1 2 Previous Next 29 Replies Latest reply on Jan 3, 2017 3:46 AM by mchoma

    How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04

    darckyn

      Hi there.

       

      I'm trying to make the wildfly work on ubuntu in production.

       

      I was able to make it work with its standard 8080 and 8443 ports, and managed to redirect ports 80 to 8080 and 443 to 8443 using iptables from ubuntu.

       

      But when performing this redirection, the page opens in https but the h2 protocol (HTTP / 2) and gzip do not work. If I go direct in the standard wildfly protocol (www.example.com:8443) gzip and h2 work perfectly.

       

      Here is the iptables redirect command:

       

      Iptables -t nat -A PREROUTING -i eth0 -p tcp -dport 80 -j REDIRECT --to-port 8080

       

      Iptables -t nat -A PREROUTING -i eth0 -p tcp -dport 443 -j REDIRECT --to-port 8443

       

       

      I've tried using nginx to do the redirect and the same problem happens. I also tried configuring wildfly to use port 80 and 443 directly but Ubuntu does not allow it.

       

      I have the following status in firewall: https://i.stack.imgur.com/7lppo.png

       

      If there is a way to make the wildfly in port 80 and 443 or make the redirect work in h2 and gzip, it will be awesome!

       

      System:

       

      Ubuntu : 16.04.1

      Wildfly : 10.1.0.Final

       

      Please help me solve this problem.

       

      Thank you very much.

        • 1. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
          mchoma

          I also tried configuring wildfly to use port 80 and 443 directly but Ubuntu does not allow it.

          Does that mean there is already bind process to ports 80 and 443 (some web server; e.g. Apache)? You can stop that process, as you are stealing traffic for ports 80/443, anyway.

          1 of 1 people found this helpful
          • 2. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
            mayerw01

            Port numbers less than 1024 are reserved for use by privileged processes on UNIX (see also Running JBoss on Port 80 or 443 )

            1 of 1 people found this helpful
            • 3. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
              ctomc

              What does your selinux say?

               

              /var/log/audit.log?

              1 of 1 people found this helpful
              • 4. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
                darckyn

                Hi Wolfgang Mayer.

                 

                I already tried to do what is in the link but it does not work in wildfly 10 (besides the tutorial is old).

                Please could you instruct me in making wildfly use ports 80 and 443 using Unix administrative users ???

                 

                Thx.

                • 5. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
                  darckyn

                  Hi Martin Choma.

                   

                  I do not have any other server / application / service running on port 80 or 443, just the wildfly, but should I have?

                  Should I use a server like nginx or apache to do the redirect to wildfly and solve this problem?

                  And if I should use, how do I configure this additional server and the wildfly?

                   

                  Thx.

                  • 6. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
                    darckyn

                    Hi Tomaz Cerar.

                     

                    Here is some info of my log:

                     

                    Line 527: Dec 19 11:46:24 server-app-ny1 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/ufw allow 8080

                      Line 1603: Dec 20 10:06:29 server-app-ny1 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/iptables -D PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

                      Line 3937: Dec 21 10:19:33 server-app-ny1 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080

                      Line 4385: Dec 21 13:49:57 server-app-ny1 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/iptables -A PREROUTING -t nat -p all --dport 80 -j REDIRECT --to-port 8080

                     

                    Line 425: Dec 19 11:21:04 server-app-ny1 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/ufw allow 8443

                      Line 434: Dec 19 11:21:43 server-app-ny1 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/ufw allow 8443

                      Line 3940: Dec 21 10:19:55 server-app-ny1 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port 8443

                     

                     

                    If you need more information please do not hesitate to ask.

                     

                    Thx.

                    • 7. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
                      mayerw01

                      It is true that the above document is pretty old. But neverthess this statemen is still true: You need to run the process as privileged user (root) if you want to use ports less than 1024. Otherwise you will get a java.net.SocketException: Permission denied. It looks like this is required by W3C (Privileged Ports ):

                      "The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feaure, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you."

                       

                      To test this and run wildfly as privileged user is quite easy.

                      Just enter:

                       

                      sudo ${pathToWildFly}/bin/standalone.sh

                      • 8. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
                        darckyn

                        Hi Wolfgang Mayer

                         

                        Thank you very much for responding.

                         

                        I'm having a lot of trouble making the wildfly access port 80 and 443 ...

