-
1. Re: SSL configuration for mod_cluster in apache & JBOSS EAP 6
jfclere Nov 19, 2012 4:11 AM (in response to michadmin)"downstream server wanted client certificate but none are configured" that is the problem. Do you have
verify-client in the AS configuration?
-
2. Re: SSL configuration for mod_cluster in apache & JBOSS EAP 6
michadmin Nov 21, 2012 3:45 PM (in response to jfclere)Merci Jean
setting verify-client="false" fixed the issue, it works now but intermittently i get expected response but when i refresh i get the following:
Bad Gateway
The proxy server received an invalid response from an upstream server.
Apache/2.2.15 (Red Hat) Server at www.mydomain.com Port 443
The following is in apache ssl error log:[error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:8843 (localhost)
[Wed Nov 21 14:04:50 2012] [error] proxy: pass request body failed to 127.0.0.1:8843 (localhost) from 127.0.0.1 ()
I looked it up and other people mention that app server configuration is not setup the same as webserver mod_cluster configuration. Any pointers on what configuration to look at?
Thanks,
Micky
-
3. Re: SSL configuration for mod_cluster in apache & JBOSS EAP 6
jfclere Nov 22, 2012 7:43 AM (in response to michadmin)The "bad gateway" probably JBPAPP-9493 :-(
-
4. Re: SSL configuration for mod_cluster in apache & JBOSS EAP 6
mbabacek Nov 22, 2012 8:25 AM (in response to michadmin)Jean-Frederic was probably too modest to mention his cool fix: https://github.com/modcluster/mod_cluster/commit/855cdda451eb561abe10463133f36360d5a302fe :-)
If you get this 502 at the same time as you observe httpd's CLOSE_WAIT sockets via netstat, the fix will help you.
BTW: ... and you probably don't want the SSLProxyVerify require.
-
5. Re: SSL configuration for mod_cluster in apache & JBOSS EAP 6
michadmin Nov 25, 2012 12:34 PM (in response to mbabacek)@Jean how can i confirm that the problem i am having is JBPAPP-9493? i dont see anything in jboss logs. does this fix apply for jboss EAP6 too?
@Michael i am not using SSLProxyVerify require. I see CLOSE_WAIT already when starting jboss and apache before hitting the application. How many is a sign of the problem?
netstat -an | grep -i close
tcp 8 0 127.0.0.1:36368 127.0.0.1:8743 CLOSE_WAIT
tcp 8 0 127.0.0.1:36381 127.0.0.1:8743 CLOSE_WAIT
tcp 8 0 127.0.0.1:36376 127.0.0.1:8743 CLOSE_WAIT
tcp 8 0 127.0.0.1:36373 127.0.0.1:8743 CLOSE_WAIT
tcp 8 0 127.0.0.1:36378 127.0.0.1:8743 CLOSE_WAIT
tcp 8 0 127.0.0.1:36369 127.0.0.1:8743 CLOSE_WAIT
tcp 8 0 127.0.0.1:36375 127.0.0.1:8743 CLOSE_WAIT
-
6. Re: SSL configuration for mod_cluster in apache & JBOSS EAP 6
jfclere Nov 26, 2012 4:38 AM (in response to michadmin)"does this fix apply for jboss EAP6 too?" it is planned to fix the problem in 6.0.1 (JBPAPP6-1170).
-
7. Re: SSL configuration for mod_cluster in apache & JBOSS EAP 6
michadmin Nov 26, 2012 11:40 AM (in response to jfclere)Thanks are there any instructions on installing the fix? I couldnt find them from the link above
-
8. Re: SSL configuration for mod_cluster in apache & JBOSS EAP 6
jfclere Nov 27, 2012 2:57 AM (in response to michadmin)if you have a support contract you should create a case and you will get your binary and the instructions how to install it, if no that is a bit more complex and that depends on the platform you are using.
The patch is in a C module so you need either try with the branch 1.2.x or checkout the tag corresponding to your EAP version.
To build mod_cluster use the instruction http://docs.jboss.org/mod_cluster/1.2.0/html/native.building.html to install the patch copy the mod_proxy_cluster.so to the httpd modules directory.