7 Replies Latest reply on Dec 12, 2012 7:39 PM by Steven ONeill

    https URL weirdness

    Steven ONeill Newbie

      I've got mod_cluster fronting two JBoss app servers, semi-working.

       

      1) Occasionally getting the bad gateway/502 error - I think I read that there's a fix or a workaround for that. I'll come back to this after I deal with 2)

       

      2) More frustrating is trying to track down why when I hit https://webhost:port/context I get redirected to https://x.x.x.x:port/context. Basically, I am being redirected from my web server proxy to the backend host, and that backend host's IP becomes the new servername in the URL. However, when I hit https://webhost:port/context/path - the URL remains unchanged. I find this to be weird.

       

      I suspect I am missing an obvious configuration parameter.  Can anyone suggest some parameters to (re)review?

        • 2. Re: https URL weirdness
          Michal Karm Babacek Apprentice

          Hi Steven,

          Ad 1), yes, it is: JBPAPP6-1170, whereas the easiest solution for you would be to upgrade to mod_cluster 1.2.3.Final, which has the fix included (the bug was in the native part).

          Ad 2), this is weird indeed. Could you show me your config, so that I can proofread it?

           

          BTW: Ad 1) Are you 100% positive you need HTTPS between balancer and worker nodes? Isn't it enough to have client - balancer communication encrypted and use AJP for balancer - worker nodes communication (probably being on your trusted network)? Consider the performance overhead...

          • 3. Re: https URL weirdness
            Steven ONeill Newbie

            Thank you both for the responses.  I am in the process of trying out those suggestions now.  I had gotten distracted by other tasks.

             

             

            To add to the second point, if I include a trailing slash, a la https://webhost:port/path/ instead of https://webhost:port/path, things work just fine.

             

            I will try Jean-Frederic's suggestions first, then I will post the results along with my config.

             

            Michal - that is an important point about the performance overhead gains by terminating SSL earlier in the process. In this case of sensitive data though, depending on various industry regulations, I believe HTTPS/secure communication is required all the way through, even if it's on the internal trusted network, yes?

            • 4. Re: https URL weirdness
              Steven ONeill Newbie

              Okay, with the "ProxyPreserveHost On", I end up with this error:

               

              Not Found

               

              The requested URL <blah> was not found on this server.

               

               

              So I turned that off, and tried the proxy-host and proxy-port settings. This worked to a degree. Now when I hit https://webhost:port/context, I get back the same URL and expected content, but with an extra slash at the end of the URL: https://webhost:port/context/

               

               

              Here is the SSL config portion of my Apache config:

               

              LoadModule ssl_module /opt/jboss/httpd_jbdc/modules/mod_ssl.so
              LoadModule slotmem_module /opt/jboss/httpd_jbdc/modules/mod_slotmem.so
              LoadModule manager_module /opt/jboss/httpd_jbdc/modules/mod_manager.so
              LoadModule proxy_cluster_module /opt/jboss/httpd_jbdc/modules/mod_proxy_cluster.so
              LoadModule advertise_module /opt/jboss/httpd_jbdc/modules/mod_advertise.so

              AddType application/x-x509-ca-cert .crt
              AddType application/x-pkcs7-crl    .crl

              SSLPassPhraseDialog  builtin

              SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
              SSLSessionCacheTimeout  300

              SSLMutex default

              SSLRandomSeed startup file:/dev/urandom  256
              SSLRandomSeed connect builtin

              SSLCryptoDevice builtin
              #ProxyPreserveHost On
              SSLProxyEngine On
              SSLProtocol all -SSLv2
              SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
              SSLCertificateFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.crt
              SSLCertificateKeyFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.key

              NameVirtualHost 10.0.10.15:445
              MemManagerFile /var/cache/httpd

              Listen 6668
              <VirtualHost *:6668>
                  ManagerBalancerName jbdtdc
                  #ProxyPreserveHost On

                  SSLEngine on
                  SSLProxyEngine On
                  SSLProtocol all -SSLv2
                  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
                  SSLCertificateFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.crt
                  SSLCertificateKeyFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.key

                  EnableMCPMReceive On
                  AdvertiseFrequency 5
                  ServerAdvertise off
                  CustomLog logs/ssl_request_modcluster_log \
                        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

                  LogLevel debug
                  ErrorLog logs/ssl_error_modcluster_log
                  TransferLog logs/ssl_access_modcluster_log
              </Virtualhost>

              Listen 445
              <VirtualHost *:445>
                  KeepAliveTimeout 60
                  MaxKeepAliveRequests 0
                  ManagerBalancerName jbdtdc

                  #ProxyPreserveHost On
                  SSLEngine on
                  SSLProxyEngine On
                  SSLProtocol all -SSLv2
                  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
                  SSLCertificateFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.crt
                  #SSLCertificateChainFile /opt/jboss/httpd_jbdc/conf/certs/wpweb1.crt

                  <Location />
                    Order deny,allow
                    Allow from all
                  </Location>

                  <Location /mcm>
                      SetHandler mod_cluster-manager
                      Order deny,allow
                      Allow from all
                  </Location>

                  CustomLog logs/ssl_request_log \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

                  ErrorLog logs/ssl_error_log
                  TransferLog logs/ssl_access_log

                  LogLevel debug
              </VirtualHost>

              Listen 80
              <VirtualHost *:80>
                  RewriteEngine on
                  RewriteCond  %{SERVER_PORT} !^445$
                  RewriteRule ^(.*) https://%{SERVER_NAME}:445%{REQUEST_URI}
              </VirtualHost>

              • 5. Re: https URL weirdness
                Jean-Frederic Clere Master

                Are you sure about the extra /? It might be that you get a redirect to https://webhost:port/context/ for AS7?

                To check: curl -v https://webhost:port/context
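
Added example, not part of the thread or of any participant's post: a Python sketch that reads the response lines of `curl -v` output, as suggested in the reply above, and tells a same-host trailing-slash redirect apart from a `Location` that points at a different host, which is the backend-address redirect described in the first post. The host name, address, ports and the three transcripts are constructed placeholders.

```python
from urllib.parse import urlsplit, urljoin

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = (301, 302, 303, 307, 308)

# Constructed `curl -v` excerpts; hosts, addresses and ports are placeholders.
BACKEND_LEAK = """> GET /context HTTP/1.1
< HTTP/1.1 302 Found
< Location: https://192.0.2.10:8443/context/
"""
SLASH_ONLY = """> GET /context HTTP/1.1
< HTTP/1.1 302 Found
< Location: /context/
"""
NOT_FOUND = """> GET /context HTTP/1.1
< HTTP/1.1 404 Not Found
"""

def origin(url):
    """(scheme, host, port) with the scheme's default port filled in."""
    p = urlsplit(url)
    return p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme)

def parse_curl_verbose(text):
    """Pull (status, Location) out of the '<' response lines of curl -v output."""
    status = location = None
    for line in text.splitlines():
        if not line.startswith("< "):
            continue
        field = line[2:].strip()
        if field.startswith("HTTP/") and status is None:
            status = int(field.split()[1])
        elif field.lower().startswith("location:"):
            location = field.split(":", 1)[1].strip()
    return status, location

def classify(request_url, curl_output):
    status, location = parse_curl_verbose(curl_output)
    if status not in REDIRECTS or not location:
        return "no-redirect"
    target = urljoin(request_url, location)   # resolves a relative Location
    if origin(target) != origin(request_url):
        return "host-rewritten"               # client is sent to another host
    if urlsplit(target).path == urlsplit(request_url).path + "/":
        return "trailing-slash"               # directory-style redirect, same host
    return "other-redirect"

if __name__ == "__main__":
    url = "https://webhost.example:445/context"
    for name, out in [("leak", BACKEND_LEAK), ("slash", SLASH_ONLY), ("404", NOT_FOUND)]:
        print(name, classify(url, out))
```

A `host-rewritten` result means the redirect exposes an address other than the front-end name to the client; `trailing-slash` is the same-host redirect that only appends the slash.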

                • 6. Re: https URL weirdness
                  Jean-Frederic Clere Master

                  With the ProxyPreserveHost On, where does the 404 come from? From AS7?

                  • 7. Re: https URL weirdness
                    Steven ONeill Newbie

                    I ended up running "curl -v -k https://webhost:port/context", since we aren't using a CA cert. It returns a 404 with or without the "/" at the end of the context.

                    With ProxyPreserveHost On, I do not have a record of where the 404 comes from.

                    In any case, I ended up getting sufficient use out of the current configuration and have no need to troubleshoot further. Thank you for the assistance provided!