8 Replies Latest reply on Nov 21, 2012 5:42 AM by cjayaprakash

mod_cluster http to https redirection doesn't work when node is registered

cjayaprakash Nov 15, 2012 6:13 AM

I am using mod_cluster 1.2 as a load balancer and JBoss AS 7.1.1.Final as nodes. I have configured AJP connector in JBoss and mod_cluster is connected with JBoss nodes.

I want to achieve the following,

Client <--HTTPS--> Balancer <--AJP--> JBoss

JBoss is connecting to mod_cluster and with HTTP & HTTPS, I am able to access the nodes using mod_cluster. But I want to do the HTTP to HTTPS redirection.

The redirection works only if JBoss node is not registered with mod_cluster.

When one or more JBoss node is registered with mod_cluster, the HTTP to HTTPS redirection doesn't work. When I disable the context in mod_cluster_manager, it works.

Here is my mod_cluster configuration,

LoadModule actions_module modules/mod_actions.so

LoadModule alias_module modules/mod_alias.so

LoadModule asis_module modules/mod_asis.so

LoadModule auth_basic_module modules/mod_auth_basic.so

LoadModule authn_default_module modules/mod_authn_default.so

LoadModule authn_file_module modules/mod_authn_file.so

LoadModule authz_default_module modules/mod_authz_default.so

LoadModule authz_groupfile_module modules/mod_authz_groupfile.so

LoadModule authz_host_module modules/mod_authz_host.so

LoadModule authz_user_module modules/mod_authz_user.so

LoadModule autoindex_module modules/mod_autoindex.so

LoadModule cgi_module modules/mod_cgi.so

LoadModule dir_module modules/mod_dir.so

LoadModule env_module modules/mod_env.so

LoadModule include_module modules/mod_include.so

LoadModule isapi_module modules/mod_isapi.so

LoadModule log_config_module modules/mod_log_config.so

LoadModule mime_module modules/mod_mime.so

LoadModule negotiation_module modules/mod_negotiation.so

LoadModule rewrite_module modules/mod_rewrite.so

LoadModule setenvif_module modules/mod_setenvif.so

LoadModule ssl_module modules/mod_ssl.so

LoadModule proxy_module modules/mod_proxy.so

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

LoadModule proxy_cluster_module modules/mod_proxy_cluster.so

LoadModule manager_module modules/mod_manager.so

LoadModule slotmem_module modules/mod_slotmem.so

LoadModule advertise_module modules/mod_advertise.so

LogLevel debug

ServerName localhost

Listen 127.0.0.1:6666

ManagerBalancerName mycluster

Order deny,allow

Allow from all

</Location>

SetHandler mod_cluster-manager

Order deny,allow

Deny from all

Allow from 127.0.0

</Location>

KeepAliveTimeout 300

MaxKeepAliveRequests 0

AdvertiseFrequency 5

EnableMCPMReceive

</VirtualHost>

</IfModule>

Listen 80

RewriteEngine on

RewriteCond %{SERVER_PORT} 80

RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

</VirtualHost>

Listen 443

Order deny,allow

Allow from all

</Location>

SSLEngine On

SSLCACertificateFile C:/work/certs/gs/root.pem

SSLCertificateChainFile C:/work/certs/gs/inter.pem

SSLCertificateFile C:/work/certs/gs/kc.pem

SSLCertificateKeyFile C:/work/certs/gs/key.key

</VirtualHost>

When JBoss is not registered with mod_cluster, and I try `http://localhost` it is redirected to `https://localhost`. But when a JBoss node is registered the HTTPS redirection is not working. It is opening the page in HTTP mode only. Please help me to resolve this.

1. Re: mod_cluster http to https redirection doesn't work when node is registered

mbabacek Nov 15, 2012 7:26 AM (in response to cjayaprakash)

OK, let's move the debate from http://stackoverflow.com/questions/13363588/mod-cluster-https-redirect-is-not-working-when-an-application-server-is-register to this thread :-)

What was wrong with the config I posted on stackoverflow? Can you show me any debug logs?
The configuration you present here is wrong - there is no ssl in m_c's virtualHost.

Can you try the config I posted on stackoverflow and tell me what exactly is wrong?
Actions
2. Re: mod_cluster http to https redirection doesn't work when node is registered

cjayaprakash Nov 19, 2012 9:24 AM (in response to mbabacek)

Hi Mike,

Thanks for your reply. With your configuration JBoss is not connecting to m_c.

With following JBoss configuration,
<mod-cluster-config proxy-list="127.0.0.1:8888" advertise="false" excluded-contexts="admin-console,invoker,jbossws,jmx-console,juddi,web-console"/>
got the following error,

19:52:34,728 ERROR [org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Error [null: null: {4}] sending command INFO to proxy 127.0.0.1/127.0.0.1:8888, configuration will be reset

As per your configuration, do I need to use Worker<--HTTPS-->Balancer for MCMP?
Actions
3. Re: mod_cluster http to https redirection doesn't work when node is registered

cjayaprakash Nov 20, 2012 1:20 AM (in response to cjayaprakash)

Hi Mike,

I have configured the Worker<--HTTPS-->Balancer configuration. But still same effect. When Jboss is registered with m_c, the redirection is not working.

