如何解决nginx 处理器后面的 docker 上的 Nifi 配置未打开
按照指南 ( https://michalklempa.com/2019/04/nifi-registry-nginx-proxy-tls-basic-auth/ ) 设置 nginx 基本身份验证,但是我不是为 nifi-registry 设置代理,而是为 nifi 设置它。身份验证正在工作并且页面可以访问,但不知何故处理器配置窗口未打开。这个问题是由于 nginx 造成的,因为通过暴露的 HTTP 端口直接访问 nifi 是可行的,只是不在 nginx 代理后面。
以下是我正在使用的配置:
server {
listen 9988 ssl;
root /usr/share/nginx/html;
index index.html;
server_name _;
ssl_certificate /etc/nginx/server_cert.pem;
ssl_certificate_key /etc/nginx/server_key.pem;
ssl_client_certificate /etc/nginx/client_cert.pem;
ssl_verify_client optional;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
# Disabled insecure ciphers suite. For example,MD5,DES,RC4,PSK
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
# -!MEDIUM:exclude encryption cipher suites using 128 bit encryption.
# -!LOW: exclude encryption cipher suites using 64 or 56 bit encryption algorithms
# -!EXPORT: exclude export encryption algorithms including 40 and 56 bits algorithms.
# -!aNULL: exclude the cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms.
# These cipher suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.
# -!eNULL:exclude the "NULL" ciphers that is those offering no encryption.
# Because these offer no encryption at all and are a security risk they are disabled unless explicitly included.
# @STRENGTH:sort the current cipher list in order of encryption algorithm key length.
location / {
if ($ssl_client_verify = SUCCESS) {
set $auth_basic off;
}
if ($ssl_client_verify != SUCCESS) {
set $auth_basic "Restricted Content. Please provide Nifi Authentication:";
}
auth_basic $auth_basic;
auth_basic_user_file /etc/nginx/nginx.htpasswd;
proxy_pass http://172.18.0.77:8181/; # actual container ip/port of nifi
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-User $remote_user;
proxy_set_header Authorization "";
proxy_set_header X-ProxyScheme $scheme;
proxy_set_header X-ProxyHost $hostname;
proxy_set_header X-ProxyPort $server_port;
proxy_set_header X-ProxyContextPath "/";
}
}
我尝试为 X-ProxyHost 传递 nifi/host/nginx 的容器 ip,但没有立即给出“无法与 nifi 通信”,而是旋转了一段时间并最终给出了相同的错误。这里需要修改什么?任何帮助将不胜感激。
解决方法
这里是 nginx 菜鸟! 在对多个 ip/主机名组合进行多次摆弄之后,我能够通过以下配置更改来修复它。 必须向 docker-compose 添加 nifi env 属性:
environment:
- NIFI_REMOTE_INPUT_HOST=<private ip of nifi container e.g. 172.18.0.77>
- NIFI_WEB_PROXY_CONTEXT_PATH=/
- NIFI_WEB_HTTP_HOST=<private ip of nifi container>
- NIFI_WEB_HTTP_PORT=8181
对于 nginx 配置:将 proxy_set_header 修改为“localhost”(因为 nginx 服务器需要将 proxyHost 定义为环回服务器):
proxy_set_header X-ProxyHost localhost;
希望这能帮助那些在同一条船上摸不着头脑的人:)
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
