifi and Registry behind Citrix ADC.
>
>
>
> Ahh, no, ADC as in application delivery and load balancing 😊
>
>
>
> Stefan Jakobsson
>
>
> Systems Manager  |  Scania IT, IKCA |  Scania CV AB
>
> Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
>
> Forskargatan 20, SE-151 87 Södertälje, Sweden
>
> stefan.jakobs...@scania.com
>
>
>
> From: Lehel Boér <lehel.b...@gmail.com>
> Sent: 18 October 2021 15:03
> To: users@nifi.apache.org
> Subject: Re: Nifi and Registry behind Citrix ADC.
>
>
>
> Hi Stefan,
>
>
>
> Please disregard my prior response. The name misled me; I discovered ADC is
> not the same as Active Directory.
>
>
>
> Kind Regards,
>
> Lehel Boér
>
>
>
> Lehel Boér <lehel.b...@gmail.com> wrote (on Mon, 18 Oct 2021 at 14:54):
>
> Hi Stefan,
>
>
>
> Have you tried setting up NiFi with an LDAP provider? Here are a few useful 
> links.
>
>
>
> - 
> https://docs.cloudera.com/HDPDocuments/HDF3/HDF-3.4.1.1/nifi-security/content/ldap_login_identity_provider.html
>
> - https://pierrevillard.com/2017/01/24/integration-of-nifi-with-ldap
>
>
>
> Kind Regards,
>
> Lehel Boér
>
>
>
> Jakobsson Stefan <stefan.jakobs...@scania.com> wrote (on Mon, 18 Oct 2021 at
> 13:02):
>
> Hello,
>
>
>
> I have some issues trying to run NiFi and NiFi Registry behind an ADC. The reason
> for this is that we need NiFi to be accessible from AWS onto our on-prem NiFi
> installation due to demands from our IT sec department.
>
>
>
> Anyhow, I can connect to NiFi Registry on the server's ipconfig (i.e.
> x.x.x.x:9443/nifi-registry) without problems, but if I try to use the URL
> set up in the ADC with 9443 redirected to the NiFi server's IP we get an error
> saying:
>
>
>
> This page isn’t working
>
> nifiprod.oururl.com didn’t send any data.
>
> ERR_EMPTY_RESPONSE
>
>
>
> Does anyone have any ideas what I should start looking at? I set the https.host to
> 0.0.0.0 in nifi-registry.conf.
>
>
>
> Stefan Jakobsson
>
>
> Systems Manager  |  Scania IT, IKCA |  Scania CV AB
>
> Phone: +46 8 553 527 27 Mobile: +46 7 008 834 76
>
> Forskargatan 20, SE-151 87 Södertälje, Sweden
>
> stefan.jakobs...@scania.com
>
>
