Use of SNI routing in Nifi ?


Use of SNI routing in Nifi ?

Pat White-2
Hi Folks,

Has anyone tried using SNI routing with Nifi?

I believe Jetty supports the TLS extension for SNI but have not tried using it, would appreciate any feedback if someone has tried this. Thank you.



Re: Use of SNI routing in Nifi ?

Andy LoPresto
Hi Pat,

Are you asking if NiFi’s internal web server supports SNI or if NiFi processors/framework connecting to external services can resolve SNI? Maybe some more context around your question would help us answer. 


Andy LoPresto
[hidden email]
[hidden email]
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On May 22, 2020, at 9:19 AM, Pat White <[hidden email]> wrote:

Hi Folks,

Has anyone tried using SNI routing with Nifi?

I believe Jetty supports the TLS extension for SNI but have not tried using it, would appreciate any feedback if someone has tried this. Thank you.




Re: Use of SNI routing in Nifi ?

Pat White-2
Hi Andy,
Thanks very much for the feedback, and my apologies for being vague. I have not used SNI so I have some learning to do.

Specific use case we were asked about relates with Nifi to Nifi transfers, so not the webservice itself but rather S2S. 
I was wondering if S2S protocol supports SNI, and if so some pointers on how to configure that.

patw

On Fri, May 22, 2020 at 1:14 PM Andy LoPresto <[hidden email]> wrote:
Hi Pat,

Are you asking if NiFi’s internal web server supports SNI or if NiFi processors/framework connecting to external services can resolve SNI? Maybe some more context around your question would help us answer. 


Andy LoPresto
[hidden email]
[hidden email]
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69





Re: Use of SNI routing in Nifi ?

Andy LoPresto
Thanks Pat. The S2S protocol uses TLS as a component, and attempts to use the highest protocol version supported by both endpoints. For Java 8, this should be TLSv1.2, and for Java 11, TLSv1.3 (introduced in upcoming NiFi 1.12.0). 

NiFi itself doesn’t support hosting multiple instances on the same port, so the only way I see this being applicable is if a load balancer/reverse proxy in front of NiFi + other services attempted to identify and route incoming traffic based on SNI. 

I tried to craft a realistic scenario for this email but I couldn’t get to a point where it made sense. If you have a specific desired scenario, I can try to analyze it, but the entire concept of having multiple NiFi services or NiFi + other services be exposed on the same port and use SNI to differentiate seems unnecessary to me. 


Andy LoPresto
[hidden email]
[hidden email]
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On May 22, 2020, at 12:05 PM, Pat White <[hidden email]> wrote:

Hi Andy,
Thanks very much for the feedback, and my apologies for being vague. I have not used SNI so I have some learning to do.

Specific use case we were asked about relates with Nifi to Nifi transfers, so not the webservice itself but rather S2S. 
I was wondering if S2S protocol supports SNI, and if so some pointers on how to configure that.

patw






Re: Use of SNI routing in Nifi ?

Pat White-2
Thank you Andy, certainly appreciate you looking at this. The use of a frontend proxy is an excellent point, both to handle the routing as well as adding isolation for Nifi.

Thanks again for the help.

patw

On Fri, May 22, 2020 at 3:53 PM Andy LoPresto <[hidden email]> wrote:
Thanks Pat. The S2S protocol uses TLS as a component, and attempts to use the highest protocol version supported by both endpoints. For Java 8, this should be TLSv1.2, and for Java 11, TLSv1.3 (introduced in upcoming NiFi 1.12.0). 

NiFi itself doesn’t support hosting multiple instances on the same port, so the only way I see this being applicable is if a load balancer/reverse proxy in front of NiFi + other services attempted to identify and route incoming traffic based on SNI. 

I tried to craft a realistic scenario for this email but I couldn’t get to a point where it made sense. If you have a specific desired scenario, I can try to analyze it, but the entire concept of having multiple NiFi services or NiFi + other services be exposed on the same port and use SNI to differentiate seems unnecessary to me. 


Andy LoPresto
[hidden email]
[hidden email]
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
