
我使用 mod_cluster 1.2 作为负载平衡器,使用 JBoss AS7 作为节点。我在 JBoss 中配置了 AJP 连接器,并且 mod_cluster 与 JBoss 节点连接。

我想实现以下,Client <--HTTPS--> Balancer <--AJP--> JBoss

这是我的 mod_cluster 配置,

# Module set for the balancer (first configuration in the question):
# mod_ssl terminates HTTPS from clients, mod_proxy + mod_proxy_ajp carry the
# balancer -> JBoss leg over AJP, and the mod_cluster modules (proxy_cluster,
# manager, slotmem, advertise) handle node registration and routing.
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule manager_module modules/mod_manager.so
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule advertise_module modules/mod_advertise.so

# "debug" is very verbose (the log excerpt later in this post is what it
# produces); lower it once the routing problem is understood.
LogLevel debug

ServerName localhost

# MCPM receiver: JBoss nodes register with the balancer on this vhost.
# "Listen 127.0.0.1:6666" binds the loopback address only, so only local
# processes can send registration messages or open the manager page.
<IfModule manager_module>
  Listen 127.0.0.1:6666
  ManagerBalancerName mycluster
  <VirtualHost 127.0.0.1:6666>

    <Location />
     Order deny,allow
     Allow from all
    </Location>

     # The manager page is an administrative interface; it is limited here
     # to 127.0.0.x ("127.0.0" is a partial-address match).
     <Location /mcm>
       SetHandler mod_cluster-manager
       Order deny,allow
       Deny from all
       Allow from 127.0.0
    </Location>

    KeepAliveTimeout 300
    MaxKeepAliveRequests 0
    AdvertiseFrequency 5
    # Accept MCPM (node registration) messages on this vhost.
    EnableMCPMReceive

  </VirtualHost>
</IfModule>

# Plain-HTTP entry point: every request is redirected to HTTPS.
Listen 80
<VirtualHost *:80>
 RewriteEngine on
 # Always true inside a *:80 vhost; harmless but redundant.
 RewriteCond %{SERVER_PORT} 80
 # "R" without a status code sends a 302; a permanent HTTP->HTTPS redirect
 # is usually written as [R=301,L].
 # NOTE(review): the question reports that once a JBoss node has registered,
 # requests on this port are served over HTTP instead of being redirected;
 # the accepted answer attributes this to mod_cluster 1.2.0 and reports it
 # fixed with a newer mod_cluster build.
 RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI}  [R,L]
</VirtualHost>

  # HTTPS entry point. No SSLProtocol directive is set, so the build's
  # defaults apply: the debug log posted with the edited configuration
  # (which also sets no SSLProtocol) shows the SSL context created with
  # SSLv2, SSLv3 and TLSv1 and warns that SSLSessionCache is not configured.
  # Restricting the protocol list and enabling the session cache are the
  # usual hardening steps for this vhost.
  Listen 443
  <VirtualHost *:443>
    <Location />
     Order deny,allow
     Allow from all
    </Location>

    SSLEngine  On
    # CA / chain / certificate / key for the client-facing certificate.
    SSLCACertificateFile  C:/work/certs/gs/root.pem
    SSLCertificateChainFile  C:/work/certs/gs/inter.pem
    SSLCertificateFile  C:/work/certs/gs/kc.pem
    SSLCertificateKeyFile  C:/work/certs/gs/key.key

  </VirtualHost>

当 JBoss 未向 mod_cluster 注册时,我访问 http://localhost 会被重定向到 https://localhost。但是当 JBoss 节点注册之后,HTTPS 重定向就不起作用了,页面只以 HTTP 方式打开。请帮我解决这个问题。

编辑:

根据 karm 的建议,我已经按 Worker<--HTTPS-->Balancer 进行了配置,但效果还是一样:当 JBoss 向 m_c 注册后,重定向就不起作用。

