Uploaded image for project: 'JBoss Core Services'
  1. JBoss Core Services
  2. JBCS-327

mod_proxy_cluster terminates HTTP/2 and talks HTTP/1.1 (https) to workers

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Rejected
    • httpd 2.4.23 GA
    • None
    • mod_cluster-native
    • None

    Description

      Despite having H2 enabled in Undertow https connector, Apache HTTP Server with mod_proxy-cluster terminates H2, i.e.

      • client <--> httpd communication is H2
      • direct client <--> worker is H2
      • but when client is served by worker via httpd, HTTP 1.1 is used between httpd and workers: client <-H2> httpd <HTTP 1.1-> worker
      • from the client's point of view, H2 is used, but in fact, it is used just between client and balacer, not all the way to the worker

      From Wildfly Undertow access log:

      Accessed through httpd balacner:

      192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
      192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
      192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
      192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
      

      Balancer is checking worker's availablity:

      192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
      192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
      192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
      192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
      
      Accessed directly via browser, httpd balancer is skipped:
      192.168.122.1   - "GET /clusterbench/requestinfo HTTP/2.0" 200 920
      192.168.122.1   - "GET /clusterbench/requestinfo HTTP/2.0" 200 920
      

      Configuration

      conf.modules.d/00-proxy.conf

      LoadModule proxy_module modules/mod_proxy.so
      LoadModule proxy_connect_module modules/mod_proxy_connect.so
      LoadModule proxy_express_module modules/mod_proxy_express.so
      LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
      LoadModule proxy_http_module modules/mod_proxy_http.so
      LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
      LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
      LoadModule proxy_http2_module modules/mod_proxy_http2.so
      

      conf.d/mod_cluster.conf

      LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
      LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
      LoadModule manager_module modules/mod_manager.so
      LoadModule advertise_module modules/mod_advertise.so
      LoadModule http2_module modules/mod_http2.so
      
      MemManagerFile /tmp/mod_cluster-eapx/jbcs-httpd24-2.4/httpd/cache/mod_cluster
      
      ServerName rhel7GAx86-64:2080
          SSLEngine on
          SSLProtocol All -SSLv2 -SSLv3
          SSLCipherSuite "HIGH MEDIUM !LOW"
          SSLProxyCipherSuite "HIGH MEDIUM !LOW"
          SSLProxyCheckPeerCN Off
          SSLProxyCheckPeerName Off
          SSLHonorCipherOrder On
          SSLCertificateFile /opt/noe-tests/resources/ssl/proper/server.crt
          SSLCertificateKeyFile /opt/noe-tests/resources/ssl/proper/server.key
          SSLCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
          SSLVerifyClient optional
          SSLProxyVerify optional
          SSLProxyEngine On
          SSLVerifyDepth 10
          SSLProxyVerifyDepth 10
          SSLProxyMachineCertificateFile /opt/noe-tests/resources/ssl/proper/client.pem
          SSLProxyCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
          SSLProxyProtocol All -SSLv2 -SSLv3
      
      EnableOptions  
      LogLevel debug
      <IfModule manager_module>
      Listen 192.168.122.172:8747
       <VirtualHost 192.168.122.172:8747>
          <Directory />
      Require all granted
          </Directory>
          ServerAdvertise on
          EnableMCPMReceive
      <Location /mcm>
            SetHandler mod_cluster-manager
      Require all granted
         </Location>
      AdvertiseGroup 224.0.5.172:62844
      AdvertiseBindAddress 192.168.122.172:62844
          SSLEngine on
          SSLProtocol All -SSLv2 -SSLv3
          SSLCipherSuite "HIGH MEDIUM !LOW"
          SSLProxyCipherSuite "HIGH MEDIUM !LOW"
          SSLProxyCheckPeerCN Off
          SSLProxyCheckPeerName Off
          SSLHonorCipherOrder On
          SSLCertificateFile /opt/noe-tests/resources/ssl/proper/server.crt
          SSLCertificateKeyFile /opt/noe-tests/resources/ssl/proper/server.key
          SSLCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
          SSLVerifyClient optional
          SSLProxyVerify optional
          SSLProxyEngine On
          SSLVerifyDepth 10
          SSLProxyVerifyDepth 10
          SSLProxyMachineCertificateFile /opt/noe-tests/resources/ssl/proper/client.pem
          SSLProxyCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
          SSLProxyProtocol All -SSLv2 -SSLv3
      
      Protocols h2
      ProtocolsHonorOrder on
      KeepAliveTimeout 60
      MaxKeepAliveRequests 0
      ServerAdvertise on
      AdvertiseFrequency 5
      ManagerBalancerName qacluster
      
      </VirtualHost>
      </IfModule> 
      

      Mod_cluster subsystem

      MCMP uses HTTP 1/1 (https), becasue at the moment, one cannot make it to use wildfly-openssl provider: JBEAP-9688

      Attachments

        Issue Links

          Activity

            People

              rhn-engineering-jclere Jean-Frederic Clere
              mbabacek1@redhat.com Michal Karm
              Michal Karm Michal Karm
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: