insecureSkipVerify: how to apply this at a service level in Docker Compose

I am trying to host NiFi securely. The issue that I am facing now is that I get an Internal Server Error, which is caused by the self-signed certificate generated by the NiFi toolkit. I understand that this verification of the certificate can be ignored by adding the insecureSkipVerify property.

Error Message:

'500 Internal Server Error' caused by: x509: cannot validate certificate for <IP_Address> because it doesn't contain any IP SANs

I would like to understand how this can be applied at the service level rather than at the global Traefik level; I would not want to apply changes at the global level when other services are running fine.

I tried to use the property in the docker compose file, but it doesn't seem to be right:

- "traefik.http.services.nifi-flow.loadbalancer.serverstransport.insecureskipverify=true"

docker_compose.yml

version: "3.7"
services:
    # configuration manager for NiFi
    zookeeper:
        hostname: myzookeeper
        # container_name: zookeeper_container_persistent
        image: zookeeper:latest
        restart: on-failure
        environment:
            - ALLOW_ANONYMOUS_LOGIN=yes
        networks:
            - apache-nifi-internal
        deploy:
            restart_policy:
                condition: any
                delay: 5s
                max_attempts: 3
                window: 120s
    nifi:
        user: root
        hostname: mynifi
        # container_name: nifi_container_persistent
        image: apache/nifi:latest
        restart: on-failure
        environment:
            - NIFI_WEB_HTTPS_PORT=8443
            - NIFI_WEB_HTTPS_HOST=0.0.0.0
            - NIFI_WEB_PROXY_HOST=localhost:8443, $DOCKER_HOST_URL:443, 0.0.0.0:8443, 127.0.0.1:8443
            - NIFI_WEB_PROXY_CONTEXT_PATH=/
            - SINGLE_USER_CREDENTIALS_USERNAME=admin
            - SINGLE_USER_CREDENTIALS_PASSWORD=ctsBtRBKHRAx69EqUghvvgEvjnaLjFEB
        volumes:
            - nifi_database_repository:/opt/nifi/nifi-current/database_repository
            - nifi_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
            - nifi_content_repository:/opt/nifi/nifi-current/content_repository
            - nifi_provenance_repository:/opt/nifi/nifi-current/provenance_repository
            - nifi_state:/opt/nifi/nifi-current/state
            - nifi_logs:/opt/nifi/nifi-current/logs
            - nifi_conf:/opt/nifi/nifi-current/conf
        networks:
            - apache-nifi-internal
            - traefik_proxy
        deploy:
            labels:
                # traefik
                - traefik.enable=true
                # service
                - traefik.http.services.nifi-flow.loadbalancer.server.port=8443
                - traefik.http.services.nifi-flow.loadbalancer.server.scheme=https
                - "traefik.http.services.nifi-flow.loadbalancer.serverstransport.insecureskipverify=true"
                # middlewares
                - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyScheme=https"
                - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyHost=$DOCKER_HOST_URL"
                - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyPort=443"
                # fixed: the original used ':' instead of '=' between label key and value
                - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyContextPath=/"
                # Routers
                - traefik.http.routers.nifi-flow.middlewares=nifi-headers
                - traefik.http.routers.nifi-flow.service=nifi-flow
                - traefik.http.routers.nifi-flow.entrypoints=$TRAEFIK_HTTPS_ENTRYPOINT
                - traefik.http.routers.nifi-flow.tls=true
                - traefik.http.routers.nifi-flow.rule=Host(`$DOCKER_HOST_URL`) && PathPrefix(`/nifi`)
            restart_policy:
                condition: any
                delay: 120s
                max_attempts: 3
                window: 60s
networks:
  traefik_proxy:
    external: true
    name: traefik_webgateway
  apache-nifi-internal:
volumes:
  nifi_conf: {external: true}
  nifi_database_repository: {external: true}
  nifi_flowfile_repository: {external: true}
  nifi_content_repository: {external: true}
  nifi_provenance_repository: {external: true}
  nifi_state: {external: true}
  nifi_logs: {external: true}

One option seems to be to set it in the static config (not with labels). See docs.

Or you create a dynamic serverTransport and then assign it to a service. See docs.

Should the second option be specified within the docker compose file of the NiFi service? Can you please share an example if possible.

I don't want to apply the insecureskipverify option at the global level to be true.

Dynamic config you can do in the labels of the service.

- "traefik.http.services.nifi-flow.loadbalancer.serverstransport.insecureskipverify=true"
- "traefik.http.services.nifi-flow.loadbalancer.serverstransports.insecureskipverify=true"

I tried both of the above labels, but it doesn't seem to take effect. It's defined within the service labels; I also don't seem to find that option in the list of configurations for Docker.

Look what I found in a Traefik issue:

There is currently no way to define a serversTransport using a docker label.

So you need to use a file provider with a dynamic configuration file.


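As an added example (not posted by anyone in this thread), here is what the file-provider route looks like in practice: a dynamic configuration file that defines a serversTransport for NiFi only, leaving every other service on Traefik's default transport. The transport names, the CA file path and the server name `mynifi` are assumptions; adjust them to your deployment. The file must be picked up by the file provider in Traefik's static configuration (for example `providers.file.filename` or `providers.file.directory`).

```yaml
# Added example, not from the original thread.
# Dynamic configuration for Traefik's file provider. Assumed to be mounted at
# e.g. /etc/traefik/dynamic/nifi.yml and referenced from the static config.
# Transport names, the CA path and the SAN "mynifi" are assumptions.
http:
  serversTransports:
    # Option A: what the thread asks for. Disables certificate validation for
    # this one transport only, not globally. Any host reachable on the
    # traefik_webgateway network that answers on 8443 would be accepted as NiFi,
    # so treat this as a stop-gap.
    nifi-insecure:
      insecureSkipVerify: true

    # Option B: preferred. Trust only the CA that signed the NiFi toolkit
    # certificate, and verify against a DNS name the certificate actually
    # carries. This removes the "doesn't contain any IP SANs" error without
    # turning verification off, because Traefik no longer checks the IP.
    nifi-transport:
      serverName: mynifi                # must match a DNS SAN in NiFi's certificate (assumed)
      rootCAs:
        - /etc/traefik/certs/nifi-ca.pem  # CA exported from the toolkit output, mounted into the Traefik container (assumed path)
```

Only the definition has to live in the file; attaching it is still done from Compose. In the NiFi service's `deploy.labels`, replace the rejected `serverstransport.insecureskipverify` line with a reference to the transport by name and provider, `- traefik.http.services.nifi-flow.loadbalancer.serverstransport=nifi-transport@file` (or `nifi-insecure@file` if you accept the weaker option), keeping `loadbalancer.server.scheme=https` and `loadbalancer.server.port=8443` as they are. After a reload, check the Traefik dashboard or `docker logs` for the `nifi-flow` service to confirm it shows the named transport rather than `default@internal`; if the label is misspelled Traefik silently falls back to the default transport and the 500 returns.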