6 Replies Latest reply on Feb 11, 2019 8:57 AM by ray_

    Can't access to admin console after forcing wildfly 14 to use ssl on the port 443

    ray_

      I'm new to the wildfly world and this is the first time that I use it in my courses, and I'm trying to deploy it during my traineeship in the work environment.

      So I deployed wildfly to my server on a subdomain, and Nginx is a reverse proxy. To secure my connection I forced wildfly to use https through 443 with a letsencrypt ssl certificate:

      In the standalone.xml, I created an additional socket-binding entry, and I added a

      <socket-binding name="https-external" port="443"/> 

      and I changed the http-listener to redirect to this https-external instead of https.

      It worked fine until the moment when I tried to access the admin console: I was unable to log in.

      I tried to modify the management-interfaces by adding a socket-binding with http="management-https" (and by default it uses the port 9993 for the management-https) but it didn't work. It looks like I'm missing something which I can't figure out.

      The content of the "vhost" file of the wildfly subdomain for nginx is:

      upstream wildflyadmin {
          server 127.0.0.1:9990;
      }
      upstream wildfly {
          server 127.0.0.1:8080;
      }
      server {
          server_name sub.domaine.com;
          access_log /var/log/nginx/wildfly.access.log;
          error_log /var/log/nginx/wildfly.error.log;
          proxy_buffers 16 64k;
          proxy_buffer_size 128k;
          location / { proxy_pass http://wildfly; }
          location /dashadmin/ { proxy_pass http://wildflyadmin; }
          listen 443 ssl; # managed by Certbot
          ssl_certificate /etc/letsencrypt/live/domaine.com/fullchain.pem; # managed by Certbot
          ssl_certificate_key /etc/letsencrypt/live/domaine.com/privkey.pem; # managed by Certbot
          include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
          ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
      }

        • 1. Re: Can't access to admin console after forcing wildfly 14 to use ssl on the port 443
          claudio4j

          The management console in port http 9990 doesn't correlate to the undertow https-listener. If you configured the https-listener with ssl, the administration console is untouched and you should continue to use it with wildfly ip/hostname, not the nginx hostname as reverse proxy.

          • 2. Re: Can't access to admin console after forcing wildfly 14 to use ssl on the port 443
            ray_

            When I use: netstat -tlnp

            I get

            Active Internet connections (only servers)
            Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
            tcp        0      0 127.0.0.1:9993          0.0.0.0:*               LISTEN      26630/java
            tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1382/mysqld
            tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      26630/java
            tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24648/nginx -g daem
            tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      26630/java
            tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      24648/nginx -g daem

            From the moment when I forced wildfly to use https through 443, every time that I try to connect to the admin console, I get an error message.

            The 9990 port is closed from outside the server.

            • 3. Re: Can't access to admin console after forcing wildfly 14 to use ssl on the port 443
              dlofthouse

              Are you sure the server is even starting?  I suspect you are running as a user not allowed to bind to port 443 and causing the server start up to fail.

              • 4. Re: Can't access to admin console after forcing wildfly 14 to use ssl on the port 443
                ray_

                Absolutely yes! The server works fine, and I can access the webapp.
                I forgot to mention that I closed ports 8080 and 8443.

                I followed the tutorial in this link
                wildfly/Interfaces_and_ports.adoc at 0f873236ffe8a0ea9dc78acbf3b18d4a59fbb98a · wildfly/wildfly · GitHub

                 

                using this piece of xml

                <interfaces>
                  <interface name="management">
                    <inet-address value="127.0.0.1"/>
                  </interface>
                  <interface name="public">
                    <inet-address value="127.0.0.1"/>
                  </interface>
                </interfaces>

                 

                but I didn't touch anything related to the admin console.

                • 5. Re: Can't access to admin console after forcing wildfly 14 to use ssl on the port 443
                  dlofthouse

                  So what does your http-interface resource under management-interfaces presently look like?  At the moment you do seem to have something listening on 9993 but at the same time I assume you are not enabling SSL for the management interfaces?

                  • 6. Re: Can't access to admin console after forcing wildfly 14 to use ssl on the port 443
                    ray_

                    I think that I found my mistake!

                    In the standalone file, the management console was listening on 127.0.0.1, so localhost, instead of 0.0.0.0; that way I was unable to access it.

                    It happened when I used a backup standalone file where I didn't pay attention to the fact that it didn't allow outside access to the console.

                     

                    I don't know how I should proceed with this dumb question, should I delete this post?

                    I'm so embarrassed that I didn't pay attention to this simple config issue that I've already made during my previous tests.

                     

                    Thanks everyone!
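
Added example, not part of the original thread: a small Python check that cross-references the nginx upstream targets with the `netstat -tlnp` rows to find proxied backends that have no listener, and lists sockets bound to all interfaces. The two sample strings are constructed from the vhost file and netstat output posted above; the function names are this example's own.

```python
import re

# Constructed from the nginx vhost and netstat output posted in the thread.
NGINX_CONF = """
upstream wildflyadmin { server 127.0.0.1:9990; }
upstream wildfly { server 127.0.0.1:8080; }
"""
NETSTAT = """
tcp        0      0 127.0.0.1:9993          0.0.0.0:*               LISTEN      26630/java
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1382/mysqld
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      26630/java
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24648/nginx -g daem
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      26630/java
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      24648/nginx -g daem
"""

WILDCARDS = {"0.0.0.0", "::", "*"}  # bind addresses meaning "all interfaces"

def parse_upstreams(conf):
    """Return {upstream_name: [(host, port), ...]} from nginx upstream blocks."""
    out = {}
    for name, body in re.findall(r"upstream\s+(\S+)\s*\{([^}]*)\}", conf):
        out[name] = [(h, int(p)) for h, p in
                     re.findall(r"server\s+([^\s:;]+):(\d+)", body)]
    return out

def parse_listeners(netstat):
    """Return [(addr, port, program)] for every LISTEN row of `netstat -tlnp`."""
    rows = []
    for line in netstat.splitlines():
        f = line.split()
        if len(f) >= 7 and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")  # rpartition also copes with ":::443"
            rows.append((addr, int(port), f[6].split("/", 1)[-1]))
    return rows

def audit(conf, netstat):
    """Find upstreams with no matching listener, and wildcard-bound sockets."""
    listeners = parse_listeners(netstat)
    def reachable(host, port):
        return any(p == port and (a == host or a in WILDCARDS)
                   for a, p, _ in listeners)
    dead = sorted(n for n, servers in parse_upstreams(conf).items()
                  if not any(reachable(h, p) for h, p in servers))
    exposed = sorted((p, prog) for a, p, prog in listeners if a in WILDCARDS)
    return dead, exposed

if __name__ == "__main__":
    print(audit(NGINX_CONF, NETSTAT))
```

On the posted data this reports `wildflyadmin` as an upstream with nothing listening on 127.0.0.1:9990 (the only management socket shown is 9993), and nginx on ports 80 and 443 as the only sockets bound to all interfaces.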