6 Replies Latest reply on Sep 9, 2016 3:05 PM by eduarddedu

    Access to the management layer from a remote host

    eduarddedu

      I have installed Wildfly on a virtual private server and I would like to control it from my personal computer. The two machines do not share the same network.


      This is how I'm using Wildfly at the moment.

       

      To start Wildfly I need to ssh into the remote server and invoke the standalone script (prefixing with nohup so the Java process isn't killed after I disconnect from the shell). Additionally, to access the admin page in my browser I need to whitelist all IPs with the -b switch.


      $ nohup ./standalone.sh -bmanagement 0.0.0.0


      This feels a little awkward and not very secure. I don't want the management console to be accessible from all IPs (even with password protection enabled).

       

      Is there a way to configure Wildfly so that only specific external IPs can access the management layer? I tried passing an external IP with the -b option:

       

      ./standalone.sh -bmanagement=_external_ip_address

       

      but Wildfly doesn't like it and starts with errors.

       

      Any help would be greatly appreciated, thanks




        • 1. Re: Access to the management layer from a remote host
          dlofthouse

          If you can connect over SSH why not just tunnel over SSH?

          • 2. Re: Access to the management layer from a remote host
            emag

            "-bmanagement=_external_ip_address" should be supported as well as you can pass 0.0.0.0.

             

            What's the error message you got?

            • 3. Re: Access to the management layer from a remote host
              mchoma

              Eduard, I think there is a misunderstanding of the -bmanagement option on your side. It says which IP WildFly listens on. So if you set -bmanagement=_external_ip_address and _external_ip_address is the IP of your personal computer, it can't work. By saying -bmanagement=0.0.0.0, WildFly will listen on all interfaces of the virtual private server.

               

              So I would recommend not specifying -bmanagement, which is effectively equivalent to -bmanagement=127.0.0.1 (that allows only local access), and, as Darran said, utilizing an SSH tunnel.

              • 4. Re: Access to the management layer from a remote host
                eduarddedu

                Thank you all for your comments.

                 

                Martin Chome, Daren Lofthouse, you are probably right. It's become increasingly clear to me that I should study the documentation more closely to figure this one out (and general topics like socket binding / SSH port forwarding).

                 

                Yoshimasa Tanabe, the error is something along the lines of "Failed to start service network.management ... failed to resolve interface management"

                • 5. Re: Access to the management layer from a remote host
                  emag

                  If it was like the following log, the _external_ip_address you passed is invalid. Please check the machine's NIC IP address.

                  ----

                  02:47:47,638 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service jboss.network.management: org.jboss.msc.service.StartException in service jboss.network.management: WFLYSRV0082: failed to resolve interface management

                      at org.jboss.as.server.services.net.NetworkInterfaceService.start(NetworkInterfaceService.java:91)

                      at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)

                      at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)

                      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

                      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

                      at java.lang.Thread.run(Thread.java:745)

                  ---

                   

                  Of course, you can choose SSH tunneling (and not pass -bmanagement, keeping it bound to localhost), as Marin and Daren said. It's up to your use case.

                  • 6. Re: Access to the management layer from a remote host
                    eduarddedu

                    Port forwarding works and it's super easy to set up. This command, run from the local machine, will do the trick:

                     

                    ssh -L 9990:localhost:9990 [user@]hostname

                     

                    It is then possible to access the admin console in the browser by going to http://localhost:9990/console/App.html

                     

                    Hope it helps someone else.
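
An added example, not part of any poster's reply: a server-side check that the management port from this thread (9990) is bound to loopback only, which is the state the SSH tunnel relies on. It assumes the column layout of Linux `ss -ltn` output; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Reads `ss -ltn` output on stdin and prints every non-loopback address
# that is listening on the given port (default 9990, as in the thread).
nonloopback_listeners() {
    port="${1:-9990}"
    awk -v port="$port" '
        $1 == "LISTEN" {
            laddr = $4                          # e.g. 0.0.0.0:9990 or [::1]:9990
            n = split(laddr, parts, ":")
            if (parts[n] != port) next          # the port is the last field
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)           # strip IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print addr
        }'
}

# Returns 0 when the port is bound to loopback only, 1 when it is exposed.
check_mgmt() {
    exposed=$(nonloopback_listeners "${1:-9990}")
    if [ -n "$exposed" ]; then
        echo "management port reachable on: $exposed"
        return 1
    fi
    echo "management port bound to loopback only"
}

# Constructed sample: server started with -bmanagement 0.0.0.0
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      50     0.0.0.0:9990       0.0.0.0:*
LISTEN 0      50     127.0.0.1:8080     0.0.0.0:*'

# Constructed sample: server started without -bmanagement
SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      50     127.0.0.1:9990     0.0.0.0:*
LISTEN 0      50     [::1]:9990         [::]:*'

printf '%s\n' "$SAMPLE_EXPOSED" | check_mgmt || true
printf '%s\n' "$SAMPLE_LOCAL" | check_mgmt
```

On the server itself, pipe live output into the same function: `ss -ltn | check_mgmt 9990`.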