7 Replies Latest reply on Jun 18, 2013 10:09 AM by Raphael Ferreira

    SSL and mod_cluster - Security and topology questions

    Raphael Ferreira Newbie

      Hello,

       

      I've just implemented JBoss7 in cluster with mod-cluster. Now I'm trying to configure ssl, but I have some questions:

      Where exactly do I have to apply the SSL? In the cluster I have something like that, right?

       

      clients <---> apache <--->jboss instances

       

      The mod_cluster doc says that there are two connections between JBoss and apache. What are these connections? Is it one for the http data and other for the mod_cluster working?

      How the data is served by apache? Does it just redirects the user to connect with jboss instances or does it take the response and delivers to the clients? In that case can I apply the SSL only between apache and requests or do I have to apply also between jboss and apache?

       

      Is there some way to get jboss and apache communicating in a different network than the clients and apache? Like having a private network between apache and jboss, and just letting apache being seen by outside the world.

       

      Sorry about this bunch of questions. I know that I am missing some concepts.

      Thank you, and sorry about my bad english!

        • 1. Re: SSL and mod_cluster - Security and topology questions
          Michal Karm Babacek Apprentice

          Hi Raphael,

           

          Your idea is generally correct, the communication can be described as follows:

           

          client's requests

          clients <--SSL--> balancer <--SSL--> workers

           

          MCMP messages (context configuration, load on each worker etc.)

          balancer <--SSL--> workers

           

          advertising (UDP multicast)

          balancer --> udp_address:port

           

          Let's take a look at the first two cases with which it makes sense to have encryption and authentication in place:

           

          • You need a CA, a server certificate and a client certificate. Jean described the process in the documentation and I managed to set it up just by following the steps, take a look: Creating CA, server and client certificates.
          • Your client, e.g. Firefox, has to have both CA and client certificate imported. One can test with curl as well:  curl https://raphibox:8888/st/session --cert Client/client.crt --key Client/client.key --cacert Client/myca.crt Optionally with --insecure in order to skip certificate validation.
          • Your balancer has to have something like this mod_cluster.conf in place. Note the SSLProxyEngine On.
          • Your AS7 workers have to be configured on two places: HTTPS connector (client's requests) and mod_cluster subsystem (MCMP communication). See this standalone-ha.xml configuration.

           

          HTH :-)

          1 of 1 people found this helpful
          • 2. Re: SSL and mod_cluster - Security and topology questions
            Raphael Ferreira Newbie

            Hello Michal,

             

            Thanks for your reply. And what if I have

             

            clients <--SSL--> balancer <--HTTP--> workers ?

             

            Although the connections between clients and balancer are'nt secured, the connection between the clients and balancer are, right? If its true I would like to go more further and have these two connections (clients-balancer and balancer-worker) in two different networks like:

             

            clients <--SSL(192.168.1.1)--> balancer <--HTTP/AJP(192.168.1.2)--> workers

             

            In this way I could have a private network between balancer and workers and a public one between clients and balancer. Is that possible/viable? How can I have apache listenning on one interface and communicating with workers through another one?

             

            Another question. I have read the mod_cluster docs in the SSL section: http://docs.jboss.org/mod_cluster/1.2.0/html_single/#UsingSSL

             

            It says:


            {quote}

            There are 2 connections between the cluster and the front-end. Both could be encrypted. That chapter describes how to encrypt both connections.

            {quote}

            It describes the first as "SSL between JBossWeb and httpd", and the second as "SSL between httpd and JBossWeb". What are these connections? Is the first one for clients requests and the second one for MCMP messages and advertising?

             

            Thank you!

            • 3. Re: SSL and mod_cluster - Security and topology questions
              Raphael Ferreira Newbie

              Hello,

               

              I got it working with the folowing configuration:

               

              Listen 192.168.1.1:6666

              CreateBalancers 1

               

              <VirtualHost 192.168.1.1:6666>

                ServerName 192.168.1.1

                EnableMCPMReceive

                <Directory />

                  Order deny,allow

                  Deny from all

                  Allow from 192.168.1.

                </Directory>

               

                <Location /mod_cluster-manager>

                 SetHandler mod_cluster-manager

                 Order deny,allow

                 Deny from all

                 Allow from 192.168.1.

                </Location>

               

                KeepAliveTimeout 60

                MaxKeepAliveRequests 0

               

                ServerAdvertise On http://192.168.1.1:6666

                AllowDisplay On

                ManagerBalancerName group1

              </VirtualHost>

               

              <VirtualHost 10.100.130.35:443>

                      ServerName 10.100.130.35

                      ProxyPass / balancer://group1 stickysession=JSESSIONID|jsessionid nofailover=On

                      ProxyPassReverse / balancer://group1

                      SSLEngine on

                      SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

                      SSLCertificateFile /etc/apache2/ssl/server.crt

                      SSLCertificateKeyFile /etc/apache2/ssl/server.key

              </VirtualHost>

              In that way, although the connection between balancer and JBoss instances is not secured, it is using a different network than the clients and balancer. What do you think about this scenario?

              • 5. Re: SSL and mod_cluster - Security and topology questions
                Raphael Ferreira Newbie

                Thanks Jean,

                 

                 

                It wasn't clear to me how mod-cluster chooses the interface that will answer for http requests going to jboss instances. Now I understand that CreateBalancers, ProxyPass and ProxyPassReverse control that. I Just don't understand what exactly "CreateBalancers 2" does. The mod-cluster doc says: "Create only the main server". What does it mean with "main server" ?

                • 6. Re: SSL and mod_cluster - Security and topology questions
                  Jean-Frederic Clere Master

                  main server is the server processing requests that don't belong to any VirtualHost it is always there the VirtualHost are child of him.

                  1 of 1 people found this helpful