Uploaded image for project: 'mod_cluster'
  1. mod_cluster
  2. MODCLUSTER-401

EnableOptions and SSL configuration

    XMLWordPrintable

    Details

      Description

      As a follow up on MODCLUSTER-400 and a documentation effort for EnableOptions logic, I tried to add EnableOptions to the configuration so as to allow for a "cping/cpong" emulation of the famous AJP feature.
      With the following mod_cluster.conf / httpd.conf (standalone-ha.xml being the same as in MODCLUSTER-400's description):

      +++
      Listen 10.16.92.191:2081
      +++
      MemManagerFile "/hell/workspace/hpws22/apache/cache/mod_cluster"
      ServerName 10.16.92.191:2081
      <IfModule manager_module>
        Listen 10.16.92.191:8745
        LogLevel debug
        <VirtualHost 10.16.92.191:8745>
          ServerName 10.16.92.191:8745
          <Directory />
            Order deny,allow
            Deny from all
            Allow from all
          </Directory>
          KeepAliveTimeout 60
          MaxKeepAliveRequests 0
          ServerAdvertise on
          AdvertiseFrequency 5
          ManagerBalancerName qacluster
          AdvertiseGroup 224.0.3.47:23364
      
          EnableOptions
      
          EnableMCPMReceive
          SSLEngine on
          SSLProtocol all -SSLv2 -SSLv3
          SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
          SSLHonorCipherOrder on
          SSLCertificateFile /vault/server.crt
          SSLCertificateKeyFile /vault/server.key
          SSLCACertificateFile /vault/myca.crt
          SSLProxyEngine On
          SSLVerifyDepth 10
      
          <Location /mcm>
            SetHandler mod_cluster-manager
            Order deny,allow
            Deny from all
            Allow from all
          </Location>
        </VirtualHost>
      </IfModule>
      

      one gets this [^hp-ux_error_log-EnableOptions.zip] log:

      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received HTTP/1.1 200 OK
      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Server: Apache-Coyote/1.1
      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Content-Length: 0
      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Date: Fri, 02 May 2014 17:22:46 GMT
      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Connection: close
      [debug] mod_proxy_cluster.c(1239): http_cping_cpong: Done
      [debug] proxy_util.c(2047): proxy: https: has released connection for (10.16.92.191)
      [debug] mod_manager.c(2666): manager_handler STATUS  OK
      [debug] proxy_util.c(2029): proxy: https: has acquired connection for (10.16.92.191)
      [debug] proxy_util.c(2085): proxy: connecting https://10.16.92.191:8645/ to 10.16.92.191:8645
      [debug] proxy_util.c(2211): proxy: connected / to 10.16.92.191:8645
      [debug] proxy_util.c(2462): proxy: https: fam 2 socket created to connect to 10.16.92.191
      [debug] mod_proxy_cluster.c(1384): proxy_cluster_try_pingpong: connected to backend
      
      [error] [client 10.16.92.191] SSL Proxy requested for 10.16.92.191:2081 but not enabled [Hint: SSLProxyEngine]
      [error] proxy: https: failed to enable ssl support for 10.16.92.191:8645 (10.16.92.191)
      
      [debug] proxy_util.c(2047): proxy: https: has released connection for (10.16.92.191)
      

      Why is the JBoss EAP residing on 10.16.92.191:8645 trying to request SSL Proxy on the virtual host 10.16.92.191:2081? The result is Status: NOTOK on mod_cluser manager console.
      I tried to remove that 10.16.92.191:2081, so as the 10.16.92.191:8745 is the only one ([^hp-ux_error_log-EnableOptions-single-vhost.zip]):

      - Listen 10.16.92.191:2081
      - ServerName 10.16.92.191:2081
      

      The result is a funny trial to request a proxy for the boxe's actual hostname and port 80 no one (netstat) is even listening on:

      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received HTTP/1.1 200 OK
      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Server: Apache-Coyote/1.1
      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Content-Length: 0
      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Date: Fri, 02 May 2014 17:39:33 GMT
      [debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Connection: close
      [debug] mod_proxy_cluster.c(1239): http_cping_cpong: Done
      [debug] proxy_util.c(2047): proxy: https: has released connection for (10.16.92.191)
      [debug] mod_manager.c(2666): manager_handler STATUS  OK
      [debug] proxy_util.c(2029): proxy: https: has acquired connection for (10.16.92.191)
      [debug] proxy_util.c(2085): proxy: connecting https://10.16.92.191:8645/ to 10.16.92.191:8645
      [debug] proxy_util.c(2211): proxy: connected / to 10.16.92.191:8645
      [debug] proxy_util.c(2462): proxy: https: fam 2 socket created to connect to 10.16.92.191
      [debug] mod_proxy_cluster.c(1384): proxy_cluster_try_pingpong: connected to backend
      
