Nugget Post: Running NiFi behind an SSL reverse proxy

Scenario

User --- (HTTPS) --->  NGINX Reverse Proxy --- (HTTP) ---> NiFi

Typical NGINX Reverse Proxy config:

location /nifi {
     proxy_set_header Host $http_host;
     add_header "Access-Control-Allow-Credentials" "true";
     proxy_pass http://127.0.0.1:9900;
}

Note: the proxy_set_header Host line is necessary; otherwise NiFi will return “localhost” or “127.0.0.1” in its links and you’ll end up with a bunch of HTTP 404 errors.

Issues

  • NiFi might initially load, but any subsequent action results in an error page along the lines of “cannot communicate to server”
  • Opening the Chrome/Firefox dev tools shows a “mixed content” error: the browser refused a request for HTTP content because the original (parent) site uses HTTPS

Solution

Add a single line to the above config:

location /nifi {
     proxy_set_header Host $http_host;
     add_header "Access-Control-Allow-Credentials" "true";
     proxy_pass http://127.0.0.1:9900;
     proxy_set_header X-ProxyScheme https; # <--------- ADD THIS
}

The new line adds the X-ProxyScheme header and sets it to https. NiFi respects this header and returns all links prefixed with https rather than http.
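
To confirm the fix from the outside, the following added example (not part of the original post, and not NiFi or NGINX code) scans a response body fetched through the proxy for the two symptoms described above: links pointing at the backend host, and http links served to an https origin. The hostname flow.example.com, the function name find_bad_links and the sample response bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Absolute http(s) URLs anywhere in a response body (JSON or HTML).
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")
BACKEND_HOSTS = ("localhost", "127.0.0.1")


def find_bad_links(public_origin, body):
    """Return (url, reason) pairs for links that a browser which loaded the
    UI from public_origin would block or fail to reach."""
    origin = urlsplit(public_origin)
    findings = []
    for url in sorted(set(URL_RE.findall(body))):
        link = urlsplit(url)
        if link.hostname in BACKEND_HOSTS:
            # Symptom of the missing "proxy_set_header Host" line.
            findings.append((url, "backend host leaked: Host header not forwarded"))
        elif link.hostname != origin.hostname:
            continue  # third-party link, unrelated to the proxy mapping
        elif origin.scheme == "https" and link.scheme == "http":
            # Symptom of the missing "proxy_set_header X-ProxyScheme https" line.
            findings.append((url, "mixed content: X-ProxyScheme not applied"))
    return findings


# Constructed sample bodies (hypothetical, shaped like a JSON API reply).
PUBLIC = "https://flow.example.com"
NO_HOST_HEADER = '{"uri": "http://127.0.0.1:9900/nifi-api/flow/process-groups/root"}'
NO_PROXY_SCHEME = '{"uri": "http://flow.example.com/nifi-api/flow/process-groups/root"}'
FIXED = '{"uri": "https://flow.example.com/nifi-api/flow/process-groups/root"}'

if __name__ == "__main__":
    for name, body in (("no Host header", NO_HOST_HEADER),
                       ("no X-ProxyScheme", NO_PROXY_SCHEME),
                       ("fixed config", FIXED)):
        print(name, "->", find_bad_links(PUBLIC, body) or "clean")
```

In practice the body would come from a request made through the proxy's public URL, and a non-empty result means one of the two proxy_set_header lines is not taking effect.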