jboss - アプリケーションサーバーが登録されているときにmod_clusterhttpsリダイレクトが機能しない

Question

ロードバランサーとしてmod_cluster1.2を使用し、ノードとしてJBossAS7を使用しています。JBossでAJPコネクタを設定し、mod_clusterがJBossノードに接続されています。

次のことを実現したい、クライアント<-HTTPS->バランサー<-AJP-> JBoss

これが私のmod_cluster構成です。

LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule manager_module modules/mod_manager.so
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule advertise_module modules/mod_advertise.so

LogLevel debug

ServerName localhost

<IfModule manager_module>
  Listen 127.0.0.1:6666
  ManagerBalancerName mycluster
  <VirtualHost 127.0.0.1:6666>

    <Location />
     Order deny,allow
     Allow from all
    </Location>

     <Location /mcm>
       SetHandler mod_cluster-manager
       Order deny,allow
       Deny from all
       Allow from 127.0.0
    </Location>

    KeepAliveTimeout 300
    MaxKeepAliveRequests 0
    AdvertiseFrequency 5
    EnableMCPMReceive

  </VirtualHost>
</IfModule>

Listen 80
<VirtualHost *:80>
 RewriteEngine on
 RewriteCond %{SERVER_PORT} 80
 RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI}  [R,L]
</VirtualHost>

  Listen 443
  <VirtualHost *:443>
    <Location />
     Order deny,allow
     Allow from all
    </Location>

    SSLEngine  On
    SSLCACertificateFile  C:/work/certs/gs/root.pem
    SSLCertificateChainFile  C:/work/certs/gs/inter.pem
    SSLCertificateFile  C:/work/certs/gs/kc.pem
    SSLCertificateKeyFile  C:/work/certs/gs/key.key

  </VirtualHost>

JBossがmod_clusterに登録されていない場合、にhttp://localhostリダイレクトされhttps://localhostます。ただし、JBossノードが登録されている場合、HTTPSリダイレクションは機能しません。HTTPモードでのみページを開いています。これを解決するのを手伝ってください。

編集：

karmの提案に従って、Worker<-HTTPS->Balancer構成を構成しました。しかし、それでも同じ効果。Jbossがm_cに登録されている場合、リダイレクトは機能しません。

これが私のm_c設定です。

LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so


LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule manager_module modules/mod_manager.so
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule advertise_module modules/mod_advertise.so


ErrorLog "logs/error_log"
LogLevel debug


ServerName localhost


Listen 8800
<VirtualHost 127.0.0.1:8800>
 RewriteEngine on
 RewriteCond  %{SERVER_PORT} !^8888$
 RewriteRule ^(.*) https://%{SERVER_NAME}:8888%{REQUEST_URI}
</VirtualHost>


<IfModule manager_module>
  Listen 8888
  ManagerBalancerName qacluster
  <VirtualHost 127.0.0.1:8888>
    <Directory />
      Order deny,allow
      Deny from all
      Allow from all
    </Directory>


    KeepAliveTimeout 300
    MaxKeepAliveRequests 0
    AdvertiseFrequency 5
    EnableMCPMReceive


    #ServerAdvertise on
    #AdvertiseGroup 224.0.1.105:6666


    <Location /mcm>
      SetHandler mod_cluster-manager
      Order deny,allow
      Deny from all
      Allow from all
   </Location>


    SSLEngine  On
    SSLCACertificateFile  C:/work/certs/gs/gs_root.pem
    SSLCertificateChainFile  C:/work/certs/gs/gs_inter.pem
    SSLCertificateFile  C:/work/certs/gs/kc.pem
    SSLCertificateKeyFile  C:/work/certs/gs/kc.key


  </VirtualHost>
</IfModule>

JBoss構成、

<subsystem xmlns="urn:jboss:domain:modcluster:1.0">
        <mod-cluster-config proxy-list="127.0.0.1:8888" advertise="false" excluded-contexts="admin-console,invoker,jbossws,jmx-console,juddi,web-console">
            <ssl key-alias="1" password="changeit" certificate-key-file="C:\Users\jai\.keystore" ca-certificate-file="C:\work\certs\gs\ca.jks"/>
        </mod-cluster-config>
    </subsystem>

