http to https redirection whilst using mod_cluster
steljboss Jan 15, 2013 12:46 PM
I had a very simple setup of 2 httpd+mod_cluster and 2 jboss 7.1.1 servers. The first 2 loadbalance & failover requests (sticky) on the 2 jboss servers.
The Apache servers only had port 80 available to bind to and hence for that purpose I configured.
httpd.conf
    Listen 192.168.5.54:80
    <VirtualHost 192.168.5.54:80>
        <Directory />
            Order deny,allow
            Allow from all
        </Directory>
        <Location /mod_cluster-manager>
            SetHandler mod_cluster-manager
            Order deny,allow
            Allow from 192.168.5.54
        </Location>
        KeepAliveTimeout 60
        ManagerBalancerName mycluster
        ServerAdvertise Off
        EnableMCPMReceive
    </VirtualHost>
jboss standalone-ha.xml (with TCP for the comms between server<-->httpd for the mod_cluster, i.e. jboss.mod_cluster.proxyList=192.168.5.54:80,192.168.5.55:80)
    <subsystem xmlns="urn:jboss:domain:modcluster:1.0">
        <mod-cluster-config advertise-socket="modcluster"
                            proxy-list="${jboss.mod_cluster.proxyList:192.168.5.54:80,192.168.5.55:80}"
                            domain="${jboss.domain:DefaultPortalDomain}"
                            excluded-contexts="invoker,jbossws,juddi,console"
                            sticky-session="true">
            <dynamic-load-provider>
                <load-metric type="busyness"/>
            </dynamic-load-provider>
        </mod-cluster-config>
    </subsystem>
That works like a charm BUT now I am required to redirect all HTTP requests arriving on httpd+mod_cluster to HTTPS. I do not wish to get the certificates all the way to the JBoss servers and simply want to handle the SSL handshake on the Apache server, but my configuration does not seem to work. Any thoughts?
The problems I am having are
a) With Option A (described below): if the VirtualHost on 80 always redirects to the VirtualHost on 443, then on which VirtualHost do I configure the mod_cluster (on 443 or on another?) and where will the TCP server<-->httpd comms for the mod_cluster be configured to? (in both apache servers, only IP changes)
    <VirtualHost 192.168.5.54:80>
        <Directory />
            Order deny,allow
            Allow from all
        </Directory>
        Redirect permanent / https://192.168.5.54:443/
        # or
        #RewriteEngine on
        #RewriteCond %{SERVER_PORT} 80
        #RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
    </VirtualHost>
and then the Virtual Host for the mod_cluster
    # MOD_CLUSTER_ADDS
    <IfModule manager_module>
        Listen 192.168.5.54:443
        ManagerBalancerName STELIOS-LOCAL-CLUSTER
        Maxsessionid 5000
        <VirtualHost 192.168.5.54:443>
            <Location />
                Order deny,allow
                Deny from all
                Allow from 192.168.5.54
            </Location>
            KeepAliveTimeout 300
            MaxKeepAliveRequests 0
            EnableMCPMReceive
            AllowDisplay on
            <Location /mod_cluster_manager>
                SetHandler mod_cluster-manager
                Order deny,allow
                Deny from all
                Allow from 192.168.5.54
            </Location>
            SSLEngine on
            SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
            SSLCertificateFile "C:/httpd-2.2/conf/server.crt"
            SSLCertificateKeyFile "C:/httpd-2.2/conf/server.pem"
        </VirtualHost>
    </IfModule>
but that means that my servers will have to communicate with the mod_cluster in apache via https. I have not created the certificates; these are given to me, so I am not sure if I can set up SSL between JBossWEB --> httpd [1][2]
b) With Option B: as I have seen here [3], the problems are that a different port is used in the mod_cluster VirtualHost (i.e. <VirtualHost 127.0.0.1:6666>) and the redirection between 80 --> 443 does not seem to include that VirtualHost anywhere. Hence, as I see it, standalone-ha.xml would have to configure the mod-cluster subsystem to communicate on 6666, BUT when requests arrive on 80 they can never get loadbalanced, as they are never directed to 6666.
I am using mod_cluster 1.2.2 (to overcome some mod_ssl.so issues). Any pointers would be highly appreciated.
[1] http://docs.jboss.org/mod_cluster/1.2.0/html/UsingSSL.html#d0e2944
[2] http://serverfault.com/questions/429604/securing-ssl-requests-with-mod-cluster
[3] https://community.jboss.org/message/777305?_sscc=t