15 Replies. Latest reply on Aug 23, 2010 9:21 AM by Paul Ferraro

    How to use mod_cluster from DMZ?

    Ned Hanks Newbie

      Is there a way to use mod_cluster from within a DMZ?

       

      Our webservers access the application servers (Jboss 5.0) through a firewall with a NAT address. When the application server sends updates to mod_cluster, the webserver is seeing the actual IP address, not the NAT IP address, unless I missed a config option.

       

      Thanks

      Ned

        • 1. Re: How to use mod_cluster from DMZ?
          Jean-Frederic Clere Master

          You mean that the Host part of the CONFIG message contains an IP httpd can't reach because of the NAT, do you?

          (See http://community.jboss.org/wiki/Mod-ClusterManagementProtocol for the CONFIG description).

          • 2. Re: How to use mod_cluster from DMZ?
            Jean-Frederic Clere Master
            Use address="hostname" in the <Connector/> and have the hostname resolved differently on the httpd and AS nodes.
            • 3. Re: How to use mod_cluster from DMZ?
              Ned Hanks Newbie

              Finally was able to get back to this.

               

              Now I am getting errors:

               

              Jboss log: (multiple of these)

              06-14 23:31:58 ER [org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Error [null: null: {4}] sending command INFO to proxy 192.168.82.39:80, configuration will be reset

               

              apache error log: (loglevel set to debug)

              [Mon Jun 14 23:32:08 2010] [debug] mod_manager.c(1416): manager_trans INFO (/)
              [Mon Jun 14 23:32:08 2010] [error] [client 192.168.82.188] client denied by server configuration: /
              [Mon Jun 14 23:32:08 2010] [debug] mod_proxy_cluster.c(1118): proxy: byrequests balancer FAILED
              [Mon Jun 14 23:32:08 2010] [error] proxy: CLUSTER: (balancer://p42devbalancer). All workers are in error state

               

              Configuration:

               

              appserver idlapp3 -> wdlint2 ip 192.168.82.39

              webserver wdlint2 -> idlapp3 ip 192.168.82.188

               

              Jboss started with -b wdlint2

               

              mod-cluster-jboss-beans.xml:

              ...

                  <property name="proxyList">wdlint2:80</property>
                  <!-- <property name="proxyList">${jboss.modcluster.proxyList:}</property> -->
                  <!-- URL prefix to send with commands to mod_cluster.  Default is no prefix. -->
                  <!--property name="proxyURL"></property-->
                  <!-- mod_advertise is a small httpd module that advertises the
                       availability of httpd servers via multicast, allowing
                       ModClusterService to discover the httpd front-end instead of
                       (or in addition to) having them defined in proxyList. -->
                  <!-- Whether to listen for advertise messages -->
                  <property name="advertise">false</property>
                  <!-- Multicast address on which to listen for advertisements -->
                  <property name="advertiseGroupAddress">${jboss.modcluster.advertise.address,jboss.partition.udpGroup:224.0.1.105}</property>
                  <!-- Port to listen to for advertisements -->
                  <property name="advertisePort">${jboss.modcluster.advertise.port:23364}</property>

               

                  <!-- Comma delimited list of contexts that should *not* be auto-registered with httpd. -->
                  <!-- ROOT indicates the root context. -->
                  <!-- Context may be qualified by host using a colon, e.g. host1:context1 -->
                  <!-- If no host is defined, localhost is assumed. -->
                  <property name="excludedContexts">${jboss.modcluster.excludedContexts:ROOT,admin-console,invoker,jbossws,jmx-console,juddi,web-console}</property>

               

                  <!-- Security key the proxy is going to send with advertise messages.
                       Default is none. -->
                  <!--property name="advertiseSecurityKey"></property-->

               

                  <!-- Whether to use SSL to communicate with mod_cluster. Note this
                       has nothing to do with handling of https requests by JBoss Web -->
                  <property name="ssl">false</property>

               

                  <!-- Configuration values for the load balancer itself (must be the
                       same on all nodes in the cluster). These will be passed to the
                       load balancer. -->
                  <property name="stickySession">true</property>
                  <property name="stickySessionForce">true</property>
                  <property name="stickySessionRemove">false</property>
                  <property name="maxAttempts">2</property>
                  <property name="workerTimeout">-1</property>
                  <property name="balancer">P42DevBalancer</property>

              ...

               

              httpd.conf:

              ...

              LoadModule proxy_module modules/mod_proxy.so
              LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

              LoadModule slotmem_module modules/mod_slotmem.so
              LoadModule manager_module modules/mod_manager.so
              LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
              LoadModule advertise_module modules/mod_advertise.so

               

              CreateBalancers 0

               

              NameVirtualHost *:80

               

              <VirtualHost *:80>
                  ServerName wdlint2.octanner.com
                  ServerAdmin xxxx@xxxx.com
                  DocumentRoot /usr/local/apache2.2/htdocs
                  ErrorLog "|/usr/local/apache2.2/bin/rotatelogs /usr/local/apache2.2/logs/wdlint2-error_log_%Y_%m_%d 86400 -420"
                  CustomLog "|/usr/local/apache2.2/bin/rotatelogs /usr/local/apache2.2/logs/wdlint2-access_log_%Y_%m_%d 86400 -420" combined

               

                  ManagerBalancerName P42DevBalancer

               

                  ProxyPass / balancer://P42DevBalancer/

              ...

              </VirtualHost>

               

              Thanks

              Ned

              • 4. Re: How to use mod_cluster from DMZ?
                Ned Hanks Newbie

                Oops

                 

                mod_cluster v1.0.3GA

                • 5. Re: How to use mod_cluster from DMZ?
                  Jean-Frederic Clere Master
                  [Mon Jun 14 23:32:08 2010] [error] [client 192.168.82.188] client denied by server configuration: /

                  You need to allow 192.168.82.188. Something like:

                     <Directory />
                        Order deny,allow
                        Deny from all
                        Allow from 192.168.82.188
                     </Directory>
                  • 6. Re: How to use mod_cluster from DMZ?
                    Ned Hanks Newbie

                    Thanks for your reply.

                     

                    Setting address="idlapp3" did not help.

                     

                    Jboss/mod_cluster sends the IP address to Apache/mod_cluster.

                     

                    appserver: idlapp3 ip 172.29.70.85 nat ip 192.168.82.188

                     

                    Apache errorlog:

                    [Tue Jun 15 11:18:04 2010] [debug] mod_manager.c(1929): manager_handler CONFIG (/) processing: "JVMRoute=p42_3_0&Port=8009&Balancer=P42DevBalancer&Host=172.29.70.85&Type=ajp&Maxattempts=2"
                    [Tue Jun 15 11:18:04 2010] [debug] mod_manager.c(1970): manager_handler CONFIG  OK
                    [Tue Jun 15 11:18:05 2010] [debug] mod_proxy_cluster.c(232): Created: reusing worker for ajp://172.29.70.85:8009
                    [Tue Jun 15 11:18:05 2010] [debug] mod_proxy_cluster.c(306): proxy: initialized worker 1 in child 11722 for (172.29.70.85) min=0 max=25 smax=25

                    ...

                    [Tue Jun 15 11:18:14 2010] [debug] proxy_util.c(2444): proxy: ajp: fam 2 socket created to connect to 172.29.70.85
                    [Tue Jun 15 11:18:20 2010] [error] (111)Connection refused: proxy: ajp: attempt to connect to 172.29.70.85:8009 (172.29.70.85) failed
                    [Tue Jun 15 11:18:20 2010] [error] ap_proxy_connect_backend disabling worker for (172.29.70.85)
                    [Tue Jun 15 11:18:20 2010] [debug] mod_proxy_cluster.c(1259): proxy_cluster_try_pingpong: can't connect to backend
                    [Tue Jun 15 11:18:20 2010] [debug] proxy_util.c(2029): proxy: ajp: has released connection for (172.29.70.85)
                    [Tue Jun 15 11:18:20 2010] [debug] mod_proxy_cluster.c(1333): proxy_cluster_isup: pingpong failed

                     

                     

                    Again, thank you for all your help.

                    • 7. Re: How to use mod_cluster from DMZ?
                      Jean-Frederic Clere Master
                      [Tue Jun 15 11:18:20 2010] [error] (111)Connection refused: proxy: ajp: attempt to connect to 172.29.70.85:8009 (172.29.70.85) failed

                      You need to "open" 8009 in the firewall between httpd and jboss or make sure that 172.29.70.85 is a valid address for the jboss box in the httpd box.

                      • 8. Re: How to use mod_cluster from DMZ?
                        Ned Hanks Newbie

                        I cannot open 172.29.70.85 on the webserver; that IP address is on the other side of the firewall. The NAT IP address for the Jboss server is 192.168.82.188.

                         

                        Is there any way to get Jboss/mod_cluster to send the NAT IP address or hostname to apache/mod_cluster?

                         

                        Thanks for your help.

                         

                        Ned

                        • 9. Re: How to use mod_cluster from DMZ?
                          Jean-Frederic Clere Master

                          You should configure the boxes so that the hostname resolves to 192.168.82.188 on the httpd box and to 172.29.70.85 on the jboss one.

                          • 10. Re: How to use mod_cluster from DMZ?
                            Ned Hanks Newbie

                            The hostname, idlapp3, does resolve to the correct IP address on each box. What I have found is that jboss/mod_cluster always sends the IP address to apache. I have tried setting address="idlapp3". Setting address=192.168.82.188 causes jbossweb to not work because 192.168.82.188 is not a valid IP address on the jboss server.

                             

                            I will try again. I will capture the CONFIG message and post here.

                             

                            Thanks

                            Ned

                            • 11. Re: How to use mod_cluster from DMZ?
                              Ned Hanks Newbie

                              Everything I try still gets just the IP address sent to apache.

                               

                              [Wed Jun 16 10:33:13 2010] [debug] mod_manager.c(1416): manager_trans CONFIG (/)
                              [Wed Jun 16 10:33:13 2010] [debug] mod_manager.c(1929): manager_handler CONFIG (/) processing: "JVMRoute=p42_3_0&Port=8009&Balancer=P42DevBalancer&Host=172.29.70.85&Type=ajp&Maxattempts=2"
                              [Wed Jun 16 10:33:13 2010] [debug] mod_manager.c(1970): manager_handler CONFIG  OK

                               

                              Thanks

                              Ned

                              • 12. Re: How to use mod_cluster from DMZ?
                                Rui Alves Newbie

                                Is there a solution for this issue? I just can't make mod_cluster work when there is a NAT between the apache balancer and the jboss cluster. Is there a way to force jboss to send the hostname and not the IP address in the CONFIG post to httpd?

                                 

                                By the way, I'm using jboss eap 5.0.1 with mod_cluster 1.0.3.GA.

                                 

                                Best Regards,

                                • 13. Re: How to use mod_cluster from DMZ?
                                  Ned Hanks Newbie

                                  I have not found a fix yet.

                                   

                                  Next week I am planning on trying mod_cluster 1.1.3CR1. I will post my findings here.

                                  • 14. Re: How to use mod_cluster from DMZ?
                                    Rui Alves Newbie

                                    Hi,

                                     

                                    Based on jira MODCLUSTER-168, I replaced getHostAddress() with getHostName() in the method getAddress located in the Utils.java source. I rebuilt mod_cluster 1.0.3GA and it works!

                                     

                                    I have to be careful with reverse address lookups when setting up connector bindings, but with my network configuration it works flawlessly.

                                     

                                    Best Regards,

                                     

                                    Rui Alves
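
Added example, not part of any post in this thread and not mod_cluster code: a small check over httpd debug-log lines in the format quoted above that extracts the `Host` field of each MCMP CONFIG message and reports whether it is a hostname (resolved on the httpd side) or an IP literal that httpd can or cannot reach. The reachable range `192.168.82.0/24`, the second CONFIG line with `Host=idlapp3`, and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed sample: the first and last lines copy the format quoted in the
# thread; the second line (Host sent as a name) is invented for comparison.
SAMPLE_LOG = """\
[Tue Jun 15 11:18:04 2010] [debug] mod_manager.c(1929): manager_handler CONFIG (/) processing: "JVMRoute=p42_3_0&Port=8009&Balancer=P42DevBalancer&Host=172.29.70.85&Type=ajp&Maxattempts=2"
[Tue Jun 15 11:18:05 2010] [debug] mod_manager.c(1929): manager_handler CONFIG (/) processing: "JVMRoute=p42_3_1&Port=8009&Balancer=P42DevBalancer&Host=idlapp3&Type=ajp&Maxattempts=2"
[Tue Jun 15 11:18:20 2010] [error] (111)Connection refused: proxy: ajp: attempt to connect to 172.29.70.85:8009 (172.29.70.85) failed
"""

CONFIG_RE = re.compile(r'manager_handler CONFIG \(/\) processing: "([^"]*)"')


def parse_config_lines(log_text):
    """Return one dict of CONFIG fields per logged CONFIG message."""
    return [
        {key: values[0] for key, values in parse_qs(m.group(1)).items()}
        for m in CONFIG_RE.finditer(log_text)
    ]


def classify_host(host, reachable_nets):
    """Classify the Host value as seen from the httpd side of the NAT."""
    if not host:
        return "missing"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"          # httpd resolves this name itself
    if any(ip in net for net in reachable_nets):
        return "reachable-ip"
    return "unreachable-ip"        # literal address from behind the NAT


def audit(log_text, reachable_cidrs):
    """List (JVMRoute, Host, Port, verdict) for every CONFIG message."""
    nets = [ipaddress.ip_network(c) for c in reachable_cidrs]
    return [
        (n.get("JVMRoute"), n.get("Host"), n.get("Port"),
         classify_host(n.get("Host", ""), nets))
        for n in parse_config_lines(log_text)
    ]


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG, ["192.168.82.0/24"]):  # assumed DMZ-side range
        print(row)
```

A node reported as `unreachable-ip` is one whose registered AJP worker address httpd will fail to connect to, as in the `Connection refused` lines quoted in reply 6.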