这是我的 m_c 配置,

# Module set for the edited (second) balancer configuration; same modules as
# the first one: mod_ssl for client HTTPS, mod_proxy/mod_proxy_ajp for the
# worker leg, and the mod_cluster modules for registration and routing.
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so


LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule manager_module modules/mod_manager.so
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule advertise_module modules/mod_advertise.so


# The debug log quoted below this configuration comes from this error log.
ErrorLog "logs/error_log"
LogLevel debug


ServerName localhost


# Plain-HTTP entry point. "Listen 8800" binds all interfaces, while the
# vhost only matches 127.0.0.1:8800; requests arriving on other addresses
# presumably fall to the main (non-vhost) server configuration.
Listen 8800
<VirtualHost 127.0.0.1:8800>
 RewriteEngine on
 # Inside an :8800 vhost SERVER_PORT is never 8888, so this always matches.
 RewriteCond  %{SERVER_PORT} !^8888$
 # No [R,L] flags: whether an absolute-URL substitution becomes an external
 # redirect is then left to mod_rewrite's own host comparison.
 # NOTE(review): writing [R=301,L] explicitly removes that dependence.
 RewriteRule ^(.*) https://%{SERVER_NAME}:8888%{REQUEST_URI}
</VirtualHost>


<IfModule manager_module>
  # "Listen 8888" binds all interfaces; the vhost itself matches 127.0.0.1 only.
  Listen 8888
  ManagerBalancerName qacluster
  <VirtualHost 127.0.0.1:8888>
    # With "Order deny,allow" the Allow directives are evaluated last, so
    # "Allow from all" overrides the Deny: the whole tree is unrestricted.
    # The vhost address (127.0.0.1) is the only thing limiting who gets here.
    <Directory />
      Order deny,allow
      Deny from all
      Allow from all
    </Directory>


    KeepAliveTimeout 300
    MaxKeepAliveRequests 0
    AdvertiseFrequency 5
    # Node registration (MCPM) is accepted on this vhost. Unlike the first
    # configuration in this post, the access rules here do not restrict it;
    # only the 127.0.0.1 vhost address does.
    EnableMCPMReceive


    #ServerAdvertise on
    #AdvertiseGroup 224.0.1.105:6666


    # The manager page is likewise "Allow from all" here, whereas the first
    # configuration allowed only 127.0.0.x.
    <Location /mcm>
      SetHandler mod_cluster-manager
      Order deny,allow
      Deny from all
      Allow from all
   </Location>


    # No SSLProtocol: the debug log below shows this context created with
    # SSLv2, SSLv3 and TLSv1, and "Session Cache is not configured".
    SSLEngine  On
    SSLCACertificateFile  C:/work/certs/gs/gs_root.pem
    SSLCertificateChainFile  C:/work/certs/gs/gs_inter.pem
    SSLCertificateFile  C:/work/certs/gs/kc.pem
    SSLCertificateKeyFile  C:/work/certs/gs/kc.key


  </VirtualHost>
</IfModule>

JBoss 配置,

<!-- JBoss AS7 mod_cluster subsystem: the node contacts the balancer's MCPM
     receiver at 127.0.0.1:8888 directly (advertise="false"), so multicast
     advertisement is not used. The contexts named in excluded-contexts are,
     per the attribute name, excluded from what the node registers. -->
<subsystem xmlns="urn:jboss:domain:modcluster:1.0">
        <mod-cluster-config proxy-list="127.0.0.1:8888" advertise="false" excluded-contexts="admin-console,invoker,jbossws,jmx-console,juddi,web-console">
            <!-- The keystore password is stored here in clear text, and
                 "changeit" is the default password of the JDK's cacerts
                 keystore; treat this file as a secret and use a non-default
                 password for a real deployment. -->
            <ssl key-alias="1" password="changeit" certificate-key-file="C:\Users\jai\.keystore" ca-certificate-file="C:\work\certs\gs\ca.jks"/>
        </mod-cluster-config>
    </subsystem>

