[cetic/nifi] 'Page was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint' when using external SSL certificate

[kobethuwis]

Running NiFi in an EKS cluster, exposed by an ingress-nginx-controller. Recently bound a SSL-certificate to the ingress-nginx-controller, managing SSL termination by default across applications. The NiFi UI however won't load the details of it's controller services when using this public SSL certificate in the UI.

Error

Thrown in the web browser after clicking the UI cogwheel element inside the Controller Services menu:

jquery.min.js:2 Mixed Content: The page at 'https://XXXX/nifi/?processGroupId=3cf200f7-0184-1000-fb6f-807fab309b7e&componentIds=' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://XXXX/nifi-api/controller-services/3d119b18-0184-1000-030a-648fd104fb54?uiOnly=tru

Chart

We use the 1.1.1 version of the Chart backed by a 1.16.3 version of the official NiFi docker image.

  values = [
    <<EOT
replicaCount: 1

image:
  repository: XXXXXXXX
  tag: ${var.nifi_version}
  pullPolicy: Always

auth:
  singleUser:
    username: "XXXXXXXXXXXX"
    password: "XXXXXXXXXXXX"

properties:
  sensitiveKey: "XXXXXXXXXXXX"
  webProxyHost: "${var.host_nifi}"
  externalSecure: true
  httpsPort: 9443

service:
  httpsPort: 9443

ca:
  enabled: true
  persistence:
    enabled: false

ingress:
  enabled: true
  annotations: {
    nginx.ingress.kubernetes.io/app-root: "/nifi",
    kubernetes.io/ingress.class:  "nginx",
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

  }
  hosts:
    - ${var.host_nifi}

jvmMemory: 32g

persistence:
  enabled: true

resources:
  limits:
    cpu: 4000m
    memory: 32Gi
  requests:
    cpu: 2000m
    memory: 16Gi

zookeeper:
  enabled: true
  replicaCount: 1
  EOT
  ]
}

[Himanshu-pvt-repo]

NIFI is quite new to me, and I am also experiencing the issue described above. I have tried so many things to resolve this issue, but have not been successful. Could someone please help us?

[wknickless]

The problem is likely in this line:

    nginx.ingress.kubernetes.io/app-root: "/nifi",

As you see in the error message, the NiFi UI doesn't just access /nifi, it also accesses /nifi-api. So your Ingress configuration is not complete. See also #22 for more background.

[Himanshu-pvt-repo]

I have tried without a path in the ingress, but I am still receiving the same error.

[kobethuwis]

The problem is likely in this line:

    nginx.ingress.kubernetes.io/app-root: "/nifi",

As you see in the error message, the NiFi UI doesn't just access /nifi, it also accesses /nifi-api. So your Ingress configuration is not complete. See also #22 for more background.

That line simply specifies what to resolve to when navigating to /; the path of the ingress is still "/" so should be able to handle both /nifi & /nifi-api

[kobethuwis]

After some digging I've managed to setup a proxy as mentioned here. I did need to remove nginx.ingress.kubernetes.io/app-root: "/nifi", since it resolved to localhost:9443/nifi with the proxy in place.

@Himanshu-pvt-repo I'm using port 9443 instead of 8443 for the HTTPS resolving since our ingress-nginx-controller runs on 8443, which presents a ton of issues when exposing the Nifi UI on the same port. The remapping of the port might not be necessary in your case.

Final chart setup

resource "helm_release" "nifi" {
  depends_on = [XXXXXXXX, XXXXXXXX]

  repository = "https://cetic.github.io/helm-charts"
  chart      = "nifi"
  name       = "nifi"
  namespace  = var.namespace
  version    = var.chart_tag
  wait       = true

  values = [
    <<EOT
replicaCount: 1

image:
  repository: XXXXXXXX
  tag: ${var.nifi_version}
  pullPolicy: Always

auth:
  singleUser:
    username: XXXXXXXX
    password: XXXXXXXX

properties:
  sensitiveKey: XXXXXXXX
  webProxyHost: "${var.host_nifi}"
  httpsPort: 9443

service:
  httpsPort: 9443

ingress:
  enabled: true
  hosts:
    - ${var.host_nifi}
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/upstream-vhost: "localhost:9443"
    nginx.ingress.kubernetes.io/proxy-redirect-from: "https://localhost:9443"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header X-ProxyScheme "https";
      proxy_set_header X-ProxyPort "443";

jvmMemory: 32g

persistence:
  enabled: true

resources:
  limits:
    cpu: 4000m
    memory: 32Gi
  requests:
    cpu: 2000m
    memory: 16Gi

zookeeper:
  enabled: true
  replicaCount: 1

registry:
  enabled: true
  url: "https://nifi-registry:"
  port: 18080

  image:
    repository: ${data.aws_ecr_repository.nifi_registry.repository_url}
    pullPolicy: Always
    tag: ${var.nifi_registry_version}

  persistence:
    enabled: false

metrics:
  prometheus:
    enabled: true
    serviceMonitor:
      enabled: true

  EOT
  ]
}

[github-actions]

This issue is stale because it has not seen recent activity. Remove stale label or comment or this will be closed.