can't access UI with secured cluster
Describe the bug
Following issue #45, when authentication is enabled I can’t access the UI. I receive either:
System Error
The request contained an invalid host header [abc.com] in the request [/nifi].
Check for request manipulation or third-party intercept.
Valid host headers are [empty] or:
127.0.0.1 127.0.0.1:9443 ....
or:
503 service temporarily unavailable
openresty/1.15.8.2
Version of Helm and Kubernetes:
Helm: “v3.0.2”
kubernetes: “v1.17.1”
What happened:
NiFi UI is unreachable
After the update “Allow whitelisting expected Host values”, NiFi accepts requests where the Host header contains an expected value. Currently, the expected values are driven by the .host properties in nifi.properties.
This issue seems to be similar to the issue we’re having, so reading the following:
<< You will need a stable network identity that you can use to configure as your “proxy” in advance. For example in a testing scenario where you have access to the kubernetes cluster you can simply use “localhost” as the name of the proxy and use kubernetes port forward to tunnel requests from the localhost to your individual nodes (only one node at a time).
Another option that could better work for non-local use cases is to use a LoadBalancer service in front of the nodes and configure DNS to point to your LoadBalancer IP. If you want to do this in advance it is possible to create floating IPs and preconfigure DNS for it at almost any cloud provider. Then add the configured DNS to nifi.web.proxy.host property when starting your cluster. If setting up DNS is not an option you can use the IP directly. If setting up the IP in advance is not an option you may use an arbitrary hostname as the proxy host and add that hostname to your hosts file (or dnsmasq or company dns) to point to the dynamically generated LoadBalancer IP after NiFi started up. >>
I tried to create a host name for the minikube IP in the /etc/hosts file and preconfigured that DNS in the nifi.web.proxy.host variable in nifi.properties (also nifi.web.proxy.context.path and nifi.web.https.host). I ended up getting one or the other of the errors above (I also tried the IP address directly, not only the DNS).
What you expected to happen:
Access the NiFi UI with a DNS that I pass in the ingress config and in the webProxyHost variable.
How to reproduce it (as minimally and precisely as possible):
- Clone the branch feature\ldap.
- In the values.yaml file: enable and pass the LDAP config, change the http/https (httpPort/httpsPort) ports, and set the variables isSecure and clusterSecure to true.
- Give your minikube IP a DNS in the /etc/hosts file and pass that DNS in the webProxyHost variable.
- Enable ingress and set the .host variable to your DNS.
Anything else we need to know:
In the ingress.yaml file I changed {{- $ingressPort := .Values.service.httpPort -}} to {{- $ingressPort := .Values.service.httpsPort -}}, and when I tried to access the DNS it didn’t work either (it downloads a file).
Top GitHub Comments
The issue (besides the {{- $ingressPort := .Values.service.httpsPort -}} change) seems to be that the ingress is trying to communicate with the secured NiFi using HTTP instead of HTTPS; in my case adding the HTTPS backend annotation to the ingress worked (I’m using the nginx ingress controller).

This issue has been resolved with the commit: https://github.com/cetic/helm-nifi/commit/dbc0712785298c898d80dc4d10100cacec33a102
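
A preflight check for the two failure modes in this thread, added here as an example (not code from the helm-nifi chart or from NiFi): it flags an ingress host that is missing from the .host and nifi.web.proxy.host values, and an ingress that has no HTTPS backend setting while NiFi listens on HTTPS. Assumptions: host matching is modelled as a case-insensitive exact match, the ingress-nginx annotation nginx.ingress.kubernetes.io/backend-protocol is taken to be the "HTTPS backend annotation" the comment means, and the function names and sample values are constructed.

```python
import re

# Assumed ingress-nginx annotation for TLS to the backend (not quoted on the page).
BACKEND_PROTOCOL = "nginx.ingress.kubernetes.io/backend-protocol"


def parse_properties(text):
    """Parse key=value lines of a nifi.properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def allowed_hosts(props):
    """Hosts NiFi is told to expect: the .host properties plus the proxy list."""
    hosts = set()
    for key in ("nifi.web.https.host", "nifi.web.http.host"):
        if props.get(key):
            hosts.add(props[key].lower())
    # nifi.web.proxy.host is a comma-separated list of host[:port] entries.
    for entry in re.split(r"\s*,\s*", props.get("nifi.web.proxy.host", "")):
        if entry:
            hosts.add(entry.lower())
    return hosts


def preflight(properties_text, ingress_host, ingress_annotations):
    """Return a list of findings; an empty list means both checks passed."""
    props = parse_properties(properties_text)
    findings = []
    secured = bool(props.get("nifi.web.https.port"))
    # Simplified model (assumption): exact, case-insensitive match on the host.
    if ingress_host.lower() not in allowed_hosts(props):
        findings.append("host-not-whitelisted")
    if secured and ingress_annotations.get(BACKEND_PROTOCOL, "HTTP").upper() != "HTTPS":
        findings.append("ingress-speaks-http-to-https-backend")
    return findings


# Constructed sample: values mirror the shape of the issue, not a real cluster.
SAMPLE_PROPERTIES = """
# constructed nifi.properties excerpt
nifi.web.https.host=nifi-0.nifi-headless.default.svc.cluster.local
nifi.web.https.port=9443
nifi.web.proxy.host=nifi.example.test, nifi.example.test:443
"""
```

Run it against the rendered nifi.properties and the ingress values before deploying; a non-empty result names which of the two settings to correct.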