7 Replies Latest reply on Dec 12, 2012 7:39 PM by soneill

    https URL weirdness

    soneill

      I've got mod_cluster fronting two JBoss app servers, semi-working.

       

      1) Occasionally getting the bad gateway/502 error - I think I read that there's a fix or a workaround for that. I'll come back to this after I deal with 2)

       

      2) More frustrating is trying to track down why when I hit https://webhost:port/context I get redirected to https://x.x.x.x:port/context. Basically, I am being redirected from my web server proxy to the backend host, and that backend host's IP becomes the new servername in the URL. However, when I hit https://webhost:port/context/path - the URL remains unchanged. I find this to be weird.

       

      I suspect I am missing an obvious configuration parameter.  Can anyone suggest some parameters to (re)review?

        • 1. Re: https URL weirdness
          jfclere
          1 of 1 people found this helpful
          • 2. Re: https URL weirdness
            mbabacek

            Hi Steven,

            ad 1), yes, it is: JBPAPP6-1170, whereas the easiest solution for you would be to upgrade to mod_cluster 1.2.3.Final that has the fix included (the bug was in the native part).

            ad 2), this is weird indeed. Could you show me your config, so that I can proofread it?

             

            BTW: Ad 1) Are you 100% positive you need HTTPS between balancer and worker nodes? Isn't it enough to have client - balancer communication encrypted and use AJP for balancer - worker nodes communication (probably being on your trusted network)? Consider the performance overhead...

            1 of 1 people found this helpful
            • 3. Re: https URL weirdness
              soneill

              Thank you both for the responses.  I am in the process of trying out those suggestions now.  I had gotten distracted by other tasks.

               

               

              To add to the second point, if I include a trailing slash, à la https://webhost:port/path/ instead of https://webhost:port/path, things work just fine.

               

              I will try Jean-Frederic's suggestions first, then I will post the results along with my config.

               

              Michal - that is an important point about the performance overhead gains by terminating SSL earlier in the process. In this case of sensitive data though, depending on various industry regulations, I believe, https/secure communication is required all the way through, even if it's on the internal trusted network, yes?

              • 4. Re: https URL weirdness
                soneill

                Okay, with the "ProxyPreserveHost On", I end up with this error:

                 

                Not Found

                 

                The requested URL <blah> was not found on this server.

                 

                 

                So I turned that off, and tried the proxy-host and proxy-port settings.   This worked to a degree.  Now when I hit https://webhost:port/context, I get back the same URL and expected content, but with an extra slash at the end of the URL: https://webhost:port/context/

                 

                 

                Here is my ssl config portion of my apache config:

                 

                LoadModule ssl_module /opt/jboss/httpd_jbdc/modules/mod_ssl.so
                LoadModule slotmem_module /opt/jboss/httpd_jbdc/modules/mod_slotmem.so
                LoadModule manager_module /opt/jboss/httpd_jbdc/modules/mod_manager.so
                LoadModule proxy_cluster_module /opt/jboss/httpd_jbdc/modules/mod_proxy_cluster.so
                LoadModule advertise_module /opt/jboss/httpd_jbdc/modules/mod_advertise.so

                AddType application/x-x509-ca-cert .crt
                AddType application/x-pkcs7-crl    .crl

                SSLPassPhraseDialog  builtin

                SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
                SSLSessionCacheTimeout  300

                SSLMutex default

                SSLRandomSeed startup file:/dev/urandom  256
                SSLRandomSeed connect builtin

                SSLCryptoDevice builtin
                #ProxyPreserveHost On
                SSLProxyEngine On
                SSLProtocol all -SSLv2
                SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
                SSLCertificateFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.crt
                SSLCertificateKeyFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.key

                NameVirtualHost 10.0.10.15:445
                MemManagerFile /var/cache/httpd

                Listen 6668
                <VirtualHost *:6668>
                    ManagerBalancerName jbdtdc
                    #ProxyPreserveHost On

                    SSLEngine on
                    SSLProxyEngine On
                    SSLProtocol all -SSLv2
                    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
                    SSLCertificateFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.crt
                    SSLCertificateKeyFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.key

                    EnableMCPMReceive On
                    AdvertiseFrequency 5
                    ServerAdvertise off
                    CustomLog logs/ssl_request_modcluster_log \
                          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

                    LogLevel debug
                    ErrorLog logs/ssl_error_modcluster_log
                    TransferLog logs/ssl_access_modcluster_log
                </Virtualhost>

                Listen 445
                <VirtualHost *:445>
                    KeepAliveTimeout 60
                    MaxKeepAliveRequests 0
                    ManagerBalancerName jbdtdc

                    #ProxyPreserveHost On
                    SSLEngine on
                    SSLProxyEngine On
                    SSLProtocol all -SSLv2
                    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
                    SSLCertificateFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.crt
                    #SSLCertificateChainFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.crt

                    <Location />
                      Order deny,allow
                      Allow from all
                    </Location>

                    <Location /mcm>
                        SetHandler mod_cluster-manager
                        Order deny,allow
                        Allow from all
                    </Location>

                    CustomLog logs/ssl_request_log \
                    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

                    ErrorLog logs/ssl_error_log
                    TransferLog logs/ssl_access_log

                    LogLevel debug
                </VirtualHost>

                Listen 80
                <VirtualHost *:80>
                    RewriteEngine on
                    RewriteCond  %{SERVER_PORT} !^445$
                    RewriteRule ^(.*) https://%{SERVER_NAME}:445%{REQUEST_URI}
                </VirtualHost>

                • 5. Re: https URL weirdness
                  jfclere

                  Are you sure about the extra /? It might be that you get a redirect to https://webhost:port/context/ for AS7?

                  To check: curl -v https://webhost:port/context
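
The check suggested above with curl -v, automated as an added example that is not part of the original thread: it classifies the Location header of a response received through the proxy, separating a plain trailing-slash redirect from one that exposes a backend address. The host name webhost.example, the address 192.0.2.10 and the sample responses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def check_redirect(request_url, status, location):
    """Return (verdict, slash_only) for one response seen through the proxy.

    verdict: 'no-redirect', 'ok', 'host-changed' or 'backend-ip-leak'
    slash_only: True when the redirect merely appends '/' to the path
    """
    if status not in REDIRECT_CODES or not location:
        return ("no-redirect", False)
    req = urlsplit(request_url)
    # Resolve a relative Location against the request URL, as a client would.
    target = urlsplit(urljoin(request_url, location))
    slash_only = target.path == req.path + "/"
    if target.hostname == req.hostname:
        return ("ok", slash_only)
    try:
        # An IP literal in place of the proxy's name points at a backend node.
        ipaddress.ip_address(target.hostname or "")
    except ValueError:
        return ("host-changed", slash_only)
    return ("backend-ip-leak", slash_only)

# Constructed samples: (request URL, status, Location header or None)
SAMPLES = [
    ("https://webhost.example:445/context", 302, "https://192.0.2.10:445/context/"),
    ("https://webhost.example:445/context", 302, "https://webhost.example:445/context/"),
    ("https://webhost.example:445/context", 302, "/context/"),
    ("https://webhost.example:445/context/path", 200, None),
]

def audit(samples):
    """Run check_redirect over every sample and return the verdicts in order."""
    return [check_redirect(*s) for s in samples]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, audit(SAMPLES)):
        print(sample[0], "->", result)
```
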

                  • 6. Re: https URL weirdness
                    jfclere

                    With the ProxyPreserveHost On, where does the 404 come from? From AS7?

                    • 7. Re: https URL weirdness
                      soneill

                      I ended up running "curl -v -k https://webhost:port/context", since we aren't using a ca cert.   It returns a 404 with or without the "/" at the end of the context.

                       

                      With ProxyPreserveHost On, I do not have a record of where the 404 comes from.

                       

                      In any case, I ended up getting sufficient use out of the current configuration and have no need to troubleshoot further. Thank you for the assistance provided!