can't access UI with secured cluster

Describe the bug

Following the issue #45, when the authentication is enabled I can’t access the UI. I receive either:

System Error

The request contained an invalid host header [abc.com] in the request [/nifi].

Check for request manipulation or third-party intercept.

Valid host headers are [empty] or:

127.0.0.1 127.0.0.1:9443 ....

or:

503 service temporarily unavailable 

openresty/1.15.8.2

Version of Helm and Kubernetes:

Helm: “v3.0.2”

kubernetes: “v1.17.1”

What happened:

NiFi UI is unreachable

After this update, “Allow whitelisting expected Host values”, NiFi accepts requests where the Host header contains an expected value. Currently, the expected values are driven by the .host properties in nifi.properties.

This issue seems to be similar to the issue we’re having, so reading the following:

<< You will need a stable network identity that you can use to configure as your “proxy” in advance. For example in a testing scenario where you have access to the kubernetes cluster you can simply use “localhost” as the name of the proxy and use kubernetes port forward to tunnel requests from the localhost to your individual nodes (only one node at a time).

Another option that could better work for non-local use cases is to use a LoadBalancer service in front of the nodes and configure DNS to point to your LoadBalancer IP. If you want to do this in advance it is possible to create floating IPs and preconfigure DNS for it at almost any cloud provider. Then add the configured DNS to nifi.web.proxy.host property when starting your cluster. If setting up DNS is not an option you can use the IP directly. If setting up the IP in advance is not an option you may use an arbitrary hostname as the proxy host and add that hostname to your hosts file (or dnsmasq or company dns) to point to the dynamically generated LoadBalancer IP after NiFi started up. >>

I tried to create a host name for the minikube IP in the /etc/hosts file and preconfigured that DNS in the nifi.web.proxy.host variable in nifi.properties (also nifi.web.proxy.context.path and nifi.web.https.host). I ended up getting one or the other of the errors above (I also tried the IP address directly, not only the DNS).

What you expected to happen:

Access the NiFi UI with a DNS that I pass in the ingress config and in the webProxyHost variable.

How to reproduce it (as minimally and precisely as possible):

  • Clone the branch feature\ldap.
  • In the values.yaml file: enable and pass the LDAP config, change the http/https (httpPort/httpsPort) ports, and set the variables isSecure and clusterSecure to true.
  • Give your minikube IP a DNS in the /etc/hosts file and pass that DNS in the webProxyHost variable.
  • Enable ingress and set the .host variable to your DNS.

Anything else we need to know:

In the ingress.yaml file I changed {{- $ingressPort := .Values.service.httpPort -}} to {{- $ingressPort := .Values.service.httpsPort -}}, and when I try to access the DNS it didn’t work either (it downloads a file).

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

5 reactions
Subv commented, Oct 11, 2020

The issue (besides the {{- $ingressPort := .Values.service.httpsPort -}} change) seems to be that the ingress is trying to communicate with the secured NiFi using HTTP instead of HTTPS. In my case, adding the HTTPS backend annotation to the ingress worked (I’m using the nginx ingress controller):

ingress:
  enabled: true
  annotations:
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
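
The two failure modes in this thread (the rejected Host header and the ingress speaking HTTP to an HTTPS backend) can be checked before deploying. The following is an added example, not part of the original thread and not NiFi's or the chart's own code: it is a simplified model of the allowed-host list, the hostnames in the sample are constructed, and any other names NiFi may accept by default are not modelled.

```python
# Added example: a simplified model, not NiFi's or the Helm chart's own code.
SAMPLE_PROPERTIES = """\
# constructed sample values
nifi.web.https.host=nifi-0.nifi-headless.default.svc.cluster.local
nifi.web.https.port=9443
nifi.web.proxy.host=nifi.example.test, nifi.example.test:443
"""
BACKEND_ANNOTATION = "nginx.ingress.kubernetes.io/backend-protocol"

def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def allowed_hosts(props):
    """Default names (with and without the HTTPS port) plus proxy hosts as written."""
    port = props.get("nifi.web.https.port", "")
    defaults = {"localhost", "127.0.0.1"}
    if props.get("nifi.web.https.host"):
        defaults.add(props["nifi.web.https.host"].lower())
    allowed = set(defaults)
    if port:
        allowed |= {f"{name}:{port}" for name in defaults}
    proxy = props.get("nifi.web.proxy.host", "")
    allowed |= {p.strip().lower() for p in proxy.split(",") if p.strip()}
    return allowed

def diagnose(host_header, props, ingress_annotations):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    host = host_header.strip().lower()
    if host and host not in allowed_hosts(props):  # empty Host is accepted
        findings.append(f"Host '{host}' is not allowed: add it to nifi.web.proxy.host")
    protocol = ingress_annotations.get(BACKEND_ANNOTATION, "HTTP").upper()
    if props.get("nifi.web.https.port") and protocol != "HTTPS":
        findings.append(f"NiFi serves HTTPS but ingress backend is {protocol}: set {BACKEND_ANNOTATION}")
    return findings

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for line in diagnose("abc.com", props, {"kubernetes.io/tls-acme": "true"}):
        print(line)
```

Proxy host entries are matched exactly as written, so a hostname listed without a port does not cover the same hostname with a port appended.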