Enable ROOT seems to enable admin-console, jmx-console, etc?
davidmac Aug 23, 2012 11:04 AM
I am experimenting with setting up mod_cluster with SSL because we have a requirement that all comms are encrypted between web server and app server. For my development of the configuration, I have downloaded and installed
mod_cluster-1.2.0.Final-bin.tar.gz
mod_cluster-1.2.0.Final-linux2-x64-ssl.tar.gz
jboss-5.1.0.GA (this matches current env.)
In my configuration on the web server I have (attempting to trim out all but important points):
CreateBalancers 0
Listen 6666
<VirtualHost _default_:6666>
SSLEngine on
SSLCertificateFile blah
SSLCertificateKeyFile blah
SSLCACertificateFile blah
SSLVerifyClient require
KeepAliveTimeout 300
MaxKeepAliveRequests 0
ServerAdvertise Off
EnableMCPMReceive
<Location />
Order deny,allow
Deny from all
Allow from 127.0.0 <and local net>
</Location>
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
Order deny,allow
Deny from all
Allow from 127.0.0 <and local net>
</Location>
</VirtualHost>
Listen 443
<VirtualHost _default_:443>
...SSL configuration stuff that works...
SSLProxyEngine on
SSLProxyCACertificateFile blah
</VirtualHost>
I have deployed a simple "sample" app in jboss/server/all/deploy and I start the server with these settings added in run.conf:
JAVA_OPTS="${JAVA_OPTS} -Djboss.modcluster.proxyList=<thehostname>:6666"
JAVA_OPTS="${JAVA_OPTS} -Djboss.mod_cluster.advertise=false"
JAVA_OPTS="${JAVA_OPTS} -Djboss.modcluster.excludedContexts=admin-console,invoker,jbossws,jmx-console,juddi,web-console"
In the browser I can retrieve the sample app just fine. Note that I have removed ROOT from the excludedContexts because this is what our app requires. I will later deploy our app for the next stage of test but for now this is just vanilla JBoss with that sample.war file deployed (hello world).
I can also hit the base URL http://somehost/ and get the "Welcome to JBoss AS" screen which has links to the admin console, jmx console, etc. Since I have those contexts (e.g. admin-console, jmx-console) excluded, I would not expect to click the link and be able to browse them. However, I can click and see the jmx console or web console just fine. Here is what http://somehost:6666/mod_cluster_manager looks like:
================
mod_cluster/1.2.0.Final
Auto Refresh show DUMP output show INFO output
Node 4d7bf108-427e-3c7b-ac0a-f0c1a51ef97c (https://x.x.x.x:8443):
Enable Contexts Disable Contexts
Balancer: ecombalancer,LBGroup: ,Flushpackets: Off,Flushwait: 10000,Ping: 10000000,Smax: 26,Ttl: 60000000,Status: OK,Elected: 24,Read: 347692,Transferred: 28356,Connected: 0,Load: 86
Virtual Host 1:
Contexts:
/sample, Status: ENABLED Request: 0 Disable
/, Status: ENABLED Request: 0 Disable
Aliases:
localhost
================
Any idea why I can browse to those contexts even though they don't show up in the manager and I have them excluded? Maybe I missed something in the config? I need to understand how to control this to prevent security issues.
Thanks!
(EDITED to remove host name)
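Added example, not part of the original post: a check that parses the context lines of the mod_cluster_manager output quoted above and reports which of the excludedContexts names would still be forwarded to the node. It assumes the proxy selects a node by context-path prefix, so an enabled "/" covers every path; that routing rule and all function names are assumptions of this example, and the sample text is constructed from the post.

```python
import re

# Constructed sample: the context section as quoted in the post.
MANAGER_PAGE = """\
Virtual Host 1:
Contexts:
/sample, Status: ENABLED Request: 0 Disable
/, Status: ENABLED Request: 0 Disable
Aliases:
localhost
"""

# Value of -Djboss.modcluster.excludedContexts from the post.
EXCLUDED = "admin-console,invoker,jbossws,jmx-console,juddi,web-console"

CONTEXT_LINE = re.compile(r"^(/\S*), Status: (\w+)", re.MULTILINE)


def enabled_contexts(page):
    """Return the context paths the manager page lists as ENABLED."""
    return [path for path, status in CONTEXT_LINE.findall(page)
            if status == "ENABLED"]


def matching_context(url_path, contexts):
    """Longest registered context that is a path-segment prefix of url_path.

    Assumption: the proxy routes on context-path prefix, so "/" matches all.
    """
    best = None
    for ctx in contexts:
        base = ctx.rstrip("/")
        if url_path == base or url_path.startswith(base + "/"):
            if best is None or len(ctx) > len(best):
                best = ctx
    return best


def exposed_exclusions(page, excluded):
    """Map each excluded context path to the enabled context that still covers it."""
    contexts = enabled_contexts(page)
    exposed = {}
    for name in excluded.split(","):
        path = "/" + name.strip() + "/"
        ctx = matching_context(path, contexts)
        if ctx is not None:
            exposed[path] = ctx
    return exposed


if __name__ == "__main__":
    for path, ctx in exposed_exclusions(MANAGER_PAGE, EXCLUDED).items():
        print(f"{path} is excluded but still covered by enabled context {ctx}")
```

With the "/" line removed from the sample, exposed_exclusions returns an empty mapping, which is the state the exclusion list was meant to produce.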