7 Replies Latest reply on Dec 17, 2009 3:34 AM by jfclere

    https to http proxy issue...

      I have a bit of a problem: I set up a mod_cluster/proxy box and I have a Tomcat 6.0 webserver box. The webserver box has an SSL cert on it at this time and the proxy box does not. I created a proxylist in the modcluster listener on the webserver box to point to the modcluster/proxy box. But it seems as if the proxy box is not picking up the web server box and vice versa. Both boxes are on the same network and there isn't a firewall in between them.
      httpd.config :
      Listen 150.125.100.1:777
      <VirtualHost 150.125.100.1:777>
      ManagerBalancerName mybal
      ServerAdvertise off
      CreateBalancers 0
      #ProxyPass / balancer://mybal/ stickysession=JSESSIONID
      <Directory />
      Order deny,allow
      Deny from all
      Allow from 150.125.100.2
      </Directory>
      KeepAliveTimeout 60
      MaxKeepAliveRequests 0
      </VirtualHost>
      <Location /mod_cluster-manager>
      SetHandler mod_cluster-manager
      Order deny,allow
      Deny from all
      Allow from 150.125.100.1
      </Location>

      server.xml:

      <!-- mod cluster engine node -->

        • 1. Re: https to http proxy issue...

          it got cut off:

          server.xml:

          <!-- mod cluster engine node -->

          • 2. Re: https to http proxy issue...

            I have a bit of a problem: I set up a mod_cluster/proxy box and I have a Tomcat 6.0 webserver box. The webserver box has an SSL cert on it at this time and the proxy box does not. I created a proxylist in the modcluster listener on the webserver box to point to the modcluster/proxy box. But it seems as if the proxy box is not picking up the web server box and vice versa.
            httpd.config :

            Listen 150.125.100.1:777
            <VirtualHost 150.125.100.1:777>
             ManagerBalancerName mybal
             ServerAdvertise off
             CreateBalancers 0
             #ProxyPass / balancer://mybal/ stickysession=JSESSIONID
             <Directory />
             Order deny,allow
             Deny from all
             Allow from 150.125.100.2
             </Directory>
             KeepAliveTimeout 60
             MaxKeepAliveRequests 0
            </VirtualHost>
            <Location /mod_cluster-manager>
             SetHandler mod_cluster-manager
             Order deny,allow
             Deny from all
             Allow from 150.125.100.1
            </Location>
            
            server.xml:
            <Listener className="org.jboss.modcluster.ModClusterListener"
             advertise="false"
             ProxyList="150.125.100.1:777"
             balancer="mybal"
             domain="node01"
             stickySession="true"
             stickySessionForce="false"
             stickySessionRemove="false"
             nodeTimeout="300"
             ssl="false"
             sslKeyStorePass="password"
             sslKeyStore="keystore"
             sslKeyStoreType="JKS"
             sslTrustStore="truststore.jks"
             sslTrustStoreType="JKS"
             sslTrustStorePassword="password" />
            <!-- mod cluster engine node -->
             <Engine name="jboss.web" defaultHost="localhost" jvmRoute="node01" >
            
            


            • 3. Re: https to http proxy issue...
              jfclere

              See http://www.jboss.org/mod_cluster/ssl.html
              You have to configure the VirtualHost on httpd side

              • 4. Re: https to http proxy issue...
                jfclere
                Copy + paste of an answer I have deleted by accident:
                +++
                I installed the SSL cert on the mod_cluster box successfully and it works over port 80. But when I set up the Tomcat server with its SSL connector to connect to the mod_cluster box through 443, it's not connecting. I'm not getting any error in the logs. Anything you can think of?

                SSLSessionCache        "shmcb:/opt/jboss/httpd/httpd/logs/ssl_scache(512000)"
                SSLSessionCacheTimeout  300
                Listen 150.125.0.1:443
                <VirtualHost 150.125.0.1:443>
                   SSLEngine off
                   SSLCertificateFile  /opt/ssl/cert/cert.crt
                   SSLCertificateKeyFile /opt/ssl/cert/key.key
                   SSLCACertificatePath /opt/ssl/cert/
                   SSLVerifyClient none
                   SSLVerifyDepth  10
                   #ServerAdvertise off
                   <Directory />
                      Order deny,allow
                      Deny from all
                      Allow from 150.125.0.
                   </Directory>
                   KeepAliveTimeout 60
                   MaxKeepAliveRequests 0
                </VirtualHost>

                <Listener className="org.jboss.modcluster.ModClusterListener"
                       advertise="false"
                       ProxyList="150.125.0.1:443"
                       balancer="mybal"
                       domain="ws01"
                       stickySession="true"
                       stickySessionForce="false"
                       stickySessionRemove="false"
                       nodeTimeout="300"
                       ssl="true"
                       sslKeyStorePass="changeit"
                       sslKeyStore="keystore"
                       sslKeyStoreType="JKS"
                       sslTrustStore="truststore.jks"
                       sslTrustStoreType="JKS"
                       sslTrustStorePassword="pass" />

                <Connector
                port="443" minSpareThreads="5" maxSpareThreads="75"
                enableLookups="true" disableUploadTimeout="true"
                acceptCount="100" maxThreads="200"
                scheme="https" secure="true" SSLEnabled="true"
                keystoreFile="keystore" keystorePass="pass"
                truststoreType="JKS" truststoreFile="truststore.jks" truststorePass="pass"
                clientAuth="false" sslProtocol="TLS" ciphers="xxxxx,xxxx,xxxx,xxxx"
                />

                <Connector port="8009" protocol="AJP/1.3" redirectPort="443" URIEncoding="UTF-8" />
                +++
                • 5. Re: https to http proxy issue...
                  jfclere
                  SSLEngine off
                  Why? It should be on, no?
                  Use a browser (or curl) and check that you can connect from jboss to the httpd one via https://150.125.0.1/
                  • 6. Re: https to http proxy issue...

                    Oh sorry, I guess I turned the SSLEngine off while trying a few things out.

                    I just turned it on. I can connect to the httpd server from the tomcat server using curl. It seems as if the issue is either on the handshake or something else. I've verified my certs and everything as well. I appreciate your responses, thank you.

                    • 7. Re: https to http proxy issue...
                      jfclere
                      ciphers="xxxxx,xxxx,xxxx,xxxx" looks weird to me.
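
Added example, not part of the thread and not mod_cluster code: a small Python lint for the two problems raised in replies 5 and 7, namely the proxy VirtualHost's SSLEngine disagreeing with the listener's ssl attribute, and placeholder cipher names on the Connector. The sample input is constructed from the configuration posted above (wrapped in a `<Server>` root so it parses), and the TLS_/SSL_ prefix test for JSSE cipher names is a heuristic assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input, trimmed from the configuration posted in the thread.
HTTPD_CONF = """
Listen 150.125.0.1:443
<VirtualHost 150.125.0.1:443>
   SSLEngine off
   SSLCertificateFile  /opt/ssl/cert/cert.crt
   SSLVerifyClient none
</VirtualHost>
"""
SERVER_XML = """<Server>
  <Listener className="org.jboss.modcluster.ModClusterListener"
            advertise="false" ProxyList="150.125.0.1:443" ssl="true" />
  <Connector port="443" scheme="https" SSLEnabled="true"
             ciphers="xxxxx,xxxx,xxxx,xxxx" />
</Server>"""

def vhost_ssl_state(conf):
    """Map each <VirtualHost addr:port> to True if it has 'SSLEngine on'."""
    state = {}
    pattern = r"<VirtualHost\s+([^>\s]+)>(.*?)</VirtualHost>"
    for addr, body in re.findall(pattern, conf, re.S | re.I):
        m = re.search(r"^\s*SSLEngine\s+(\w+)", body, re.M | re.I)
        state[addr] = bool(m) and m.group(1).lower() == "on"
    return state

def lint(conf, server_xml):
    """Return a list of warnings about proxy/listener TLS mismatches."""
    findings = []
    vhosts = vhost_ssl_state(conf)
    root = ET.fromstring(server_xml)
    for lst in root.iter("Listener"):
        if not lst.get("className", "").endswith("ModClusterListener"):
            continue
        want_ssl = lst.get("ssl", "false").lower() == "true"
        for proxy in (p.strip() for p in lst.get("ProxyList", "").split(",")):
            if proxy and proxy not in vhosts:
                findings.append(f"{proxy}: no matching <VirtualHost>")
            elif proxy and vhosts[proxy] != want_ssl:
                findings.append(f"{proxy}: listener ssl={want_ssl} but SSLEngine on={vhosts[proxy]}")
    for conn in root.iter("Connector"):
        names = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        # Heuristic (assumption): JSSE cipher suite names start with TLS_ or SSL_.
        bad = [c for c in names if not re.match(r"(TLS|SSL)_", c)]
        if bad:
            findings.append(f"Connector port {conn.get('port')}: suspicious ciphers {bad}")
    return findings

if __name__ == "__main__":
    for finding in lint(HTTPD_CONF, SERVER_XML):
        print("WARN", finding)
```
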