-
1. Re: SSL and mod_cluster - Security and topology questions
mbabacek Jun 7, 2013 7:28 AM (in response to rylphs)
Hi Raphael,
Your idea is generally correct, the communication can be described as follows:
client's requests:
    clients <--SSL--> balancer <--SSL--> workers
MCMP messages (context configuration, load on each worker etc.):
    balancer <--SSL--> workers
advertising (UDP multicast):
    balancer --> udp_address:port
Let's take a look at the first two cases, for which it makes sense to have encryption and authentication in place:
- You need a CA, a server certificate and a client certificate. Jean described the process in the documentation and I managed to set it up just by following the steps, take a look: Creating CA, server and client certificates.
- Your client, e.g. Firefox, has to have both CA and client certificate imported. One can test with curl as well:
    curl https://raphibox:8888/st/session --cert Client/client.crt --key Client/client.key --cacert Client/myca.crt
  Optionally with --insecure in order to skip certificate validation.
- Your balancer has to have something like this mod_cluster.conf in place. Note the SSLProxyEngine On.
- Your AS7 workers have to be configured in two places: HTTPS connector (client's requests) and mod_cluster subsystem (MCMP communication). See this standalone-ha.xml configuration.
HTH :-)
-
2. Re: SSL and mod_cluster - Security and topology questions
rylphs Jun 7, 2013 9:47 AM (in response to mbabacek)
Hello Michal,
Thanks for your reply. And what if I have
clients <--SSL--> balancer <--HTTP--> workers ?
Although the connections between clients and balancer aren't secured, the connection between the clients and balancer is, right? If it's true I would like to go further and have these two connections (clients-balancer and balancer-worker) in two different networks like:
clients <--SSL(192.168.1.1)--> balancer <--HTTP/AJP(192.168.1.2)--> workers
In this way I could have a private network between balancer and workers and a public one between clients and balancer. Is that possible/viable? How can I have Apache listening on one interface and communicating with workers through another one?
Another question. I have read the mod_cluster docs in the SSL section: http://docs.jboss.org/mod_cluster/1.2.0/html_single/#UsingSSL
It says:
"There are 2 connections between the cluster and the front-end. Both could be encrypted. That chapter describes how to encrypt both connections."
It describes the first as "SSL between JBossWeb and httpd", and the second as "SSL between httpd and JBossWeb". What are these connections? Is the first one for clients' requests and the second one for MCMP messages and advertising?
Thank you!
-
3. Re: SSL and mod_cluster - Security and topology questions
rylphs Jun 10, 2013 9:14 AM (in response to rylphs)
Hello,
I got it working with the following configuration:
Listen 192.168.1.1:6666
CreateBalancers 1

# MCMP receiver, bound only to the private interface shared with the workers
<VirtualHost 192.168.1.1:6666>
    ServerName 192.168.1.1
    EnableMCPMReceive
    <Directory />
        Order deny,allow
        Deny from all
        Allow from 192.168.1.
    </Directory>
    <Location /mod_cluster-manager>
        SetHandler mod_cluster-manager
        Order deny,allow
        Deny from all
        Allow from 192.168.1.
    </Location>
    KeepAliveTimeout 60
    MaxKeepAliveRequests 0
    ServerAdvertise On http://192.168.1.1:6666
    AllowDisplay On
    ManagerBalancerName group1
</VirtualHost>

# Client-facing HTTPS vhost on the public interface, proxying to the balancer group
<VirtualHost 10.100.130.35:443>
    ServerName 10.100.130.35
    ProxyPass / balancer://group1 stickysession=JSESSIONID|jsessionid nofailover=On
    ProxyPassReverse / balancer://group1
    SSLEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>
In that way, although the connection between balancer and JBoss instances is not secured, it is using a different network than the clients and balancer. What do you think about this scenario?
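The interface split in this configuration is worth checking mechanically, because a VirtualHost with EnableMCPMReceive that is reachable from the public side would accept worker registrations from any host that can connect. The helper below is an added example, not code from this thread or from mod_cluster: mcmp_exposure, PRIVATE_CONF and WEAK_CONF are hypothetical names, and both sample configurations are constructed, the first condensed from the post above.

```python
import ipaddress
import re

# Hypothetical helper, not part of mod_cluster or this thread: find every
# <VirtualHost> that accepts MCMP (EnableMCPMReceive) and report it when it is
# bound to a wildcard/public address or lacks a "Deny from all" rule.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def mcmp_exposure(conf: str) -> list:
    """Return one finding per risky MCMP VirtualHost; an empty list means OK."""
    findings = []
    for addr_spec, body in VHOST_RE.findall(conf):
        if not re.search(r"^\s*EnableMCPMReceive\b", body, re.M | re.I):
            continue  # client-facing vhost, MCMP is not accepted here
        for spec in addr_spec.split():
            host = spec.rpartition(":")[0].strip("[]")  # drop the :port part
            if host in ("", "*", "0.0.0.0", "::"):
                findings.append(f"{spec}: MCMP receiver bound to all interfaces")
                continue
            try:
                if not ipaddress.ip_address(host).is_private:
                    findings.append(f"{spec}: MCMP receiver on a public address")
            except ValueError:  # a hostname; cannot tell which interface it is
                findings.append(f"{spec}: MCMP receiver bound by hostname, check it")
        if not re.search(r"^\s*Deny\s+from\s+all\b", body, re.M | re.I):
            findings.append(f"{addr_spec}: no 'Deny from all' guarding the MCMP vhost")
    return findings


# Constructed sample, condensed from the configuration posted above:
# MCMP only on the private 192.168.1.x interface, guarded by Deny/Allow.
PRIVATE_CONF = """
<VirtualHost 192.168.1.1:6666>
    EnableMCPMReceive
    <Directory />
        Order deny,allow
        Deny from all
        Allow from 192.168.1.
    </Directory>
</VirtualHost>
"""

# Constructed weak variant: the receiver listens on every interface, unguarded.
WEAK_CONF = """
<VirtualHost *:6666>
    EnableMCPMReceive
</VirtualHost>
"""
```

A hostname finding is deliberately conservative: the helper does not resolve names, so it only asks you to confirm which interface the name maps to.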
-
4. Re: SSL and mod_cluster - Security and topology questions
jfclere Jun 14, 2013 8:55 AM (in response to rylphs)
That looks OK.
-
5. Re: SSL and mod_cluster - Security and topology questions
rylphs Jun 14, 2013 12:55 PM (in response to jfclere)
Thanks Jean,
It wasn't clear to me how mod-cluster chooses the interface that will answer for http requests going to jboss instances. Now I understand that CreateBalancers, ProxyPass and ProxyPassReverse control that. I just don't understand what exactly "CreateBalancers 2" does. The mod-cluster doc says: "Create only the main server". What does it mean with "main server"?
-
6. Re: SSL and mod_cluster - Security and topology questions
jfclere Jun 18, 2013 8:33 AM (in response to rylphs)
The main server is the server processing requests that don't belong to any VirtualHost; it is always there, and the VirtualHosts are children of it.
-
7. Re: SSL and mod_cluster - Security and topology questions
rylphs Jun 18, 2013 10:09 AM (in response to jfclere)
Thanks Jean, this answers my question.