I have a NiFi instance running on Docker, and we use a reverse proxy (Traefik) to send the requests to the NiFi Docker instance.
When my NiFi instance is running on HTTP I am able to reach the NiFi UI from the internet. Considering we wanted to have a login option, I was working on setting up HTTPS, as login auth is not possible on an HTTP NiFi instance. The setup all works when I apply a global SSL verify skip at the reverse-proxy level using insecureSkipVerify, but I would not want to do that, and when I am on the normal setup that verifies the certificate automatically generated by NiFi, which is a self-signed cert, it fails with the following error:
{"level":"debug","msg":"'500 Internal Server Error' caused by: x509: cannot validate certificate for 10.0.2.60 because it doesn't contain any IP SANs","time":"2022-10-21T10:29:18Z"}
I also checked the /etc/hosts file:
root@mynifi:/opt/nifi/nifi-current/conf# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.2.60 mynifi
The issue is that when Traefik is acting as the load balancer it seems to be trying to access the service using the IP address instead of the hostname:
{"ForwardURL":{"Scheme":"https","Opaque":"","User":null,"Host":"10.0.2.60:8443","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"Request":"{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/nifi/\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cache-Control\":[\"max-age=0\"],\"Cookie\":[\"__Secure-Request-Token=00c9e232-fb30-44e0-a41e-fc0b5ba6b9b5\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0\"],\"X-Forwarded-Host\":[\"example.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"d9c0b0e2855e\"],\"X-Proxyhost\":[\"example.domain.com\"],\"X-Proxyport\":[\"443\"],\"X-Proxyscheme\":[\"https\"],\"X-Real-Ip\":[\"143.155.67.98\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"example.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.52.48:51731\",\"RequestURI\":\"/nifi/\",\"TLS\":null}","level":"debug","msg":"vulcand/oxy/roundrobin/rr: Forwarding this request to URL","time":"2022-10-21T15:23:35Z"}
Is there an option to have the hostname defined within the docker-compose file be used instead of the IP, as my service is accessible using the hostname? I was able to confirm that via the curl command on the Docker container.
As the Docker container's IP keeps changing each time it is redeployed, it would be really difficult to generate a certificate with the IP of the container.
I tried to use the labels below, but I am not sure if they are the right ones to use in this case:
- "traefik.http.middlewares.nifi-redirect.redirectregex.permanent=true"
- "traefik.http.middlewares.nifi-redirect.redirectregex.regex=^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?):8443"
- "traefik.http.middlewares.nifi-redirect.redirectregex.replacement=mynifi:8443"
Please let me know if any additional details are needed.
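The error in the question comes from Go's crypto/x509, which is what Traefik uses to verify the backend's certificate. The added example below (my own code, not the asker's and not NiFi's or Traefik's) reproduces the failure and the two ways it can be made to pass. It mints a throwaway self-signed certificate as a stand-in for NiFi's auto-generated one (the hostname "mynifi" and the address 10.0.2.60 are taken from the question), then verifies it the way a Go TLS client does: against the host that was dialed when no server name is configured, and against an explicit server name when one is. The `VerifyAsClient` helper and its `serverName` parameter are this example's own; they model `tls.Config.ServerName`, which crypto/tls uses when set and otherwise fills from the dialed address.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MintSelfSigned creates a throwaway self-signed certificate (constructed for
// this example) whose SAN list is exactly dnsNames and ips. It stands in for
// the certificate NiFi generates for itself; NiFi's real cert is not used here.
func MintSelfSigned(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "mynifi"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own trust anchor
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAsClient reproduces the check a Go TLS client (Traefik's backend
// transport is one) performs: build a chain to the trusted roots, then match
// the SANs against the name the client expects. crypto/tls takes that name from
// tls.Config.ServerName and, when it is empty, from the host part of the dialed
// address, so serverName == "" models the question's setup, where Traefik dials
// 10.0.2.60:8443 with no explicit server name configured.
func VerifyAsClient(cert *x509.Certificate, dialedHost, serverName string) error {
	expected := serverName
	if expected == "" {
		expected = dialedHost
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust this one self-signed cert explicitly; no global skip-verify
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expected,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsSANMismatch reports whether err is the name-mismatch error class that
// produces the "doesn't contain any IP SANs" message seen in the question.
func IsSANMismatch(err error) bool {
	_, ok := err.(x509.HostnameError)
	return ok
}

func main() {
	// Case 1: a cert that carries only a DNS SAN ("mynifi"), like the one in the question.
	cert, err := MintSelfSigned([]string{"mynifi"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("dial by IP, no ServerName:  ", VerifyAsClient(cert, "10.0.2.60", ""))
	fmt.Println("dial by IP, ServerName set: ", VerifyAsClient(cert, "10.0.2.60", "mynifi"))
	fmt.Println("dial by hostname:           ", VerifyAsClient(cert, "mynifi", ""))

	// Case 2: the other fix, an IP SAN, holds only while the container keeps that
	// address, which the question notes it does not after a redeploy.
	withIP, err := MintSelfSigned([]string{"mynifi"}, []net.IP{net.ParseIP("10.0.2.60")})
	if err != nil {
		panic(err)
	}
	fmt.Println("IP SAN present, dial by IP: ", VerifyAsClient(withIP, "10.0.2.60", ""))
	fmt.Println("IP SAN present, new IP:     ", VerifyAsClient(withIP, "10.0.2.61", ""))
}
```

The first case prints exactly the message from the Traefik log, and the same certificate verifies once the expected name is "mynifi", whether because the proxy dialed the hostname or because a server name was configured on the client side. That is the defender-friendly direction: pin the expected name and trust the one self-signed cert (Traefik exposes this per backend through its serversTransport `serverName` and `rootCAs` settings) rather than a global `insecureSkipVerify`, which would let any host that can answer on that IP impersonate NiFi to the proxy. The `redirectregex` labels in the question act on the redirects Traefik sends back to the browser, not on the address Traefik dials for the backend, so they do not change which name gets verified.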