Unable to reverse proxy requests to Nifi running in the backend using client auth mechanism

balu nginx-forum at forum.nginx.org
Mon Dec 21 11:48:54 UTC 2020


I have configured Nginx as reverse proxy server for my Nifi Application
running in the backend on port 9443;

Here goes my nginx conf:


worker_processes 1;

events { worker_connections 1024; }

http {

    map_hash_bucket_size 128;
    sendfile on;
    large_client_header_buffers 4 64k;

    upstream nifi {
        server cloud-analytics-test2-nifi-a.insights.io:9443;
    }



    server {
        listen 443 ssl;
        #ssl on;
        server_name nifi-test-nginx.insights.np.vocera.io;
        ssl_certificate /etc/nginx/cert1.pem;
        ssl_certificate_key /etc/nginx/privkey1.pem;

        ssl_client_certificate /etc/nginx/nifi-client.pem;
        ssl_verify_client optional_no_ca;
        ssl_verify_depth 2;

        error_log /var/log/nginx/error.log debug;

        proxy_ssl_certificate /etc/nginx/cert1.pem;
        proxy_ssl_certificate_key /etc/nginx/privkey1.pem;
        proxy_ssl_trusted_certificate /etc/nginx/nifi-client.pem;

        location / {
            proxy_pass https://nifi;
            proxy_set_header X-ProxyScheme https;
            proxy_set_header X-ProxyHost nifi-test-nginx.insights.io;
            proxy_set_header X-ProxyPort 443;
            proxy_set_header X-ProxyContextPath /;
            proxy_set_header X-ProxiedEntitiesChain "<$ssl_client_s_dn>";
            proxy_set_header X-SSL-CERT $ssl_client_escaped_cert;
        }
    }

