Nifi upstream connect error with https

Question

Nifi upstream connect error with https

Nho Luong 25

upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: delayed connect error: 111

Hi All,

I have deploy apache/nifi:1.19.1 and EXPOSE 8080 and my azure container app running but then i have access my URLs on browser then show error:

==============
"" => upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: delayed connect error: 111upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: delayed connect error: 111""

Current i have use Azure Application Gateway (Standard_v2) and don't have configuration with authentication_certificate then i only use trusted root cert from my provider, i mean i NO use CA from Let's Encrypt or Cert self-signed

Then i have debugs an my App Gateway SKU: Standard_v2 no support ❌ truststore and No support setup with authentication_certificate
=> The NiFi backend is requesting TLS (either mTLS or strict TLS handshake), while Application Gateway is not authenticating or not getting the trusted certificate (because you are using Standard_v2)

QUESTIONs:

**The problem is that my current customer wants to save costs when using azure and still wants to keep the current Standard_v2 version, so how can I use https with port 433, or 8443 for Nifi and App Gateway SKU: Standard_v2 is still supported

I mean still use Standard_v2 and how to bypass the configuration of https for the current Nifi**

G Sree Vidya 750 Reputation points Microsoft External Staff

2025-03-26T07:20:17.7233333+00:00
Hi Nho Luong

You can set up the gateway to handle HTTPS for external clients and have NiFi listen on HTTP internally.

We request you to please check below details:

Configure NIFI for HTTP and Make sure it should listen Port 8080 for HTTP traffic instead of HTTPS.

Enable HTTPS on Application Gateway’s frontend using a trusted SSL certificate.

Configure the gateway to listen on port 443 with its own SSL certificate, terminate the SSL connection, and forward traffic to NiFi's exposed port 8080 via HTTP. Ensure network settings allow this connection without firewall blocks.

Certificates required to allow backend servers - Azure Application Gateway | Microsoft Learn

After making changes we request to restart Nifi and check.

For more information, please refer this document:

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview

Let me know if the above steps helps and if you have any further questions feel free to reach out to us.
Alex Burlachenko 4,310 Reputation points

2025-03-26T07:26:09.7166667+00:00

Hi Nho Luong,

are you must use backend HTTPS (8443) or without backend? Depends of u answer I would try to answer of u questions

rgds,

Alex
Nho Luong 25 Reputation points

2025-03-26T09:22:18.1733333+00:00
Yes, i have try backend HTTPS (8443) and try
Listener: HTTPS on port 443

Backend HTTP Settings:

Protocol: HTTP

Port: 8080

Pick host name from backend target ✅

App Gateway terminates HTTPS → forwards via HTTP to NiFi on port 8080 But the same error
Alex Burlachenko 4,310 Reputation points

2025-03-26T09:38:24.4166667+00:00

Hi again,

So i suppouse the error persists because even though you've configured SSL termination at the Application Gateway, NiFi itself may still be enforcing HTTPS connections or rejecting the plain HTTP traffic from the gateway. When using Standard_v2 with backend HTTP, you must ensure NiFi is properly configured to accept HTTP-only connections. verify your nifi.properties file has HTTPS completely disabled by checking that nifi.web.https.host is empty and HTTP is enabled on port 8080. Also confirm that any reverse proxy headers or security filters in NiFi aren't enforcing HTTPS. The Application Gateway's health probes might be failing if they're not reaching an open HTTP endpoint - try configuring them to target /nifi-api/flow/status with HTTP. Additionally, check your Azure network security groups to ensure traffic from the Application Gateway's private IP is allowed on port 8080. If NiFi's UI or API still redirects to HTTPS despite your configuration, there may be lingering security settings in authorizers.xml or login-identity-providers.xml enforcing secure connections. For troubleshooting, examine NiFi's logs for connection attempts from the gateway's IP to identify if requests are being rejected. Temporarily disabling all security in NiFi (setting nifi.security.keystorePasswd and related properties to empty values) can help isolate whether the issue is certificate-related. Remember that Standard_v2 cannot properly validate backend certificates, so forcing HTTPS between gateway and NiFi will likely fail - stick with HTTP for backend communication and rely on Azure's private network security.

rgds, Alex
Alex Burlachenko 4,310 Reputation points

2025-03-26T09:50:09.2433333+00:00
a small add - normally recommended architecture is

Internet User → HTTPS (443) → App Gateway Standard_v2 → HTTP (8080) → NiFi Container
Try to modify your NiFi configuration to - Disable HTTPS for internal communication

