问题描述
我有一个 Nifi 和一个 Nifi-Registry,它们都在 docker + docker-compose 之上的 Nginx 代理后面的两个不同的 AWS EC2 实例上运行。一切都运行良好,虽然不安全,但通过 HTTP。
现在我正在努力让事情变得更安全:
- 使用自签名 SSL/TLS 证书保护 Nifi-Registry
- 在从浏览器访问 Nifi-Registry 时添加基本身份验证。
- 使用客户端-服务器证书确保客户端-服务器(nifi nifi-registry)之间的通信安全。
我看到了 Michal Klempa 撰写的这篇 https://michalklempa.com/2019/04/nifi-registry-nginx-proxy-tls-basic-auth/ 博文。 按照上面链接中描述的方法,我在访问 https://[MY-NIFI-REG-HOST].com:18433/nifi-registry 时设法获得了基本身份验证的 Nifi-Registry 请求。 下一步是让Nifi绕过客户端-服务器证书认证。
我已将 https://[MY-NIFI-REG-HOST].com:18433 作为“注册表客户端”添加到 Nifi 控制器设置中。 但是,当我尝试对 Nifi 处理器组之一启动版本控制时,出现以下错误:
看起来 Nifi 无法使用其客户端证书对 Nifi-Registry 实例上的 Nginx 进行身份验证,因此 Nginx 回复 401。
我曾多次尝试按照说明进行操作,但我不确定自己哪里出错了。
这是我的 Nifi-Registry 实例 docker-compose.yaml 配置和 Nginx 反向代理设置:
version: '3.4'
services:
Nginx:
image: Nginx:latest
container_name: Nginx
restart: always
depends_on:
- nifi_registry
ports:
- 18443:18443
volumes:
- ~/Nginx/conf.d/default.conf:/etc/Nginx/conf.d/default.conf
- ~/Nginx/server_cert.pem:/etc/Nginx/server_cert.pem
- ~/Nginx/server_key.pem:/etc/Nginx/server_key.pem
- ~/Nginx/client_cert.pem:/etc/Nginx/client_cert.pem
- ~/Nginx/htpasswd:/etc/Nginx/htpasswd
networks:
- static-network
nifi_registry:
image: apache/nifi-registry:latest
restart: always
container_name: nifi-registry
ports:
- 18080:18080
environment:
- NIFI_REGISTRY_WEB_HTTP_HOST=0.0.0.0
networks:
- static-network
volumes:
share_dir: {}
networks:
static-network:
ipam:
config:
- subnet: 172.20.0.0/16Nginx default.conf 与作者博文中的相同:
server {
listen 18443 ssl;
root /usr/share/Nginx/html;
index index.html;
server_name _;
ssl_certificate /etc/Nginx/server_cert.pem;
ssl_certificate_key /etc/Nginx/server_key.pem;
ssl_client_certificate /etc/Nginx/client_cert.pem;
ssl_verify_client optional;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
# disabled insecure ciphers suite. For example,MD5,DES,RC4,PSK
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
# -!MEDIUM:exclude encryption cipher suites using 128 bit encryption.
# -!LOW: exclude encryption cipher suites using 64 or 56 bit encryption algorithms
# -!EXPORT: exclude export encryption algorithms including 40 and 56 bits algorithms.
# -!aNULL: exclude the cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms.
# These cipher suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged.
# -!eNULL:exclude the "NULL" ciphers that is those offering no encryption.
# Because these offer no encryption at all and are a security risk they are disabled unless explicitly included.
# @STRENGTH:sort the current cipher list in order of encryption algorithm key length.
location / {
if ($ssl_client_verify = SUCCESS) {
set $auth_basic off;
}
if ($ssl_client_verify != SUCCESS) {
set $auth_basic "Restricted Content";
}
auth_basic $auth_basic;
auth_basic_user_file /etc/Nginx/htpasswd;
proxy_pass http://nifi-registry:18080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-User $remote_user;
proxy_set_header Authorization "";
proxy_set_header X-ProxyScheme $scheme;
proxy_set_header X-ProxyHost $hostname;
proxy_set_header X-ProxyPort $server_port;
proxy_set_header X-Proxycontextpath /;
}
}在 Nifi 实例上,所有内容都如博客文章中所述,我已将 CA 签名的 client_keystore.p12 和 client_trustorestore.p12 文件连同需要nifi.properties
我想我错过了什么,或者客户端-服务器证书不匹配...希望有人能指出这一点。
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)