在使用 m_c 注册 JBoss 后,链接http://localhost:8800/mcm本身不起作用。

这是来自 m_c 的调试日志,

[Tue Nov 20 11:43:13 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:13 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:13 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:13 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:13 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Nov 20 11:43:13 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:13 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:13 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:13 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:14 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:14 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:14 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:14 2012] [notice] Advertise initialized for process 6148
[Tue Nov 20 11:43:14 2012] [notice] Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0g mod_cluster/1.2.0.Final configured -- resuming normal operations
[Tue Nov 20 11:43:14 2012] [notice] Server built: Feb  9 2012 22:24:33
[Tue Nov 20 11:43:14 2012] [notice] Parent: Created child process 5660
[Tue Nov 20 11:43:14 2012] [debug] mpm_winnt.c(477): Parent: Sent the scoreboard to the child
[Tue Nov 20 11:43:14 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:14 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:14 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Nov 20 11:43:14 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:14 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:14 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:15 2012] [info] Init: Seeding PRNG with 0 bytes of entropy
[Tue Nov 20 11:43:15 2012] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
[Tue Nov 20 11:43:15 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Nov 20 11:43:15 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Nov 20 11:43:15 2012] [info] Init: Initializing (virtual) servers for SSL
[Tue Nov 20 11:43:15 2012] [info] Configuring server for SSL protocol
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(601): Configuring client authentication
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate)
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key
[Tue Nov 20 11:43:15 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r
[Tue Nov 20 11:43:15 2012] [debug] mod_advertise.c(577): [5660 - 6148] in child post config hook
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Child process is running
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(398): Child 5660: Retrieved our scoreboard from the parent.
[Tue Nov 20 11:43:15 2012] [info] Parent: Duplicating socket 128 and sending it to child process 5660
[Tue Nov 20 11:43:15 2012] [info] Parent: Duplicating socket 124 and sending it to child process 5660
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(595): Parent: Sent 2 listeners to child 5660
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(554): Child 5660: retrieved 2 listeners from parent
[Tue Nov 20 11:43:15 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 5660 for worker proxy:reverse
[Tue Nov 20 11:43:15 2012] [debug] proxy_util.c(1914): proxy: initialized worker 0 in child 5660 for (*) min=0 max=64 smax=64
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Acquired the start mutex.
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting 64 worker threads.
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting thread to listen on port 8888.
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting thread to listen on port 8800.
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done

2 回答 2


问题出在 mod_cluster 1.2.0 上。我采用了最新的 mod_cluster 代码并编译和使用。HTTPS 重定向就像魅力一样。

于 2012-11-21T11:48:49.607 回答

伙计,这整个配置都非常奇怪…… SSLProxyVerify require?这样 mod_cluster 实际上就成了中间人(MITM) :-) 此外,mod_cluster 本身的 SSL 必须打开。看一看:

1)工作节点可以向平衡器注册。

2)连接是安全的:client<--SSL-->balancer<--SSL-->workers,但是,worker必须信任平衡器......

3)访问例如

http://localhost:8800/mcm

被重定向到受保护的

https://localhost:8888/mcm

我想这就是你想要的?

HTTPD

# mod_proxy_balancer should be disabled when mod_cluster is used
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so

# Location of mod_manager's shared-memory files (under the httpd logs dir here).
MemManagerFile /home/karm/httpd/logs

# Plain-HTTP listener: redirects to the HTTPS vhost on 8888.
Listen 8800
<VirtualHost localhost:8800>
 RewriteEngine on
 # Always true on this vhost (port 8800 is never 8888).
 RewriteCond  %{SERVER_PORT} !^8888$
 # No explicit [R,L]; the answer states this redirects as intended.
 RewriteRule ^(.*) https://%{SERVER_NAME}:8888%{REQUEST_URI}
</VirtualHost>

<IfModule manager_module>
  Listen 8888
  ManagerBalancerName qacluster
  <VirtualHost localhost:8888>
    # "Order deny,allow" lets the final "Allow from all" win: unrestricted.
    <Directory />
      Order deny,allow
      Deny from all
      Allow from all
    </Directory>