Here is my m_c configuration,

LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule manager_module modules/mod_manager.so
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule advertise_module modules/mod_advertise.so

ErrorLog "logs/error_log"
LogLevel debug

ServerName localhost

Listen 8800
<VirtualHost 127.0.0.1:8800>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^8888$
RewriteRule ^(.*) https://%{SERVER_NAME}:8888%{REQUEST_URI}
</VirtualHost>

<IfModule manager_module>
Listen 8888
ManagerBalancerName qacluster
<VirtualHost 127.0.0.1:8888>
    <Directory />
      Order deny,allow
      Deny from all
      Allow from all
    </Directory>

    KeepAliveTimeout 300
    MaxKeepAliveRequests 0
    AdvertiseFrequency 5
    EnableMCPMReceive

    #ServerAdvertise on
    #AdvertiseGroup 224.0.1.105:6666

    <Location /mcm>
      SetHandler mod_cluster-manager
      Order deny,allow
      Deny from all
      Allow from all
   </Location>

    SSLEngine On
    SSLCACertificateFile C:/work/certs/gs/gs_root.pem
    SSLCertificateChainFile C:/work/certs/gs/gs_inter.pem
    SSLCertificateFile C:/work/certs/gs/kc.pem
    SSLCertificateKeyFile C:/work/certs/gs/kc.key

</VirtualHost>
</IfModule>

JBoss configuration,
        <subsystem xmlns="urn:jboss:domain:modcluster:1.0">
            <mod-cluster-config proxy-list="127.0.0.1:8888" advertise="false" excluded-contexts="admin-console,invoker,jbossws,jmx-console,juddi,web-console">
                <ssl key-alias="1" password="changeit" certificate-key-file="C:\Users\jai\.keystore" ca-certificate-file="C:\work\certs\gs\ca.jks"/>
            </mod-cluster-config>
        </subsystem>

After JBoss is registered with m_c the link http://localhost:8800/mcm itself not working.

Here is the debug logs from m_c,
[Tue Nov 20 11:43:13 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:13 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:13 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:13 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:13 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Nov 20 11:43:13 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:13 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:13 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:13 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:14 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:14 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:14 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:14 2012] [notice] Advertise initialized for process 6148
[Tue Nov 20 11:43:14 2012] [notice] Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0g mod_cluster/1.2.0.Final configured -- resuming normal operations
[Tue Nov 20 11:43:14 2012] [notice] Server built: Feb 9 2012 22:24:33
[Tue Nov 20 11:43:14 2012] [notice] Parent: Created child process 5660
[Tue Nov 20 11:43:14 2012] [debug] mpm_winnt.c(477): Parent: Sent the scoreboard to the child
[Tue Nov 20 11:43:14 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:14 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Nov 20 11:43:14 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:14 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:14 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:15 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:15 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:15 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:15 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:15 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:15 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:15 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:15 2012] [debug] mod_advertise.c(577): [5660 - 6148] in child post config hook
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Child process is running
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(398): Child 5660: Retrieved our scoreboard from the parent.
[Tue Nov 20 11:43:15 2012] [info] Parent: Duplicating socket 128 and sending it to child process 5660
[Tue Nov 20 11:43:15 2012] [info] Parent: Duplicating socket 124 and sending it to child process 5660
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(595): Parent: Sent 2 listeners to child 5660
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(554): Child 5660: retrieved 2 listeners from parent
[Tue Nov 20 11:43:15 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 5660 for worker proxy:reverse
[Tue Nov 20 11:43:15 2012] [debug] proxy_util.c(1914): proxy: initialized worker 0 in child 5660 for (*) min=0 max=64 smax=64
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Acquired the start mutex.
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting 64 worker threads.
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting thread to listen on port 8888.
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting thread to listen on port 8800.
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done
Actions
4. Re: mod_cluster http to https redirection doesn't work when node is registered

jfclere Nov 20, 2012 2:20 AM (in response to cjayaprakash)

"After JBoss is registered with m_c the link http://localhost:8800/mcm itself not working."
1 - use https://localhost:8888/mcm
2 - are you sure you need SSL between AS and httpd?
3 - what was the real problem? the direct doesn't work with mod_cluster when a node is registered? (that rings bells I have fixed "recently" a related bug. (JBEWS-78)
Actions
5. Re: mod_cluster http to https redirection doesn't work when node is registered

cjayaprakash Nov 20, 2012 2:30 AM (in response to jfclere)

Hi Jean,

Thanks for your reply.

No, I dont need SSL between AS and httpd. I tried that as per Michael's suggestion.

I want to achieve this
Client <--SSL--> Balancer <--AJP--> Workers

I did the above setup and SSL is working. The problem is I want to do the HTTPS redirection like when http://jboss.org is hit I need to redirect the page to https://jboss.org. It is not working in mod_cluster when one or more workers (JBoss) are registered with m_c.

I am using JBoss AS 7.1.1 & m_c 1.2.0

Please help.
Actions
6. Re: mod_cluster http to https redirection doesn't work when node is registered

cjayaprakash Nov 20, 2012 3:48 AM (in response to jfclere)

Jean,

I am unable to see the bug JBEWS-78 (https://issues.jboss.org/browse/JBEWS-78). Do I need special permission for this?
Actions
7. Re: mod_cluster http to https redirection doesn't work when node is registered

jfclere Nov 20, 2012 4:22 AM (in response to cjayaprakash)

weird... Basically you need 1.2.2.Final to fix the problem.
Actions
8. Re: mod_cluster http to https redirection doesn't work when node is registered

cjayaprakash Nov 21, 2012 5:42 AM (in response to jfclere)

Thanks. I have downloaded latest mod_cluster code and compiled 4 mod_cluster so (advertise, cluster, etc) and used.

It works!!!
Actions

Go to original post