4 Replies Latest reply on Sep 14, 2017 2:32 PM by gir489

    Multiple IP/Multiple SSL configs lead to 404 on anything but main IP/SSL combo.

    gir489 Newbie

      I'm trying to implement SSL the same way we had it on JBoss 4, having it return a different SSL certificate based on the domain the user is coming from.

       

      I found the following tutorial on google: Programming Notes and Examples: Wildfly Multiple IP and Multiple SSL Certificate

       

      But whenever I attempt to access .81-.83, I get the SSL certificate back, but then I get a 404. It doesn't seem to be forwarding the request to our web.xml defined struts action. If I connect to it on .80, I get the mainsite SSL certificate, and everything works fine.

       

      Here are the relevant bits of standalone.xml:

       

      <?xml version='1.0' encoding='UTF-8'?>
      <server xmlns="urn:jboss:domain:4.0">
          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <local default-user="$local" skip-group-loading="true"/>
                          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                      <authorization map-groups-to-roles="false">
                          <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                      </authorization>
                  </security-realm>
                  <security-realm name="ApplicationRealm">
                      <authentication>
                          <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                          <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                      <authorization>
                          <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                      </authorization>
                  </security-realm>
                  <security-realm name="main">
                      <server-identities>
                          <ssl>
                              <keystore path="Keystores/mainhost.jks" relative-to="jboss.home.dir" keystore-password="testpassword"/>
                          </ssl>
                      </server-identities>
                  </security-realm>
                  <security-realm name="site1">
                      <server-identities>
                          <ssl>
                              <keystore path="Keystores/site1.jks" relative-to="jboss.home.dir" keystore-password="testpassword"/>
                          </ssl>
                      </server-identities>
                  </security-realm>
                  <security-realm name="site2">
                      <server-identities>
                          <ssl>
                              <keystore path="Keystores/site2.jks" relative-to="jboss.home.dir" keystore-password="testpassword"/>
                          </ssl>
                      </server-identities>
                  </security-realm>
                  <security-realm name="site3">
                      <server-identities>
                          <ssl>
                              <keystore path="Keystores/site3.jks" relative-to="jboss.home.dir" keystore-password="testpassword"/>
                          </ssl>
                      </server-identities>
                  </security-realm>
              </security-realms>
          </management>
          <profile>
              <subsystem xmlns="urn:jboss:domain:undertow:3.0" instance-id="supercoolwebsite" >
                  <buffer-cache name="default"/>
                  <server name="default-server">
                      <http-listener name="default" max-parameters="10000" socket-binding="http" redirect-socket="https" />
                      <https-listener name="https" max-parameters="10000" security-realm="main" socket-binding="https"/>
                      <host name="default-host" alias="localhost">
                          <access-log prefix="access." directory="./server/standalone/log"/>
                          <filter-ref name="404-handler" predicate="true"/>
                      </host>
                  </server>
                  <server name="site1_server">
                      <http-listener name="http_site1" max-parameters="10000" socket-binding="http_site1" redirect-socket="https_site1" />
                      <https-listener name="https_site1" max-parameters="10000" security-realm="site1" socket-binding="https_site1"/>
                      <host name="site1_host" alias="site1.com">
                          <access-log prefix="access." directory="./server/standalone/log"/>
                          <filter-ref name="404-handler" predicate="true"/>
                      </host>
                  </server>
                  <server name="site2_server">
                      <http-listener name="http_site2" max-parameters="10000" socket-binding="http_site2" redirect-socket="https_site2" />
                      <https-listener name="https-site2" max-parameters="10000" security-realm="site2" socket-binding="https_site2"/>
                      <host name="site2_host" alias="site2.com,www.site2.com">
                          <access-log prefix="access." directory="./server/standalone/log"/>
                          <filter-ref name="404-handler" predicate="true"/>
                      </host>
                  </server>
                  <server name="site3_server">
                      <http-listener name="http_site3" max-parameters="10000" socket-binding="http_site3" redirect-socket="https_site3" />
                      <https-listener name="https-site3" max-parameters="10000" security-realm="site3" socket-binding="https_site3"/>
                      <host name="site3_host" alias="site3.com">
                          <access-log prefix="access." directory="./server/standalone/log"/>
                          <filter-ref name="404-handler" predicate="true"/>
                      </host>
                  </server>
                  <servlet-container name="default" stack-trace-on-error="none">
                      <jsp-config development="true"/>
                      <websockets/>
                      <session-cookie secure="true" http-only="true" />
                  </servlet-container>
                  <filters>
                      <error-page name="404-handler" code="404" path="\static\html\404.html"/>
                  </filters>
              </subsystem>
          </profile>
          <interfaces>
              <interface name="management">
                  <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
              </interface>
              <interface name="public">
                  <inet-address value="${jboss.bind.address:127.0.0.1}"/>
              </interface>
              <interface name="public_site1">
                  <inet-address value="192.168.12.81"/>
              </interface>
              <interface name="public_site2">
                  <inet-address value="192.168.12.82"/>
              </interface>
              <interface name="public_site3">
                  <inet-address value="192.168.12.83"/>
              </interface>
          </interfaces>
          <socket-binding-group name="standard-sockets" default-interface="public">
              <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
              <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
              <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
              <socket-binding name="http" port="${jboss.http.port:80}"/>
              <socket-binding name="https" port="${jboss.https.port:443}"/>
              <socket-binding name="http_site1" port="${jboss.http.port:80}" interface="public_site1" />
              <socket-binding name="https_site1" port="${jboss.https.port:443}" interface="public_site1"/>
              <socket-binding name="http_site2" port="${jboss.http.port:80}" interface="public_site2" />
              <socket-binding name="https_site2" port="${jboss.https.port:443}" interface="public_site2"/>
              <socket-binding name="http_site3" port="${jboss.http.port:80}" interface="public_site3" />
              <socket-binding name="https_site3" port="${jboss.https.port:443}" interface="public_site3"/>
          </socket-binding-group>
      </server>
      
        • 1. Re: Multiple IP/Multiple SSL configs lead to 404 on anything but main IP/SSL combo.
          jaikiran pai Master

          Robert Blody wrote:

           

           

           

          But whenever I attempt to access .81-.83, I get the SSL certificate back, but then I get a 404. It doesn't seem to be forwarding the request to our web.xml defined struts action.

          Can you paste one such complete URL you use to access, the complete 404 error message and the relevant part of the logs which shows the deployment context name of this deployment?

          • 2. Re: Multiple IP/Multiple SSL configs lead to 404 on anything but main IP/SSL combo.
            jaikiran pai Master

            One other thing, I think you probably are missing the part where you want to link your web application to a specific server configured in your undertow subsystem. You need something along the lines of:

             

            <jboss-web>

               <server-instance>the-name-of-the-server-you-configured-in-undertow-subsystem</server-instance>

            </jboss-web>

             

            in the jboss-web.xml of the deployments that need to use non-default server instances configured in the undertow subsystem.

            • 3. Re: Multiple IP/Multiple SSL configs lead to 404 on anything but main IP/SSL combo.
              gir489 Newbie

              It seems that server-instance has a maxOccurs of 1, so all I'd be able to do with this is just hijack .80 and make .81-.83 have it. That wouldn't solve the problem.

               

              I need all 4 IPs to point to the same project.

               

              I checked the log, and nothing was spat out when I went to request something from the url.

               

              Here's an example URL that I was using: https://192.168.12.81/

               

              It just returns 404 - Not Found to the page. It should be sending the user to my ¯\_(ツ)_/¯ 404 page, but it's not. I'm guessing the filter I declared can only be used for one server?

               

              When I connect to https://192.168.12.80/ it forwards me to my splash Struts action.

              • 4. Re: Multiple IP/Multiple SSL configs lead to 404 on anything but main IP/SSL combo.
                gir489 Newbie

                The solution was to instead of create multiple servers, add 6 more listeners to default-server that then use the seprate security-realm.

                 

                Like so:

                <server name="default-server">
                   <http-listener name="default" max-parameters="10000" socket-binding="http" redirect-socket="https" />
                   <https-listener name="https" max-parameters="10000" security-realm="main" socket-binding="https"/>
                   <http-listener name="http_site1" max-parameters="10000" socket-binding="http_site1" redirect-socket="https_site1" />
                   <https-listener name="https_site1" max-parameters="10000" security-realm="site1" socket-binding="https_site1"/>
                   <http-listener name="http_site2" max-parameters="10000" socket-binding="http_site2" redirect-socket="https_site2" />
                   <https-listener name="https_site2" max-parameters="10000" security-realm="site2" socket-binding="https_site2"/>
                   <http-listener name="http_site3" max-parameters="10000" socket-binding="http_site3" redirect-socket="https_site3" />
                   <https-listener name="https_site3" max-parameters="10000" security-realm="site3" socket-binding="https_site3"/>
                   <host name="default-host" alias="localhost" >
                       <access-log prefix="access." directory="./server/standalone/log"/>
                       <filter-ref name="404-handler" predicate="true"/>
                   </host>
                </server>