5 Replies Latest reply on Aug 31, 2012 2:01 AM by jfclere

    Enable ROOT seems to enable admin-console, jmx-console, etc?

    davidmac

      I have been experimenting with setting up mod_cluster with SSL because we have a requirement that all comms are encrypted between web server and app server. For my development of the configuration, I have downloaded and installed:

      mod_cluster-1.2.0.Final-bin.tar.gz
      mod_cluster-1.2.0.Final-linux2-x64-ssl.tar.gz
      jboss-5.1.0.GA (this matches current env.)

      In my configuration on the web server I have (attempting to trim out all but important points):

      CreateBalancers 0
      Listen 6666
      <VirtualHost _default_:6666>
          SSLEngine on
          SSLCertificateFile blah
          SSLCertificateKeyFile blah
          SSLCACertificateFile blah
          SSLVerifyClient require

          KeepAliveTimeout 300
          MaxKeepAliveRequests 0
          ServerAdvertise Off
          EnableMCPMReceive

          <Location />
             Order deny,allow
             Deny from all
             Allow from 127.0.0 <and local net>
          </Location>
          <Location /mod_cluster_manager>
             SetHandler mod_cluster-manager
             Order deny,allow
             Deny from all
             Allow from 127.0.0 <and local net>
          </Location>
      </VirtualHost>

      Listen 443
      <VirtualHost _default_:443>
      ...SSL configuration stuff that works...
      SSLProxyEngine  on
      SSLProxyCACertificateFile blah
      </VirtualHost>

      I have deployed a simple "sample" app in jboss/server/all/deploy and I start the server with these settings added in run.conf:

      JAVA_OPTS="${JAVA_OPTS} -Djboss.modcluster.proxyList=<thehostname>:6666"
      JAVA_OPTS="${JAVA_OPTS} -Djboss.mod_cluster.advertise=false"
      JAVA_OPTS="${JAVA_OPTS} -Djboss.modcluster.excludedContexts=admin-console,invoker,jbossws,jmx-console,juddi,web-console"

      In the browser I can retrieve the sample app just fine. Note that I have removed ROOT from the excludedContexts because this is what our app requires. I will later deploy our app for the next stage of test, but for now this is just vanilla JBoss with that sample.war file deployed (hello world).

      I can also hit the base URL http://somehost/ and get the "Welcome to JBoss AS" screen, which has links to the admin console, jmx console, etc. Since I have those contexts (e.g. admin-console, jmx-console) excluded, I would not expect to click the link and be able to browse them. However, I can click and see the jmx console or web console just fine. Here is what http://somehost:6666/mod_cluster_manager looks like:

       

      ================
      mod_cluster/1.2.0.Final
      Auto Refresh show DUMP output show INFO output

      Node 4d7bf108-427e-3c7b-ac0a-f0c1a51ef97c (https://x.x.x.x:8443):
      Enable Contexts Disable Contexts
      Balancer: ecombalancer,LBGroup: ,Flushpackets: Off,Flushwait: 10000,Ping: 10000000,Smax: 26,Ttl: 60000000,Status: OK,Elected: 24,Read: 347692,Transferred: 28356,Connected: 0,Load: 86

      Virtual Host 1:
      Contexts:
      /sample, Status: ENABLED Request: 0 Disable
      /, Status: ENABLED Request: 0 Disable
      Aliases:
      localhost
      ================

       

      Any idea why I can browse to those contexts even though they don't show up in the manager and I have them excluded?  Maybe I missed something in the config? I need to understand how to control this to prevent security issues.

       

      Thanks!

       

      (EDITED to remove host name)
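Added example, not code from the original post or from the mod_cluster project: excludedContexts only stops JBoss from registering those contexts with the balancer, and once the root context / is registered (as the manager page above shows) httpd routes every path beneath it to the node, so the administrative paths have to be denied at the proxy itself. The fragment assumes the poster's _default_:443 VirtualHost and Apache 2.2 access-control syntax; the path list is taken from the poster's excludedContexts and the regex is constructed.

```apache
# Added example (not from the original post). Deny the administrative
# contexts at the httpd front end so that registering "/" with mod_cluster
# does not expose them through the reverse proxy. Assumes the existing
# _default_:443 VirtualHost from the post; "blah" values are the poster's
# placeholders and are kept as-is.
Listen 443
<VirtualHost _default_:443>
    # ...SSL configuration stuff that works...
    SSLProxyEngine            on
    SSLProxyCACertificateFile blah

    # Same context names as in jboss.modcluster.excludedContexts (constructed
    # regex). Access control runs before the request is handed to the proxy
    # handler, so a denied request never reaches the JBoss node.
    <LocationMatch "^/(admin-console|invoker|jbossws|jmx-console|juddi|web-console)(/|$)">
        Order deny,allow
        Deny from all
    </LocationMatch>

    # Leave the manager page on the separate 6666 listener; only the
    # application contexts ("/" and "/sample") are meant to be reachable here.
</VirtualHost>
```

After reloading httpd, a request for https://somehost/jmx-console/ should return 403 from httpd rather than the JBoss console, while https://somehost/sample/ continues to be proxied.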