Keep HTTP listener on port 8080 (or your chosen port)

#In nifi.properties

nifi.web.https.host= #Leave empty to disable HTTPS

nifi.web.http.host=0.0.0.0

nifi.web.http.port=8080

Configure Application Gateway for HTTPS Termination

For frontend Configuration:

Create a frontend listener on port 443 with your public certificate

This handles SSL termination at the gateway

For backend Configuration:

Point to your NiFi container's IP/port (8080)

Use HTTP protocol (not HTTPS) for backend communication

Configure health probes to use HTTP

Since internal traffic will be HTTP restrict NiFi container access to only the Application Gateway's private IP. Use NSG rules to block direct internet access to NiFi .Consider adding a Web Application Firewall (WAF) policy if needed. May be tha would help. Let me to knw if so

rgds,

Alex
G Sree Vidya 750 Reputation points Microsoft External Staff

2025-03-27T06:19:10.4933333+00:00

Hello Nho Luong,

I wanted to follow up and check if you had the opportunity to review the information provided by Alex Burlachenko in our previous post.

Additionally, please refer to the document below for health probes:

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting

Kindly let us know if the above helps or you need further assistance on this issue.
Nho Luong 25 Reputation points

2025-03-27T09:19:08.7266667+00:00

Hello @G Sree Vidya

try configuring them to target /nifi-api/flow/status

=> done but still error

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting
=> I have done and correct with two suddomain before and running but with nifi i have try more solution and refactor more time then apply new config but the same error.

I have dropped

Thank you for all then direct support to me this case.

Cheers,
Vinay B 245 Reputation points Microsoft External Staff

2025-03-31T08:54:10.58+00:00

Hello Nho Luong

We haven’t heard from you on the last response, and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others.

Please let us know if it was helpful, and feel free to reach out if you have any further queries.
Vinay B 245 Reputation points Microsoft External Staff

2025-04-02T08:14:29.1833333+00:00

Hi Nho Luong

I just wanted to follow up and see if you had a chance to review response to your question.

Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Accepted answer

0 additional answers

Your answer

G Sree Vidya 750 Reputation points Microsoft External Staff

2025-03-26T07:20:17.7233333+00:00

Hi Nho Luong

You can set up the gateway to handle HTTPS for external clients and have NiFi listen on HTTP internally.

We request you to please check below details:

Configure NIFI for HTTP and Make sure it should listen Port 8080 for HTTP traffic instead of HTTPS.

Enable HTTPS on Application Gateway’s frontend using a trusted SSL certificate.

Configure the gateway to listen on port 443 with its own SSL certificate, terminate the SSL connection, and forward traffic to NiFi's exposed port 8080 via HTTP. Ensure network settings allow this connection without firewall blocks.

Certificates required to allow backend servers - Azure Application Gateway | Microsoft Learn

After making changes we request to restart Nifi and check.

For more information, please refer this document:

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview

Let me know if the above steps helps and if you have any further questions feel free to reach out to us.
Alex Burlachenko 4,310 Reputation points

2025-03-26T07:26:09.7166667+00:00

Hi Nho Luong,

are you must use backend HTTPS (8443) or without backend? Depends of u answer I would try to answer of u questions

rgds,

Alex
Nho Luong 25 Reputation points

2025-03-26T09:22:18.1733333+00:00

Yes, i have try backend HTTPS (8443) and try
Listener: HTTPS on port 443

Backend HTTP Settings:

Protocol: HTTP

Port: 8080

Pick host name from backend target ✅

App Gateway terminates HTTPS → forwards via HTTP to NiFi on port 8080 But the same error
Alex Burlachenko 4,310 Reputation points

2025-03-26T09:38:24.4166667+00:00

Hi again,

So i suppouse the error persists because even though you've configured SSL termination at the Application Gateway, NiFi itself may still be enforcing HTTPS connections or rejecting the plain HTTP traffic from the gateway. When using Standard_v2 with backend HTTP, you must ensure NiFi is properly configured to accept HTTP-only connections. verify your nifi.properties file has HTTPS completely disabled by checking that nifi.web.https.host is empty and HTTP is enabled on port 8080. Also confirm that any reverse proxy headers or security filters in NiFi aren't enforcing HTTPS. The Application Gateway's health probes might be failing if they're not reaching an open HTTP endpoint - try configuring them to target /nifi-api/flow/status with HTTP. Additionally, check your Azure network security groups to ensure traffic from the Application Gateway's private IP is allowed on port 8080. If NiFi's UI or API still redirects to HTTPS despite your configuration, there may be lingering security settings in authorizers.xml or login-identity-providers.xml enforcing secure connections. For troubleshooting, examine NiFi's logs for connection attempts from the gateway's IP to identify if requests are being rejected. Temporarily disabling all security in NiFi (setting nifi.security.keystorePasswd and related properties to empty values) can help isolate whether the issue is certificate-related. Remember that Standard_v2 cannot properly validate backend certificates, so forcing HTTPS between gateway and NiFi will likely fail - stick with HTTP for backend communication and rely on Azure's private network security.

