4 Replies Latest reply on May 24, 2013 3:36 PM by ehle

    http to https redirection whilst using mod_cluster

    steljboss

      I had a very simple setup of 2 httpd+mod_cluster and 2 JBoss 7.1.1 servers. The first 2 load-balance and fail over requests (sticky) across the 2 JBoss servers.
      The Apache servers only had port 80 available to bind to, and hence for that purpose I configured:

       

      httpd.conf

      Listen 192.168.5.54:80
      <VirtualHost 192.168.5.54:80>
       
        <Directory />
          Order deny,allow
          Allow from all
        </Directory>
       
        <Location /mod_cluster-manager>
          SetHandler mod_cluster-manager
          Order deny,allow
          Allow from 192.168.5.54
        </Location>
        KeepAliveTimeout 60
        ManagerBalancerName mycluster
        ServerAdvertise Off
        EnableMCPMReceive
       
      </VirtualHost>
      

       

      JBoss standalone-ha.xml (with TCP for the comms between server<-->httpd for mod_cluster, i.e. jboss.mod_cluster.proxyList=192.168.5.54:80,192.168.5.55:80):

       

       

      <subsystem xmlns="urn:jboss:domain:modcluster:1.0">
          <mod-cluster-config advertise-socket="modcluster" proxy-list="${jboss.mod_cluster.proxyList:192.168.5.54:80,192.168.5.55:80}" domain="${jboss.domain:DefaultPortalDomain}" excluded-contexts="invoker,jbossws,juddi,console" sticky-session="true">
              <dynamic-load-provider>
                  <load-metric type="busyness"/>
              </dynamic-load-provider>
          </mod-cluster-config>
      </subsystem>
      

       

      That works like a charm, but now I am required to redirect all HTTP requests arriving on httpd+mod_cluster to HTTPS. I do not wish to get the certificates all the way to the JBoss servers
      and simply want to handle the SSL handshake on the Apache server, but my configuration does not seem to work. Any thoughts?

       

      The problems I am having are:
      a) With Option A (described below): if the VirtualHost on 80 always redirects to the VirtualHost on 443, then on which VirtualHost do I configure mod_cluster (on 443 or on another?), and where will the TCP server<-->httpd comms for mod_cluster be configured to? (in both Apache servers, only the IP changes)

       

      <VirtualHost 192.168.5.54:80>
       
        <Directory />
          Order deny,allow
          Allow from all
        </Directory>
        
        Redirect permanent / https://192.168.5.54:443/
        # or
        #RewriteEngine on
        #RewriteCond %{SERVER_PORT} 80
        #RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI}  [R,L]
      </VirtualHost>
      

       

      and then the Virtual Host for the mod_cluster

       

      # MOD_CLUSTER_ADDS
      <IfModule manager_module>
        Listen 192.168.5.54:443
        ManagerBalancerName STELIOS-LOCAL-CLUSTER
        Maxsessionid 5000
        <VirtualHost 192.168.5.54:443>
          <Location />
           Order deny,allow
           Deny from all
           Allow from 192.168.5.54
          </Location>
          KeepAliveTimeout 300
          MaxKeepAliveRequests 0
          EnableMCPMReceive
          AllowDisplay on
          <Location /mod_cluster_manager>
             SetHandler mod_cluster-manager
             Order deny,allow
             Deny from all
             Allow from 192.168.5.54
          </Location>
       
          SSLEngine on
          SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
          SSLCertificateFile "C:/httpd-2.2/conf/server.crt"
          SSLCertificateKeyFile "C:/httpd-2.2/conf/server.pem"
        </VirtualHost>
      </IfModule>
      

       

      But that means that my servers will have to communicate with mod_cluster in Apache via HTTPS. I have not created the certificates; these are given to me, so
      I am not sure if I can set up SSL between JBossWEB --> httpd [1][2].

       

      b) With Option B: as I have seen here [3], the problems are that a different port is used in the mod_cluster VirtualHost (i.e. <VirtualHost 127.0.0.1:6666>) and the redirection between 80 --> 443 does not seem to include that VirtualHost anywhere. Hence, as I see it, standalone-ha.xml would have to configure the mod-cluster subsystem to communicate on 6666, but then requests arriving on 80 can never get load-balanced, as they are never directed to 6666.
       
      I am using mod_cluster 1.2.2 (to overcome some mod_ssl.so issues). Any pointers would be highly appreciated.

       

      [1] http://docs.jboss.org/mod_cluster/1.2.0/html/UsingSSL.html#d0e2944
      [2] http://serverfault.com/questions/429604/securing-ssl-requests-with-mod-cluster
      [3] https://community.jboss.org/message/777305?_sscc=t