JBossがm_cに登録された後、リンクhttp://localhost:8800/mcm自体が機能しなくなります。

これがm_cからのデバッグログです。

[Tue Nov 20 11:43:13 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:13 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:13 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:13 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:13 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Nov 20 11:43:13 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:13 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:13 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:13 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:14 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:14 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:14 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:14 2012] [notice] Advertise initialized for process 6148
[Tue Nov 20 11:43:14 2012] [notice] Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0g mod_cluster/1.2.0.Final configured -- resuming normal operations
[Tue Nov 20 11:43:14 2012] [notice] Server built: Feb  9 2012 22:24:33
[Tue Nov 20 11:43:14 2012] [notice] Parent: Created child process 5660
[Tue Nov 20 11:43:14 2012] [debug] mpm_winnt.c(477): Parent: Sent the scoreboard to the child
[Tue Nov 20 11:43:14 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:14 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Nov 20 11:43:14 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:14 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:14 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:15 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:15 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:15 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:15 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:15 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:15 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:15 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:15 2012] [debug] mod_advertise.c(577): [5660 - 6148] in child post config hook
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Child process is running
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(398): Child 5660: Retrieved our scoreboard from the parent.
[Tue Nov 20 11:43:15 2012] [info] Parent: Duplicating socket 128 and sending it to child process 5660
[Tue Nov 20 11:43:15 2012] [info] Parent: Duplicating socket 124 and sending it to child process 5660
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(595): Parent: Sent 2 listeners to child 5660
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(554): Child 5660: retrieved 2 listeners from parent
[Tue Nov 20 11:43:15 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 5660 for worker proxy:reverse
[Tue Nov 20 11:43:15 2012] [debug] proxy_util.c(1914): proxy: initialized worker 0 in child 5660 for (*) min=0 max=64 smax=64
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Acquired the start mutex.
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting 64 worker threads.
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting thread to listen on port 8888.
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting thread to listen on port 8800.
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done

score 0 · Accepted Answer

おい、これはすべて非常に奇妙な構成です... SSLProxyVerifyが必要ですか？Mod_clusterは実際にはMITM攻撃です:-)さらに、Mod_cluster自体に対してSSLをオンにする必要があります。見てください：

1）ワーカーノードはバランサーに登録できます。

2）接続は保護されています：クライアント<-SSL->バランサー<-SSL->ワーカー、ただし、ワーカーはバランサーを信頼する必要があります...

3）例へのアクセス

http://localhost:8800/mcm

保護されたにリダイレクトされます

https://localhost:8888/mcm

私はそれがあなたが望むものだと思いますか？

HTTPD

# mod_proxy_balancer should be disabled when mod_cluster is used
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so

MemManagerFile /home/karm/httpd/logs

Listen 8800
<VirtualHost localhost:8800>
 RewriteEngine on
 RewriteCond  %{SERVER_PORT} !^8888$
 RewriteRule ^(.*) https://%{SERVER_NAME}:8888%{REQUEST_URI}
</VirtualHost>

<IfModule manager_module>
  Listen 8888
  ManagerBalancerName qacluster
  <VirtualHost localhost:8888>
    <Directory />
      Order deny,allow
      Deny from all
      Allow from all
    </Directory>

    ServerAdvertise on
    EnableMCPMReceive
    AdvertiseGroup 224.0.1.105:6666

    <Location /mcm>
      SetHandler mod_cluster-manager
      Order deny,allow
      Deny from all
      Allow from all
   </Location>

   SSLEngine on
   SSLCipherSuite AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL
   SSLVerifyDepth 10
   SSLProxyEngine On
   SSLCertificateKeyFile /home/karm/Server/server.key
   SSLCertificateFile /home/karm/Server/server.crt
   SSLCACertificateFile /home/karm/Server/myca.crt
   LogLevel debug

  </VirtualHost>
</IfModule>

AS7：

+++
<subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="https" key-alias="javaclient" password="tomcat" certificate-key-file="/home/karm/Client/client-cert-key.jks" cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" protocol="TLS" verify-client="false" certificate-file="/home/karm/Client/client-cert-key.jks" ca-certificate-file="/home/karm/Client/ca-cert.jks"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
+++
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
    <mod-cluster-config advertise-socket="modcluster" advertise="true" sticky-session="true" sticky-session-remove="false" sticky-session-force="false" connector="https">
        <dynamic-load-provider history="10" decay="2">
            <load-metric type="busyness"/>
        </dynamic-load-provider>
        <ssl key-alias="javaclient" password="tomcat" certificate-key-file="/home/karm/Client/client-cert-key.jks" cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" ca-certificate-file="/home/karm/Client/ca-cert.jks"/>
    </mod-cluster-config>
</subsystem>
+++

HTH

乾杯

編集： このバグに注意してください：https ： //issues.jboss.org/browse/JBPAPP-9493httpsコネクタのみがある場合に発生する可能性があります。非アクティブの場合、クライアントは一定期間後にいくつかの502エラーを受け取ります。もっともらしい回避策は、を変更することです：Client<--SSL-->Balancer<--SSL-->Workers に Client<--SSL-->Balancer--AJP-->Worker、Worker--SSL-->Balancer。

AS7にAJPコネクタを追加するのと同じくらい簡単です。例： <connector name="ajp" protocol="AJP/1.3" scheme="ajp" socket-binding="ajp"/>

modclusterサブシステム用に設定します。

<mod-cluster-config advertise-socket="modcluster" advertise="true" sticky-session="true" sticky-session-remove="false" sticky-session-force="false" connector="ajp">

score 0 · Accepted Answer

問題はmod_cluster1.2.0にあります。最新のmod_clusterコードを取得し、コンパイルして使用しました。HTTPSリダイレクトは魅力のように機能しました。

jboss - アプリケーションサーバーが登録されているときにmod_clusterhttpsリダイレクトが機能しない

2 に答える 2

Related

Reference