rgds, Alex
Alex Burlachenko 4,310 Reputation points

2025-03-26T09:50:09.2433333+00:00

a small add - normally recommended architecture is

Internet User → HTTPS (443) → App Gateway Standard_v2 → HTTP (8080) → NiFi Container
Try to modify your NiFi configuration to - Disable HTTPS for internal communication

Keep HTTP listener on port 8080 (or your chosen port)

#In nifi.properties

nifi.web.https.host= #Leave empty to disable HTTPS

nifi.web.http.host=0.0.0.0

nifi.web.http.port=8080

Configure Application Gateway for HTTPS Termination

For frontend Configuration:

Create a frontend listener on port 443 with your public certificate

This handles SSL termination at the gateway

For backend Configuration:

Point to your NiFi container's IP/port (8080)

Use HTTP protocol (not HTTPS) for backend communication

Configure health probes to use HTTP

Since internal traffic will be HTTP restrict NiFi container access to only the Application Gateway's private IP. Use NSG rules to block direct internet access to NiFi .Consider adding a Web Application Firewall (WAF) policy if needed. May be tha would help. Let me to knw if so

rgds,

Alex
G Sree Vidya 750 Reputation points Microsoft External Staff

2025-03-27T06:19:10.4933333+00:00

Hello Nho Luong,

I wanted to follow up and check if you had the opportunity to review the information provided by Alex Burlachenko in our previous post.

Additionally, please refer to the document below for health probes:

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting

Kindly let us know if the above helps or you need further assistance on this issue.
Nho Luong 25 Reputation points

2025-03-27T09:19:08.7266667+00:00

Hello @G Sree Vidya

try configuring them to target /nifi-api/flow/status

=> done but still error

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting
=> I have done and correct with two suddomain before and running but with nifi i have try more solution and refactor more time then apply new config but the same error.

I have dropped

Thank you for all then direct support to me this case.

Cheers,
Vinay B 245 Reputation points Microsoft External Staff

2025-03-31T08:54:10.58+00:00

Hello Nho Luong

We haven’t heard from you on the last response, and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others.

Please let us know if it was helpful, and feel free to reach out if you have any further queries.
Vinay B 245 Reputation points Microsoft External Staff

2025-04-02T08:14:29.1833333+00:00

Hi Nho Luong

I just wanted to follow up and see if you had a chance to review response to your question.

Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Answer 1

Hi @Nho Luong

Can you please follow the approach below and confirm? This was also suggested by @Alex Burlachenko

An external user sends an HTTPS request tohttps://<app-gateway-domain>/nifi The application gateway receives this request on port 443 and performs SSL termination.

The decrypted HTTP traffic is then forwarded by the Application Gateway to NiFi on port 8080 (as NiFi is configured to accept HTTP internally). NiFi, which is running on HTTP internally, processes the request and sends the response back to the Application Gateway.

Since the communication between NiFi and the Application Gateway happens over HTTP, the traffic is unencrypted. However, when the application gateway sends the response back to the external user, the response is re-encrypted as it is sent through the SSL connection (on HTTPS port 443).

With this setup, the Application Gateway handles SSL termination and forwards unencrypted HTTP traffic to NiFi. This approach is easier to manage and more cost-effective, meeting the user’s requirement to use the Standard_v2 SKU while keeping the system secure and functional.

**I hope this helps to resolve your issue. Please feel free to ask any questions if the solution provided isn't helpful.

**
I really appreciate your feedback. It’s valuable to us. Please click Accept Answer on this post to assist other community members facing similar issues in finding the correct solution.

Nho Luong 25 Reputation points

2025-04-16T03:22:18.5966667+00:00

Still no fix but i need drop and close this ticket.

Thank you for all then help me this case

Cheers.

Share via

Nifi upstream connect error with https

0 additional answers

Your answer