                         

                        I have now tried your command and even then the ports 80 and 443 have been denied.

                        I followed a tutorial to install wildfly as a service and would like to know how do I run this service with access to the privileged ports?

                         

                        Here is the tutorial (unfortunately the page I was staying in I could not find and the author of the tutorial):

                         

                        -----------------------------------------------------------------

                         

                        These are my notes for installing JBoss WildFly 10.0.0.Final

                         

                         

                        Elevate to root:

                        sudo -s

                         

                         

                        Install Java JDK 8:

                        aptitude update

                        aptitude install --with-recommends software-properties-common

                        add-apt-repository ppa:webupd8team/java

                        aptitude update

                        aptitude --with-recommends install oracle-java8-installer vim

                         

                         

                        Verify your java install

                        java -version

                         

                         

                        Should get out put of something like

                        java version "1.8.0_72"

                        Java(TM) SE Runtime Environment (build 1.8.0_72-b15)

                        Java HotSpot(TM) 64-Bit Server VM (build 25.72-b15, mixed mode

                         

                         

                        Create a user acount on the system for wildfly:

                        adduser --no-create-home --disabled-password --disabled-login wildfly

                         

                         

                        Download WildFly:

                        cd /srv

                        wget --tries=0 --continue http://download.jboss.org/wildfly/10.0.0.Final/wildfly-10.0.0.Final.tar.gz

                         

                         

                        Extract WildFly:

                        tar -xzvf wildfly-10.0.0.Final.tar.gz

                         

                         

                        Make a symbolic link to new folder:

                        ln -s wildfly-10.0.0.Final wildfly

                         

                         

                        Change ownership of directory and symbolic link to wildfly:

                        chown -R wildfly.wildfly wildfly*

                         

                         

                        Now, while WildFly 10 doesn’t ship as a .deb (which would be awesome!) it does provide a sample init script to get you going on Debian like/based systems of which Ubuntu is one. So, let’s copy that script to the /etc/init.d directory:

                        cp /srv/wildfly/docs/contrib/scripts/init.d/wildfly-init-debian.sh /etc/init.d/wildfly

                         

                         

                        Run update-rc.d to ensure wildfly starts on reboot:

                        update-rc.d /etc/init.d/wildfly defaults

                         

                         

                        And, copy the wildfly.conf file to /etc/default:

                        cp /srv/wildfly/docs/contrib/scripts/init.d/wildfly.conf /etc/default/wildfly

                        cd /etc/default

                         

                         

                        Edit the file that contains the settings/options for the setup script:

                        vi wildfly <– Or, editor of your choice

                         

                         

                        Uncomment and/or Edit the following lines:

                        JBOSS_HOME="/srv/wildfly"

                        JBOSS_USER=wildfly

                        JBOSS_MODE=standalone

                        JBOSS_CONFIG=standalone-full.xml — Change configuration file name in order to run full Java EE 7 Stack

                        STARTUP_WAIT=120 –Probably overkill wait time

                        SHUTDOWN_WAIT=120 –Probably overkill wait time

                        JBOSS_CONSOLE_LOG="/var/log/wildfly/console.log"

                         

                         

                        Try out the init.d and wildfly.conf settings and make sure the service can start:

                        service wildfly start

                         

                         

                        Shut the wildfly service down and lets make some edits/customizations:

                        service wildfly stop

                        cd /srv/wildfly/standalone/configuration

                        cp standalone-full.xml standalone-full.xml.original #<– Always backup before edits!

                         

                         

                        By default WildFly seems to only listen on 127.0.0.1. To make it listen on all interfaces we have to edit the standalone-full.xml (recall we are using the standalone-full.xml per the /etc/default/wildfly configuration file above) file and change each instance of “127.0.0.1” to “0.0.0.0” in the file. Just use find and replace in your editor to do this. I use vim so…

                         

                         

                        vi standalone-full.xml

                        :%s/127.0.0.1/0.0.0.0/g

                        :wq

                         

                         

                        Start or restart Wildfly

                        service wildfly start

                         

                         

                        With WildFly running add a “Management User” and remember your credentials!!!

                        cd /srv/wildfly/bin

                        ./add-user.sh

                         

                         

                        That’s it. You now have a basic WildFly 10 install and can reach it and configure further with any browser using the “Management User” credentials you setup above.