    # The balancer advertises itself over multicast and accepts MCPM
    # registration; with the access rules above, registration is not limited
    # by source address (the vhost name "localhost" is the only restriction).
    ServerAdvertise on
    EnableMCPMReceive
    AdvertiseGroup 224.0.1.105:6666

    # Manager page, open to every client that reaches this vhost.
    <Location /mcm>
      SetHandler mod_cluster-manager
      Order deny,allow
      Deny from all
      Allow from all
   </Location>

   SSLEngine on
   # "ALL" re-admits every suite not removed by a "!" term; with the
   # OpenSSL 1.0.0 shown in the log, export-grade and RC4 suites are not
   # excluded by this list. An explicit allow-list is the usual choice.
   # No SSLProtocol is set, so SSLv2/SSLv3 follow the build defaults.
   SSLCipherSuite AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL
   # SSLVerifyDepth only matters when SSLVerifyClient is enabled; none is
   # set here, so this line has no effect.
   SSLVerifyDepth 10
   # Enables SSL on the balancer -> worker leg. No SSLProxyVerify or
   # SSLProxyCACertificateFile is shown, so the worker certificate is not
   # verified on this side -- the "MITM" remark in the answer text.
   SSLProxyEngine On
   SSLCertificateKeyFile /home/karm/Server/server.key
   SSLCertificateFile /home/karm/Server/server.crt
   SSLCACertificateFile /home/karm/Server/myca.crt
   LogLevel debug

  </VirtualHost>
</IfModule>

AS7:

+++
<!-- AS7 web subsystem: HTTPS connector on the worker. verify-client="false"
     means this connector does not request a client certificate from the
     balancer. The keystore password ("tomcat") is in clear text in this file.
     The alias "javaclient" and the file name "client-cert-key.jks" suggest a
     client certificate is reused as the server certificate here; verify. -->
<subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false">
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="https" key-alias="javaclient" password="tomcat" certificate-key-file="/home/karm/Client/client-cert-key.jks" cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" protocol="TLS" verify-client="false" certificate-file="/home/karm/Client/client-cert-key.jks" ca-certificate-file="/home/karm/Client/ca-cert.jks"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
+++
<!-- AS7 mod_cluster subsystem: the node discovers the balancer via multicast
     advertisement (advertise="true") and registers its "https" connector,
     so the balancer to worker leg is HTTPS. The same keystore password
     ("tomcat") appears in clear text again. -->
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
    <mod-cluster-config advertise-socket="modcluster" advertise="true" sticky-session="true" sticky-session-remove="false" sticky-session-force="false" connector="https">
        <dynamic-load-provider history="10" decay="2">
            <load-metric type="busyness"/>
        </dynamic-load-provider>
        <ssl key-alias="javaclient" password="tomcat" certificate-key-file="/home/karm/Client/client-cert-key.jks" cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" ca-certificate-file="/home/karm/Client/ca-cert.jks"/>
    </mod-cluster-config>
</subsystem>
+++

希望有帮助 (HTH)

干杯

编辑: 请注意此错误:https://issues.jboss.org/browse/JBPAPP-9493 ,如果您只有 https 连接器,可能会发生。如果一段时间不活动,客户端过一会儿会收到几个 502 错误。可行的解决方法是把 Client<--SSL-->Balancer<--SSL-->Workers 改为 Client<--SSL-->Balancer--AJP-->Worker,Worker--SSL-->Balancer。

就像在 AS7 中添加 AJP 连接器一样简单,例如: <connector name="ajp" protocol="AJP/1.3" scheme="ajp" socket-binding="ajp"/>

并为 modcluster 子系统设置:

<!-- connector="ajp" switches the balancer to worker leg to the AJP connector
     added above; the worker still reaches the balancer over SSL. -->
<mod-cluster-config advertise-socket="modcluster" advertise="true" sticky-session="true" sticky-session-remove="false" sticky-session-force="false" connector="ajp">

于 2012-11-14T16:38:01.743 回答