      [error] [client 10.16.92.191] SSL Proxy requested for eap-perf-hpux-03.mw.lab.eng.bos.redhat.com:80 but not enabled [Hint: SSLProxyEngine]
      [error] proxy: https: failed to enable ssl support for 10.16.92.191:8645 (10.16.92.191)
      
      [debug] proxy_util.c(2047): proxy: https: has released connection for (10.16.92.191)
      

      I tried to add: RequestHeader set Front-End-Https "On" to the configuration without any luck.
      Finally, I replicated the SSL configuration outside the VirtualHost:

      MemManagerFile "/hell/workspace/hpws22/apache/cache/mod_cluster"
      
      Listen 10.16.92.191:2081
      ServerName 10.16.92.191:2081
      
      SSLEngine on
      SSLProtocol all -SSLv2 -SSLv3
      SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !S    RP !DSS"
      SSLHonorCipherOrder on
      SSLCertificateFile /vault/server.crt
      SSLCertificateKeyFile /vault/server.key
      SSLCACertificateFile /vault/myca.crt
      SSLProxyEngine On
      SSLVerifyDepth 10
      
      <IfModule manager_module>
      
      +++ the same as above +++
      
      </IfModule>
      

      This configuration fixed the aforementioned failed to enable ssl support and actually helped to workaround the MODCLUSTER-400: (log: [^hp-ux_error_log-EnableOptions-SSL_everywhere.zip])

      Fri, May 2, 2014 02:23:44 PM Request URI: /clusterbench/requestinfo
      Headers: {host=10.16.92.191:8645, user-agent=curl/7.30.0, accept=*/*, cookie=JSESSIONID=2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3-2, x-forwarded-for=10.16.92.191, x-forwarded-host=10.16.92.191:8745, x-forwarded-server=10.16.92.191, connection=Keep-Alive}
      Host header: 10.16.92.191:8645
      Character encoding: null
      JVM route: jboss-eap-6.3-2
      Session ID: 2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3-2
      Session isNew: false
      
      Fri, May 2, 2014 02:23:47 PM Request URI: /clusterbench/requestinfo
      Headers: {host=10.16.92.191:8645, user-agent=curl/7.30.0, accept=*/*, cookie=JSESSIONID=2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3-2, x-forwarded-for=10.16.92.191, x-forwarded-host=10.16.92.191:8745, x-forwarded-server=10.16.92.191, connection=Keep-Alive}
      Host header: 10.16.92.191:8645
      Character encoding: null
      JVM route: jboss-eap-6.3-2
      Session ID: 2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3-2
      Session isNew: false
      
      -- stop jboss-eap-6.3-2 -- (the same behavior with jvm kill) --
      
      Fri, May 2, 2014 02:23:50 PM Request URI: /clusterbench/requestinfo
      Headers: {host=10.16.92.191:8544, user-agent=curl/7.30.0, accept=*/*, cookie=JSESSIONID=2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3-2, x-forwarded-for=10.16.92.191, x-forwarded-host=10.16.92.191:8745, x-forwarded-server=10.16.92.191, connection=Keep-Alive}
      Host header: 10.16.92.191:8544
      Character encoding: null
      JVM route: jboss-eap-6.3
      Session ID: 2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3
      Session isNew: false
      
      Fri, May 2, 2014 02:23:53 PM Request URI: /clusterbench/requestinfo
      Headers: {host=10.16.92.191:8544, user-agent=curl/7.30.0, accept=*/*, cookie=JSESSIONID=2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3, x-forwarded-for=10.16.92.191, x-forwarded-host=10.16.92.191:8745, x-forwarded-server=10.16.92.191, connection=Keep-Alive}
      Host header: 10.16.92.191:8544
      Character encoding: null
      JVM route: jboss-eap-6.3
      Session ID: 2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3
      Session isNew: false
      
      Fri, May 2, 2014 02:23:56 PM Request URI: /clusterbench/requestinfo
      Headers: {host=10.16.92.191:8544, user-agent=curl/7.30.0, accept=*/*, cookie=JSESSIONID=2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3, x-forwarded-for=10.16.92.191, x-forwarded-host=10.16.92.191:8745, x-forwarded-server=10.16.92.191, connection=Keep-Alive}
      Host header: 10.16.92.191:8544
      Character encoding: null
      JVM route: jboss-eap-6.3
      Session ID: 2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3
      Session isNew: false
      

      Why isn't the 10.16.92.191:8745 enough? Is it a configuration error or a ProxyPass/SSL integration bug?

        Attachments

          Activity

            People

            Assignee:
            jfclere Jean-Frederic Clere
            Reporter:
            mbabacek Michal Karm
            Tester:
            Athanasios Ploumis Athanasios Ploumis (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: