1 Reply Latest reply on Sep 7, 2018 3:50 PM by ceharris

    Wildfly Management Console behind AWS ALB

    ceharris

      I want to access the management console of a Wildfly 10 instance running behind an application load balancer on Amazon Web Services.

       

      I can get as far as the authentication dialog, so I believe that all of the network plumbing is set up correctly. However, after entering the correct username and password for an administrative user, I get the message "Insufficient privileges to access this interface."

       

      Running the same Wildfly configuration locally, it works fine -- I can log in and access the console.

       

      After some digging around on Stack Overflow, I saw a post that mentioned the same issue when running the Management Console behind an Apache reverse proxy. The suggested fix was to use Apache's ProxyPreserveHost directive to pass the original Host header when forwarding the request. I staged this up locally using Apache httpd and was able to get the same "Insufficient privileges to access this interface" when running Apache as a reverse proxy in front of Wildfly, and indeed, adding the ProxyPreserveHost directive resolves the issue.

       

      However, there is no such directive for a load balancer on AWS. Can someone explain the significance of the Host header in the management access decision making? Is there some other workaround to this issue?

        • 1. Re: Wildfly Management Console behind AWS ALB
          ceharris

          Of course, after posting... figured out that it was a CORS issue. Adding an allowed origin for the network that sits in between the load balancer and Wildfly solves this issue. Specifically:

           

          /core-service=management/management-interface=http-interface:list-add(\
               name=allowed-origins, value=${env.WILDFLY_MGMT_ALLOWED_ORIGIN})

           

          I'm using the WILDFLY_MGMT_ALLOWED_ORIGIN environment variable to keep the specific address out of the Wildfly configuration as it is apt to change.

           

          Hopefully this will help someone else.
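
A pre-start check for the value that the command above reads from WILDFLY_MGMT_ALLOWED_ORIGIN, added here as an example and not part of the original post: it accepts only an exact origin (scheme, host, optional port) so that a wildcard, a URL with a path, or an empty variable never reaches the management interface's allowed-origins list. The function names and the sample origins in the comments are hypothetical, and IPv6 literal hosts are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): gate WildFly start-up on a
# well-formed WILDFLY_MGMT_ALLOWED_ORIGIN. A browser's Origin header carries
# scheme://host[:port] only, with no path, query string or trailing slash.

is_exact_origin() {
    # Reject embedded newlines first, because grep matches line by line.
    case "$1" in
        *"
"*) return 1 ;;
    esac
    # http or https, a DNS name or IPv4 address, and an optional numeric port.
    printf '%s\n' "$1" | grep -Eq \
        '^https?://[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?(:[0-9]{1,5})?$' || return 1
    # When a port is present it must fall inside 1..65535.
    case "$1" in
        *://*:*)
            port=${1##*:}
            [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
            ;;
    esac
    return 0
}

check_mgmt_origin_env() {
    # Fails when the variable is unset or empty, or is not an exact origin.
    if [ -z "${WILDFLY_MGMT_ALLOWED_ORIGIN:-}" ]; then
        echo "WILDFLY_MGMT_ALLOWED_ORIGIN is not set" >&2
        return 1
    fi
    if ! is_exact_origin "$WILDFLY_MGMT_ALLOWED_ORIGIN"; then
        echo "not an exact origin: $WILDFLY_MGMT_ALLOWED_ORIGIN" >&2
        return 1
    fi
    return 0
}

# Typical use in a start script (constructed sample value):
#   export WILDFLY_MGMT_ALLOWED_ORIGIN='https://console.example.test'
#   check_mgmt_origin_env && exec "$JBOSS_HOME/bin/standalone.sh"
```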