}

When ever I try to access Nifi using Nginx Reverse Proxy Address/hostname I
am getting below error.




```2020/12/21 11:46:45 [debug] 14165#0: *5 SSL_shutdown: 1
2020/12/21 11:46:45 [debug] 14165#0: *5 reusable connection: 0
2020/12/21 11:46:45 [debug] 14165#0: *5 free: 000055F192862800
2020/12/21 11:46:45 [debug] 14165#0: *5 free: 000055F192801300
2020/12/21 11:46:45 [debug] 14165#0: *5 free: 000055F19280EC50, unused: 8
2020/12/21 11:46:45 [debug] 14165#0: *5 free: 000055F1928596D0, unused: 384
2020/12/21 11:46:45 [debug] 14165#0: *6 SSL handshake handler: 0
2020/12/21 11:46:45 [debug] 14165#0: *6 SSL_do_handshake: -1
2020/12/21 11:46:45 [debug] 14165#0: *6 SSL_get_error: 2
2020/12/21 11:46:45 [debug] 14165#0: *6 SSL handshake handler: 0
2020/12/21 11:46:45 [debug] 14165#0: *6 verify:0, error:2, depth:1,
subject:"/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA",
issuer:"/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST
Network/CN=USERTrust RSA Certification Authority"
2020/12/21 11:46:45 [debug] 14165#0: *6 verify:1, error:2, depth:0,
subject:"/CN=nifi-admin.insights.io", issuer:"/C=AT/O=ZeroSSL/CN=ZeroSSL RSA
Domain Secure Site CA"
2020/12/21 11:46:45 [debug] 14165#0: *6 SSL_do_handshake: 1
2020/12/21 11:46:45 [debug] 14165#0: *6 SSL: TLSv1.2, cipher:
"ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128)
Mac=AEAD"
2020/12/21 11:46:45 [debug] 14165#0: *6 reusable connection: 1
2020/12/21 11:46:45 [debug] 14165#0: *6 http wait request handler
2020/12/21 11:46:45 [debug] 14165#0: *6 malloc: 000055F192801300:1024
2020/12/21 11:46:45 [debug] 14165#0: *6 SSL_read: -1
2020/12/21 11:46:45 [debug] 14165#0: *6 SSL_get_error: 2
2020/12/21 11:46:45 [debug] 14165#0: *6 free: 000055F192801300
2020/12/21 11:46:45 [debug] 14165#0: *6 http wait request handler
2020/12/21 11:46:45 [debug] 14165#0: *6 malloc: 000055F192801300:1024
2020/12/21 11:46:45 [debug] 14165#0: *6 SSL_read: 570
2020/12/21 11:46:45 [debug] 14165#0: *6 SSL_read: -1
2020/12/21 11:46:45 [debug] 14165#0: *6 SSL_get_error: 2
2020/12/21 11:46:45 [debug] 14165#0: *6 reusable connection: 0
2020/12/21 11:46:45 [debug] 14165#0: *6 posix_memalign:
000055F1928687C0:4096 @16
2020/12/21 11:46:45 [debug] 14165#0: *6 http process request line
2020/12/21 11:46:45 [debug] 14165#0: *6 http request line: "GET /favicon.ico
HTTP/1.1"
2020/12/21 11:46:45 [debug] 14165#0: *6 http uri: "/favicon.ico"
2020/12/21 11:46:45 [debug] 14165#0: *6 http args: ""
2020/12/21 11:46:45 [debug] 14165#0: *6 http exten: "ico"
2020/12/21 11:46:45 [debug] 14165#0: *6 posix_memalign:
000055F192854110:4096 @16
2020/12/21 11:46:45 [debug] 14165#0: *6 http process request header line
2020/12/21 11:46:45 [debug] 14165#0: *6 http header: "Host:
nifi-test-nginx.insights.io"
2020/12/21 11:46:45 [debug] 14165#0: *6 http header: "Connection:
keep-alive"
2020/12/21 11:46:45 [debug] 14165#0: *6 http header: "User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/87.0.4280.88 Safari/537.36"
2020/12/21 11:46:45 [debug] 14165#0: *6 http header: "Accept:
image/avif,image/webp,image/apng,image/*,*/*;q=0.8"
2020/12/21 11:46:45 [debug] 14165#0: *6 http header: "Sec-Fetch-Site:
same-origin"
2020/12/21 11:46:45 [debug] 14165#0: *6 http header: "Sec-Fetch-Mode:
no-cors"
2020/12/21 11:46:45 [debug] 14165#0: *6 http header: "Sec-Fetch-Dest:
image"
2020/12/21 11:46:45 [debug] 14165#0: *6 http header: "Referer:
https://nifi-test-nginx.insights.io/nifi/?processGroupId=root&componentIds=87a087ca-0175-1000-ca56-1d437d733fb0"
2020/12/21 11:46:45 [debug] 14165#0: *6 http header: "Accept-Encoding: gzip,
deflate, br"
2020/12/21 11:46:45 [debug] 14165#0: *6 http header: "Accept-Language:
en-US,en;q=0.9"
2020/12/21 11:46:45 [debug] 14165#0: *6 http header done
2020/12/21 11:46:45 [info] 14165#0: *6 client SSL certificate verify error:
(2:unable to get issuer certificate) while reading client request headers,
client: 49.207.211.47, server: nifi-test-nginx.insights.io, request: "GET
/favicon.ico HTTP/1.1", host: "nifi-test-nginx.insights.io", referrer:
"https://nifi-test-nginx.insights.io/nifi/?processGroupId=root&componentIds=87a087ca-0175-1000-ca56-1d437d733fb0"
2020/12/21 11:46:45 [debug] 14165#0: *6 http finalize request: 495,
"/favicon.ico?" a:1, c:1
2020/12/21 11:46:45 [debug] 14165#0: *6 event timer del: 11: 2253744188
2020/12/21 11:46:45 [debug] 14165#0: *6 http special response: 495,
"/favicon.ico?"
2020/12/21 11:46:45 [debug] 14165#0: *6 http set discard body
2020/12/21 11:46:45 [debug] 14165#0: *6 HTTP/1.1 400 Bad Request
Server: nginx/1.18.0
Date: Mon, 21 Dec 2020 11:46:45 GMT
Content-Type: text/html
Content-Length: 617
Connection: close
```

Can someone help me in fixing above error.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,290255,290255#msg-290255



More information about the nginx mailing list