Welcome to the fourth article in the Apache NiFi series. The last article
explained how to set up an Apache NiFi Docker container with a self-signed SSL
certificate. This article addresses the next pain point: how to create an Apache
NiFi cluster in Docker with SSL enabled. Unlike an HTTP cluster, setting up an
Apache NiFi cluster with SSL enabled in Docker introduces a new challenge:
hostname verification.
For added security, when HTTPS is enabled, Apache NiFi verifies the hostname of requests. Therefore, each request sent to Apache NiFi must use a predefined hostname. This applies not only to external requests: peer-to-peer communication between NiFi nodes in a cluster also goes through HTTPS and is subject to hostname verification. If the hostname provided in the HTTPS request does not match the hostname defined in the SSL certificate, NiFi will throw a javax.net.ssl.SSLPeerUnverifiedException.
If you deploy Apache NiFi traditionally, on individual servers with known IP
addresses, it is easy to create certificates for those IP addresses. However, in
a dynamic environment like Docker, the hostname of a container is defined at
runtime if you need flexible scaling options. Since Docker doesn't provide an
option to define the hostname pattern in a scalable cluster, we have to stick to
hard-coded Apache NiFi containers with predefined hostnames to create a cluster.
The disadvantage of this method is that it is hard to scale a cluster of
hard-coded containers up or down. Alternatively, you can set up an HTTP cluster
and put a load balancer with an HTTPS frontend and SSL termination between the
client and the NiFi UI. However, in this article, we will stick to the SSL
configuration at the cluster level.
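
A pre-flight check for the mismatch described above, added here as an example and not taken from the original article or from NiFi's code: it compares the DNS names in a certificate's subjectAltName against the hostnames of cluster nodes. The SAN list and hostnames are constructed sample values, and the matching rules are a simplified RFC 6125-style assumption, not NiFi's exact implementation.

```python
"""Check which cluster node hostnames a certificate's SAN list covers."""


def san_matches(pattern: str, hostname: str) -> bool:
    """Compare one SAN DNS entry with a hostname.

    Simplified RFC 6125-style rules (an assumption, not NiFi's code):
    case-insensitive, '*' is allowed only as the whole left-most label,
    matches exactly one label, and must be followed by another label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def unverifiable_nodes(san_dns_names, node_hostnames):
    """Return the hostnames that no SAN entry covers, in input order."""
    return [
        host for host in node_hostnames
        if not any(san_matches(san, host) for san in san_dns_names)
    ]


# Constructed sample data (not from the article).
CERT_SANS = ["nifi01", "nifi02", "nifi03", "*.nifi.example"]

# Hard-coded containers with predefined hostnames: all covered.
FIXED_NODES = ["nifi01", "nifi02", "nifi03"]

# After scaling out: one container received a runtime-assigned hostname
# (Docker defaults to the short container ID), and one name sits two
# labels below the wildcard, which a single '*' does not cover.
SCALED_NODES = ["nifi01", "3f2a9c1b7d4e", "node4.nifi.example", "a.b.nifi.example"]


if __name__ == "__main__":
    for label, nodes in (("fixed", FIXED_NODES), ("scaled", SCALED_NODES)):
        bad = unverifiable_nodes(CERT_SANS, nodes)
        status = "OK" if not bad else "would fail verification: " + ", ".join(bad)
        print(f"{label}: {status}")
```

Running a check like this before starting the cluster surfaces the nodes whose peer-to-peer HTTPS requests would be rejected, instead of discovering them through the exception at runtime.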