I have a nifi instance running on the

 https://localhost:9443/nifi
 https://delta:9443/nifi

The instance is still running on local. I want to have an internal https load balancer in front of the nifi instance. I have read that we can add the SAN ip address of the load balancer on the nifi-cert. I am still confused on DNS and SAN address. I have a self-signed certificate for the https load balancer and there is a DNS entry for the load balancer as well. Now when I create a standalone nifi CA, at that point do I have to give the DNS of the load balancer as

tls-toolkit.sh standalone -n 'loadbalancer DNS' -C 'CN=username,OU=NIFI' --subjectAlternativeNames 'lb-ip-address'

or am I missing something big??
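The point behind the DNS-vs-SAN confusion is that a TLS client checks the name it was asked to connect to against the certificate's subjectAltName entries: a hostname must appear as a dNSName entry, an IP literal must appear as an iPAddress entry, and the CN is ignored by modern verifiers. The following is an added example, not code from the question or from the NiFi toolkit; it models that matching rule over a constructed SAN list (the load-balancer name `nifi-lb.internal.example` and address `10.0.0.25` are hypothetical placeholders, not values from the page) so you can check which of your URLs a given certificate would actually cover before rebuilding the keystore.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list modelled on the question: what the NiFi node certificate
# would carry if both the node's own names and the load balancer's DNS name and
# IP were supplied to tls-toolkit. The LB name and IP are hypothetical placeholders.
EXAMPLE_SAN = [
    ("DNS", "localhost"),
    ("DNS", "delta"),
    ("DNS", "nifi-lb.internal.example"),   # hypothetical load-balancer DNS name
    ("IP", "10.0.0.25"),                   # hypothetical load-balancer IP address
]


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID matching: case-insensitive, trailing dot ignored,
    a wildcard is only honoured in the leftmost label and covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    # A bare "*" must never match, and all remaining labels must be identical.
    return len(p_labels) > 1 and p_labels[1:] == h_labels[1:]


def host_matches_san(requested: str, san_entries) -> bool:
    """True if the host the client connected to is covered by the SAN list.
    IP literals are compared only against iPAddress entries, hostnames only
    against dNSName entries; this mirrors how browsers and the JDK verify."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed IP entry in the certificate; skip it
        elif ip is None and kind == "DNS" and _dns_match(value, requested):
            return True
    return False


def urls_covered(urls, san_entries):
    """Map each URL to whether its host component would pass hostname verification."""
    result = {}
    for url in urls:
        host = urlsplit(url).hostname  # strips port, path and IPv6 brackets
        result[url] = host is not None and host_matches_san(host, san_entries)
    return result


if __name__ == "__main__":
    # The two URLs from the question plus the hypothetical LB address and a
    # short name that was never added to the SAN list.
    for url, ok in urls_covered([
        "https://localhost:9443/nifi",
        "https://delta:9443/nifi",
        "https://10.0.0.25:9443/nifi",
        "https://nifi-lb:9443/nifi",
    ], EXAMPLE_SAN).items():
        print(f"{url:<35} {'OK' if ok else 'NAME MISMATCH'}")
```

The last URL fails because the short name `nifi-lb` is not in the list even though its FQDN is; this is the usual cause of a "certificate name mismatch" behind a load balancer. Whatever name or address clients put in the URL has to be present as a SAN entry of the certificate that terminates TLS, whether that is the load balancer's certificate (TLS termination at the LB) or NiFi's own certificate (TCP passthrough).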


1 Answer

I am not sure if the SAN flag would accept anything other than domain names (no IP addresses), but according to this it might work.

The -n flag should be populated with the domain name associated with your frontend (Load Balancer).

  • I have tried the same thing that is mentioned by you in your link. Somehow the jetty server does not bind the DNS name. I have checked that the DNS name resolves to the load balancer ip as well – dumb_coder Sep 18 '20 at 10:01
  • You might try again first with an internal HTTP and if it works add or try with an internal HTTP(S) load balancer. Additionally, you might take a look and see if it is not set up only for the localhost; if so, you should change it from 127.0.0.1 to 0.0.0.0 [link](https://nifi.apache.org/docs/nifi-docs/html/getting-started.html#i-started-nifi-now-what). – Rocky Sep 21 '20 at 21:45
  • What I found out is that since the load balancer ip is not in the Linux /etc/hosts file, the jetty server will not bind the ip address. So I created the client certificate for standalone nifi and changed the load balancer from https to network load balancer. So now the TLS termination will happen at nifi – dumb_coder Sep 23 '20 at 08:36
  • It seems you have found a solution to your issue. Is that correct? – Rocky Sep 24 '20 at 23:56
  • Yes, ultimately when we use an https load balancer on the cloud, due to TLS termination, the request header is not the same as the one originating from the client side. Since I have the client certificate and not a proxy certificate, NiFi will not accept it. So I had to change the load balancer from https to tcp – dumb_coder Sep 25 '20 at 09:27