4 Replies Latest reply on Aug 30, 2013 5:54 AM by rabmcgill

    mod_cluster httpd configuration

    rabmcgill

      Hi,

      I am trying to set up mod_cluster 1.2.4 on jboss-ews-2.0  -> eap 6.1 and I have some questions.

       

      1. The apache needs to accept http and https requests. Do I set up separate virtual hosts and proxy to the mod_cluster virtual host -

       

      Listen 80
      Listen 443
      Listen 6666

      <VirtualHost :80>
               ProxyPass / balancer://mycluster stickysession=JSESSIONID|jsessionid nofailover=On
               ProxyPassReverse / balancer://mycluster
               ProxyPreserveHost On
      </VirtualHost>

      <VirtualHost :443>
               ProxyPass / balancer://mycluster stickysession=JSESSIONID|jsessionid nofailover=On
               ProxyPassReverse / balancer://mycluster

               SSLEngine on
               SSLProtocol all -SSLv2
               SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
               SSLCertificateFile /opt/jboss-ews-2.0/httpd/conf.d/ssl.certs/s1b.internal.standardlife.com.crt
               SSLCertificateKeyFile /opt/jboss-ews-2.0/httpd/conf.d/ssl.key/s1b.internal.standardlife.com.key_nopassphrase

               SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
               <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                   SSLOptions +StdEnvVars
               </Files>
               <Directory "/var/www/cgi-bin">
                   SSLOptions +StdEnvVars
               </Directory>
      </VirtualHost>

      <VirtualHost :6666>
               <Directory />
               Order deny,allow
               Deny from all
               #Allow from 127.0.0.1
               Allow from all
               </Directory>

               KeepAliveTimeout 60
               MaxKeepAliveRequests 0
               ManagerBalancerName mycluster
               ServerAdvertise On
               AdvertiseFrequency 5
               EnableMCPMReceive On

               <Location /mod_cluster-manager>
               SetHandler mod_cluster-manager
               Order deny,allow
               Deny from all
               #Allow from 127.0.0.1
               Allow from all
               </Location>
      </VirtualHost>

       

       

      This sort of works if I try to go to

      http://mydomain:6666/mod_cluster-manager it is fine

      but if I go to http://mydomain/mod_cluster-manager it fails with 500 error.

       

      If I go to a valid jboss application

      http://mydomain:80/ClusterWebApp/

      or

      https://mydomain:443/ClusterWebApp/

      it works

      But if I go to an invalid (missing) page e.g.

      https://mydomain:443/xxx

      Internal Server Error 500.

      I would like a nice 404 page, like I get if I go to http://mydomain:6666/xxx

       

       

      2. If the Apache is on a different box from the Application Server, should I restrict access to the 6666 port in the Allow directive to just the JBoss servers?

       

      3. If I were to secure the communication between httpd/mod_cluster and JBoss (via SSL), will both the HTTP and HTTPS be encrypted to the back-end server? Is there any way to just have the HTTPS traffic encrypted and the HTTP unencrypted?

       

      Thanks.

      Rab.

        • 1. Re: mod_cluster httpd configuration
          rhusar

          Hey Rab, welcome to the forums!

           

          1. Different vhosts -- seems about right.

           

          nofailover=On

          What's the reason to disable high-availability?

           

          but if I go to http://mydomain/mod_cluster-manager it fails with 500 error.

          Yeah, you don't want to expose that publicly!

           

          Regarding the 500, what are the error logs saying?

           

          2. Correct, only allow from the JBoss servers' addresses, or rather a range, to be able to add nodes dynamically.

           

          You can also add an advertise security key to sign the advertisements.

           

          3. Not sure.

          • 2. Re: mod_cluster httpd configuration
            rabmcgill

            Hi Radoslav,

            Thanks for the quick reply.

             

            1. nofailover=On, A mistake, thanks.

             

            In the error logs for the 500  -

            [Thu Aug 29 17:56:33 2013] [warn] proxy: No protocol handler was valid for the URL /xxx. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

             

            These are the modules I have

            grep ^Load /opt/jboss-ews-2.0/httpd/conf/httpd.conf

            LoadModule auth_basic_module /opt/jboss-ews-2.0/httpd/modules/mod_auth_basic.so
            LoadModule auth_digest_module /opt/jboss-ews-2.0/httpd/modules/mod_auth_digest.so
            LoadModule authn_file_module /opt/jboss-ews-2.0/httpd/modules/mod_authn_file.so
            LoadModule authn_alias_module /opt/jboss-ews-2.0/httpd/modules/mod_authn_alias.so
            LoadModule authn_anon_module /opt/jboss-ews-2.0/httpd/modules/mod_authn_anon.so
            LoadModule authn_dbm_module /opt/jboss-ews-2.0/httpd/modules/mod_authn_dbm.so
            LoadModule authn_default_module /opt/jboss-ews-2.0/httpd/modules/mod_authn_default.so
            LoadModule authz_host_module /opt/jboss-ews-2.0/httpd/modules/mod_authz_host.so
            LoadModule authz_user_module /opt/jboss-ews-2.0/httpd/modules/mod_authz_user.so
            LoadModule authz_owner_module /opt/jboss-ews-2.0/httpd/modules/mod_authz_owner.so
            LoadModule authz_groupfile_module /opt/jboss-ews-2.0/httpd/modules/mod_authz_groupfile.so
            LoadModule authz_dbm_module /opt/jboss-ews-2.0/httpd/modules/mod_authz_dbm.so
            LoadModule authz_default_module /opt/jboss-ews-2.0/httpd/modules/mod_authz_default.so
            LoadModule ldap_module /opt/jboss-ews-2.0/httpd/modules/mod_ldap.so
            LoadModule authnz_ldap_module /opt/jboss-ews-2.0/httpd/modules/mod_authnz_ldap.so
            LoadModule include_module /opt/jboss-ews-2.0/httpd/modules/mod_include.so
            LoadModule log_config_module /opt/jboss-ews-2.0/httpd/modules/mod_log_config.so
            LoadModule logio_module /opt/jboss-ews-2.0/httpd/modules/mod_logio.so
            LoadModule env_module /opt/jboss-ews-2.0/httpd/modules/mod_env.so
            LoadModule ext_filter_module /opt/jboss-ews-2.0/httpd/modules/mod_ext_filter.so
            LoadModule mime_magic_module /opt/jboss-ews-2.0/httpd/modules/mod_mime_magic.so
            LoadModule expires_module /opt/jboss-ews-2.0/httpd/modules/mod_expires.so
            LoadModule deflate_module /opt/jboss-ews-2.0/httpd/modules/mod_deflate.so
            LoadModule headers_module /opt/jboss-ews-2.0/httpd/modules/mod_headers.so
            LoadModule usertrack_module /opt/jboss-ews-2.0/httpd/modules/mod_usertrack.so
            LoadModule setenvif_module /opt/jboss-ews-2.0/httpd/modules/mod_setenvif.so
            LoadModule mime_module /opt/jboss-ews-2.0/httpd/modules/mod_mime.so
            LoadModule dav_module /opt/jboss-ews-2.0/httpd/modules/mod_dav.so
            LoadModule status_module /opt/jboss-ews-2.0/httpd/modules/mod_status.so
            LoadModule autoindex_module /opt/jboss-ews-2.0/httpd/modules/mod_autoindex.so
            LoadModule info_module /opt/jboss-ews-2.0/httpd/modules/mod_info.so
            LoadModule dav_fs_module /opt/jboss-ews-2.0/httpd/modules/mod_dav_fs.so
            LoadModule vhost_alias_module /opt/jboss-ews-2.0/httpd/modules/mod_vhost_alias.so
            LoadModule negotiation_module /opt/jboss-ews-2.0/httpd/modules/mod_negotiation.so
            LoadModule dir_module /opt/jboss-ews-2.0/httpd/modules/mod_dir.so
            LoadModule actions_module /opt/jboss-ews-2.0/httpd/modules/mod_actions.so
            LoadModule speling_module /opt/jboss-ews-2.0/httpd/modules/mod_speling.so
            LoadModule userdir_module /opt/jboss-ews-2.0/httpd/modules/mod_userdir.so
            LoadModule alias_module /opt/jboss-ews-2.0/httpd/modules/mod_alias.so
            LoadModule rewrite_module /opt/jboss-ews-2.0/httpd/modules/mod_rewrite.so
            LoadModule proxy_module /opt/jboss-ews-2.0/httpd/modules/mod_proxy.so
            LoadModule proxy_ftp_module /opt/jboss-ews-2.0/httpd/modules/mod_proxy_ftp.so
            LoadModule proxy_http_module /opt/jboss-ews-2.0/httpd/modules/mod_proxy_http.so
            LoadModule proxy_connect_module /opt/jboss-ews-2.0/httpd/modules/mod_proxy_connect.so
            LoadModule cache_module /opt/jboss-ews-2.0/httpd/modules/mod_cache.so
            LoadModule suexec_module /opt/jboss-ews-2.0/httpd/modules/mod_suexec.so
            LoadModule disk_cache_module /opt/jboss-ews-2.0/httpd/modules/mod_disk_cache.so
            LoadModule cgi_module /opt/jboss-ews-2.0/httpd/modules/mod_cgi.so
            LoadModule proxy_cluster_module /opt/jboss-ews-2.0/httpd/modules/mod_proxy_cluster.so
            LoadModule slotmem_module /opt/jboss-ews-2.0/httpd/modules/mod_slotmem.so
            LoadModule manager_module /opt/jboss-ews-2.0/httpd/modules/mod_manager.so
            LoadModule advertise_module /opt/jboss-ews-2.0/httpd/modules/mod_advertise.so

             

             

            2. Thanks.

             

            3. Not a big issue. thanks.

            • 3. Re: mod_cluster httpd configuration
              rhusar

              You are missing this module:

               

              LoadModule proxy_ajp_module /opt/jboss-ews-2.0/httpd/modules/mod_proxy_ajp.so

               

              (or change your EAP6 to use HTTP connector instead, but I would not recommend that)

              • 4. Re: mod_cluster httpd configuration
                rabmcgill

                Hi,

                Thanks for the suggestion but it looks like it is loaded -

                apachectl -t -D DUMP_MODULES

                Loaded Modules:
                ...
                proxy_ajp_module (shared)
                ...

                 

                And if I add it to httpd.conf I get in the error log -

                [Fri Aug 30 10:05:15 2013] [warn] module proxy_ajp_module is already loaded, skipping

                 

                 

                I have found this though

                http://googolflex.com/?p=492

                adding a trailing slash to the balancer -

                ProxyPass / balancer://mycluster/ stickysession=JSESSIONID|jsessionid

                ProxyPassReverse / balancer://mycluster/

                 

                My valid jboss application

                http://mydomain:80/ClusterWebApp/

                still works

                 

                And now I get a 503 if I go to a non-existent page (http://mydomain/xxx)

                 

                and in the logs

                [Fri Aug 30 10:30:13 2013] [error] proxy: CLUSTER: (balancer://mycluster). All workers are in error state

                 

                Slightly better than a 500, but a 403 would be better.

                 

                Any thoughts on what is going on here and how I can handle this in a more elegant way?
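
An added example, not part of any post in this thread: a small Python audit of an httpd configuration for the points raised in the replies above (open access on the MCPM/manager virtual host, advertisements without an AdvertiseSecurityKey, ProxyPass arguments that disagree on the trailing slash, nofailover=On). The sample configuration is constructed from the one posted; `audit` and `check_vhost` are hypothetical helper names.

```python
import re

# Constructed sample, modelled on the configuration posted in this thread.
SAMPLE = """\
<VirtualHost *:80>
    ProxyPass / balancer://mycluster stickysession=JSESSIONID|jsessionid nofailover=On
    ProxyPassReverse / balancer://mycluster
</VirtualHost>
<VirtualHost *:6666>
    ServerAdvertise On
    EnableMCPMReceive On
    <Location /mod_cluster-manager>
        SetHandler mod_cluster-manager
        Order deny,allow
        Deny from all
        #Allow from 127.0.0.1
        Allow from all
    </Location>
</VirtualHost>
"""

def check_vhost(body):
    """Checks for one virtual host; body is a list of normalised directive lines."""
    low, out = [d.lower() for d in body], []
    mcpm = "enablemcpmreceive on" in low or "sethandler mod_cluster-manager" in low
    if mcpm and "allow from all" in low:
        out.append("MCPM/manager access is open to all clients")
    if "serveradvertise on" in low and not any(d.startswith("advertisesecuritykey ") for d in low):
        out.append("advertisements are unsigned (no AdvertiseSecurityKey)")
    for d in body:
        p = d.split()
        if p[0].lower() in ("proxypass", "proxypassreverse") and len(p) > 2:
            if p[2].startswith("balancer://") and p[1].endswith("/") != p[2].endswith("/"):
                out.append(f"{p[0]}: trailing slash mismatch ({p[1]} vs {p[2]})")
            if "nofailover=on" in d.lower():
                out.append("nofailover=On set on a balancer")
    return out

def audit(conf):
    """Return (vhost, finding) pairs for every <VirtualHost> block in conf."""
    findings = []
    for vhost, block in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.I | re.S):
        body = [" ".join(raw.split()) for raw in block.splitlines()]
        body = [d for d in body if d and not d.startswith("#")]
        findings += [(vhost.strip(), f) for f in check_vhost(body)]
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The checks are per virtual host, so an `Allow from all` in an ordinary front-end virtual host is not reported; only one that also receives MCPM messages or serves the mod_cluster-manager handler is.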