                        http://yourserver:9990/

                        • 9. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
                          mayerw01

                          Hi Rodrigo,

                           

                          I am not sure understanding your issue correctly. But I cannot believe thay you really get an access denied when starting standalone.sh as superuser root.

                          What exactly did you do and which errors did you get?

                          There are quite a few pages in the internet which explain how to install Wildfly as a service. But I'd suggest to refer to your $JBOSS_HOME/docs/contrib/scripts/ directory.

                          The set up is almost self explaining. Where do you run into trouble?

                          You have usually 2 options:

                          1. install WildFly as a systemd service via  systemctl
                          2. install WildFly under control of init

                          When using systemd you probably need to change the user in the /etc/systemd/system/wildfly.service to 'root'.

                          As mentioned in the start script the process must be started via the root like

                               sudo service wildfly start

                           

                          Regards

                          Wolfgang

                          1 of 1 people found this helpful
                          • 10. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
                            darckyn

                            Hi Wolfgang.

                             

                            thx for the help

                             

                            I managed to run the server directly on ports 8080 and 443 using sistemd (init.d could not be done on port 80 and 443).

                             

                            But I still have the initial problem, which is http2 and gzpi that do not work if I use port 443.

                            I thought if I directed the wildfly directly to port 443 it would work but that was not the case.

                             

                            On port 8443 http2 and gzip work, but in the port 443 it does not work.

                             

                            Is it missing any configuration in wildfly or ubuntu?

                             

                            Here is the standalone-full.xml server configuration (I use the full configuration rather than the default).

                             

                            STANDALONE-FULL.XML

                            ....

                             

                            <security-realm name="ApplicationRealm">

                                            <server-identities>

                                                <ssl>

                                                    <keystore path="letsencrypt.jks" relative-to="jboss.server.config.dir" keystore-password="log1me2in3"/>

                                                </ssl>

                                            </server-identities>

                                            <authentication>

                                                <local default-user="$local" allowed-users="*" skip-group-loading="true"/>

                                                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>

                                            </authentication>

                                            <authorization>

                                                <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>

                                            </authorization>

                                        </security-realm>

                             

                            .....

                             

                             

                            <subsystem xmlns="urn:jboss:domain:undertow:3.1">

                                        <buffer-cache name="default"/>

                                        <server name="default-server">

                                            <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>

                                            <https-listener name="https" socket-binding="https" secure="true" security-realm="ApplicationRealm" enable-http2="true"/>

                                            <host name="default-host" alias="localhost">

                                                <location name="/" handler="welcome-content"/>

                                                <filter-ref name="custom-max-age" predicate="path-prefix('/javax.faces.resource/') or path-suffix('.js') or path-suffix ('.js.xhtml') or path-suffix ('.json') or  path-suffix ('.json.xhtml') or path-suffix ('.html') or path-suffix ('.css') or path-suffix ('.css.xhtml') or  path-suffix ('.jpg') or path-suffix ('.jpg.xhtml') or path-suffix ('.jpeg') or path-suffix ('.jpeg.xhtml') or path-suffix ('.png') or path-suffix ('.png.xhtml') or path-suffix ('.gif') or path-suffix ('.gif.xhtml') or path-suffix ('.eot') or path-suffix ('.eot.xhtml') or path-suffix ('.ttf') or path-suffix ('.ttf.xhtml') or path-suffix ('.woff') or path-suffix ('.woff.xhtml') or path-suffix ('.woff2') or path-suffix ('.woff2.xhtml')"/>

                                                <filter-ref name="gzipFilter" predicate="exists('%{o,Content-Type}') and regex(pattern='(?:application/javascript|text/css|text/html|text/xml|application/json)(;.*)?', value=%{o,Content-Type}, full-match=true)"/>

                                                <filter-ref name="Vary-header"/>

                                                <filter-ref name="server-header"/>

                                                <filter-ref name="x-powered-by-header"/>

                                            </host>

                                        </server>

                                        <servlet-container name="default" allow-non-standard-wrappers="true" default-encoding="UTF-8" use-listener-encoding="true">

                                            <jsp-config/>

                                            <websockets/>

                                        </servlet-container>

                                        <handlers>

                                            <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>

                                        </handlers>

                                        <filters>

                                            <response-header name="custom-max-age" header-name="Cache-Control" header-value="max-age=64800000, public"/>

                                            <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>

                                            <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>

                                            <response-header name="Vary-header" header-name="Vary" header-value="Accept-Encoding"/>

                                            <gzip name="gzipFilter"/>

                                        </filters>

                                    </subsystem>

                             

                            .....

                             

                             

                            <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">

                                    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>

                                    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>

                                    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>

                                    <socket-binding name="http" port="${jboss.ajp.port:80}"/>

                                    <socket-binding name="https" port="${jboss.ajp.port:443}"/>

                                    <socket-binding name="iiop" interface="unsecure" port="3528"/>

                                    <socket-binding name="iiop-ssl" interface="unsecure" port="3529"/>

                                    <socket-binding name="txn-recovery-environment" port="4712"/>

                                    <socket-binding name="txn-status-manager" port="4713"/>

                                    <outbound-socket-binding name="mail-smtp">

                                        <remote-destination host="localhost" port="25"/>

                                    </outbound-socket-binding>

                                </socket-binding-group>

                             

                             

                             

                            JBOSS-WEB.XML:

                             

                            <?xml version="1.0" encoding="UTF-8"?>

                            <jboss-web xmlns="http://www.jboss.com/xml/ns/javaee">

                              <context-root/>

                            </jboss-web>

                            • 11. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
                              mayerw01

                              So is your problem not related to the privileged ports but to http/2?

                              If yes, which problems do you get and which JDK do you use?

                              According to the undertow page Using HTTP2 With Wildfly 9.0.0.Beta1 · JBoss Community  I understand that alpn neeeds to be installed separately since it is not supported in JDK8.

                              1 of 1 people found this helpful
                              • 12. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
                                ctomc

                                Wolfgang Mayer wrote:

                                 

                                So is your problem not related to the privileged ports but to http/2?

                                If yes, which problems do you get and which JDK do you use?

                                According to the undertow page Using HTTP2 With Wildfly 9.0.0.Beta1 · JBoss Community I understand that alpn neeeds to be installed separately since it is not supported in JDK8.

                                That is no longer needed since 10.1.0.Final as long as you are using "supported" JDK.

                                1 of 1 people found this helpful
                                • 13. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
                                  darckyn

                                  Thanks a lot for the help Wolfgang

                                   

                                  I just completed the tutorial but did not succeed to activate the http2 protocol.

                                   

                                  The java version I have is this:

                                  java-version.JPG

                                   

                                   

                                  And according to this page the alpn version would be at 8.1.9.v20160720:

                                  https://www.codatlas.com/github.com/eclipse/jetty.project/jetty-9.4.x/jetty-alpn/jetty-alpn-server/src/main/config/modules/alpn-impl/alpn-1.8.0_111.mod

                                   

                                   

                                  I tried to execute a command to see if it works but I have the following error:

                                  java-xboot.JPG

                                   

                                  And even with the setting inside the wildfly in standalone.conf it does not run on http2.

                                   

                                    JAVA_OPTS="-Xms128m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Xbootclasspath/p:$JBOSS_HOME/bin/alpn-boot-8.1.9.v20160720.jar"

                                  Please help me solve this problem.

                                   

                                  thx.

                                  • 14. Re: How to make Wildfly 10.1.0 work in port 80 and 443 (SSL) with h2 (HTTP/2) protocol in Linux Ubuntu 16.04
                                    darckyn

                                    Tomaz Cerar escreveu:

                                     

                                    Wolfgang Mayer wrote:

                                     

                                    So is your problem not related to the privileged ports but to http/2?

                                    If yes, which problems do you get and which JDK do you use?

                                    According to the undertow page Using HTTP2 With Wildfly 9.0.0.Beta1 · JBoss Community I understand that alpn neeeds to be installed separately since it is not supported in JDK8.

                                    That is no longer needed since 10.1.0.Final as long as you are using "supported" JDK.

                                     

                                    Hi Tomaz.

                                     

                                    Thanks for the help.

                                     

                                    What is the supported JDK?

                                    What version of java should I install in ubuntu?

                                     

                                    Remembering that if I use port 8443 instead of 443 in the browser (Chrome, Firefox, Edge, the respose is the same) then http2 works (I do not know why this happens).

                                    1 2 Previous Next