Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Won't Do
Priority: Major
Fix Version/s: 1.2.14.Final
Affects Version/s: 1.2.8.Final
Component/s: mod_proxy_cluster (native httpd modules)
Labels:
None

Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1093853

Description

As a follow up on ~~MODCLUSTER-400~~ and a documentation effort for EnableOptions logic, I tried to add EnableOptions to the configuration so as to allow for a "cping/cpong" emulation of the famous AJP feature.
With the following mod_cluster.conf / httpd.conf (standalone-ha.xml being the same as in ~~MODCLUSTER-400~~'s description):

+++
Listen 10.16.92.191:2081
+++
MemManagerFile "/hell/workspace/hpws22/apache/cache/mod_cluster"
ServerName 10.16.92.191:2081
<IfModule manager_module>
  Listen 10.16.92.191:8745
  LogLevel debug
  <VirtualHost 10.16.92.191:8745>
    ServerName 10.16.92.191:8745
    <Directory />
      Order deny,allow
      Deny from all
      Allow from all
    </Directory>
    KeepAliveTimeout 60
    MaxKeepAliveRequests 0
    ServerAdvertise on
    AdvertiseFrequency 5
    ManagerBalancerName qacluster
    AdvertiseGroup 224.0.3.47:23364

    EnableOptions

    EnableMCPMReceive
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    SSLHonorCipherOrder on
    SSLCertificateFile /vault/server.crt
    SSLCertificateKeyFile /vault/server.key
    SSLCACertificateFile /vault/myca.crt
    SSLProxyEngine On
    SSLVerifyDepth 10

    <Location /mcm>
      SetHandler mod_cluster-manager
      Order deny,allow
      Deny from all
      Allow from all
    </Location>
  </VirtualHost>
</IfModule>

one gets this [^hp-ux_error_log-EnableOptions.zip] log:

[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received HTTP/1.1 200 OK
[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Server: Apache-Coyote/1.1
[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Content-Length: 0
[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Date: Fri, 02 May 2014 17:22:46 GMT
[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Connection: close
[debug] mod_proxy_cluster.c(1239): http_cping_cpong: Done
[debug] proxy_util.c(2047): proxy: https: has released connection for (10.16.92.191)
[debug] mod_manager.c(2666): manager_handler STATUS  OK
[debug] proxy_util.c(2029): proxy: https: has acquired connection for (10.16.92.191)
[debug] proxy_util.c(2085): proxy: connecting https://10.16.92.191:8645/ to 10.16.92.191:8645
[debug] proxy_util.c(2211): proxy: connected / to 10.16.92.191:8645
[debug] proxy_util.c(2462): proxy: https: fam 2 socket created to connect to 10.16.92.191
[debug] mod_proxy_cluster.c(1384): proxy_cluster_try_pingpong: connected to backend

[error] [client 10.16.92.191] SSL Proxy requested for 10.16.92.191:2081 but not enabled [Hint: SSLProxyEngine]
[error] proxy: https: failed to enable ssl support for 10.16.92.191:8645 (10.16.92.191)

[debug] proxy_util.c(2047): proxy: https: has released connection for (10.16.92.191)

Why is the JBoss EAP residing on 10.16.92.191:8645 trying to request SSL Proxy on the virtual host 10.16.92.191:2081? The result is Status: NOTOK on mod_cluser manager console.
I tried to remove that 10.16.92.191:2081, so as the 10.16.92.191:8745 is the only one ([^hp-ux_error_log-EnableOptions-single-vhost.zip]):

- Listen 10.16.92.191:2081
- ServerName 10.16.92.191:2081

The result is a funny trial to request a proxy for the boxe's actual hostname and port 80 no one (netstat) is even listening on:

[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received HTTP/1.1 200 OK
[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Server: Apache-Coyote/1.1
[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Content-Length: 0
[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Date: Fri, 02 May 2014 17:39:33 GMT
[debug] mod_proxy_cluster.c(1223): http_cping_cpong: received Connection: close
[debug] mod_proxy_cluster.c(1239): http_cping_cpong: Done
[debug] proxy_util.c(2047): proxy: https: has released connection for (10.16.92.191)
[debug] mod_manager.c(2666): manager_handler STATUS  OK
[debug] proxy_util.c(2029): proxy: https: has acquired connection for (10.16.92.191)
[debug] proxy_util.c(2085): proxy: connecting https://10.16.92.191:8645/ to 10.16.92.191:8645
[debug] proxy_util.c(2211): proxy: connected / to 10.16.92.191:8645
[debug] proxy_util.c(2462): proxy: https: fam 2 socket created to connect to 10.16.92.191
[debug] mod_proxy_cluster.c(1384): proxy_cluster_try_pingpong: connected to backend

[error] [client 10.16.92.191] SSL Proxy requested for eap-perf-hpux-03.mw.lab.eng.bos.redhat.com:80 but not enabled [Hint: SSLProxyEngine]
[error] proxy: https: failed to enable ssl support for 10.16.92.191:8645 (10.16.92.191)

[debug] proxy_util.c(2047): proxy: https: has released connection for (10.16.92.191)

I tried to add: RequestHeader set Front-End-Https "On" to the configuration without any luck.
Finally, I replicated the SSL configuration outside the VirtualHost:

MemManagerFile "/hell/workspace/hpws22/apache/cache/mod_cluster"

Listen 10.16.92.191:2081
ServerName 10.16.92.191:2081

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !S    RP !DSS"
SSLHonorCipherOrder on
SSLCertificateFile /vault/server.crt
SSLCertificateKeyFile /vault/server.key
SSLCACertificateFile /vault/myca.crt
SSLProxyEngine On
SSLVerifyDepth 10

<IfModule manager_module>

+++ the same as above +++

</IfModule>

This configuration fixed the aforementioned failed to enable ssl support and actually helped to workaround the ~~MODCLUSTER-400~~: (log: [^hp-ux_error_log-EnableOptions-SSL_everywhere.zip])

Fri, May 2, 2014 02:23:44 PM Request URI: /clusterbench/requestinfo
Headers: {host=10.16.92.191:8645, user-agent=curl/7.30.0, accept=*/*, cookie=JSESSIONID=2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3-2, x-forwarded-for=10.16.92.191, x-forwarded-host=10.16.92.191:8745, x-forwarded-server=10.16.92.191, connection=Keep-Alive}
Host header: 10.16.92.191:8645
Character encoding: null
JVM route: jboss-eap-6.3-2
Session ID: 2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3-2
Session isNew: false

Fri, May 2, 2014 02:23:47 PM Request URI: /clusterbench/requestinfo
Headers: {host=10.16.92.191:8645, user-agent=curl/7.30.0, accept=*/*, cookie=JSESSIONID=2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3-2, x-forwarded-for=10.16.92.191, x-forwarded-host=10.16.92.191:8745, x-forwarded-server=10.16.92.191, connection=Keep-Alive}
Host header: 10.16.92.191:8645
Character encoding: null
JVM route: jboss-eap-6.3-2
Session ID: 2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3-2
Session isNew: false

-- stop jboss-eap-6.3-2 -- (the same behavior with jvm kill) --

Fri, May 2, 2014 02:23:50 PM Request URI: /clusterbench/requestinfo
Headers: {host=10.16.92.191:8544, user-agent=curl/7.30.0, accept=*/*, cookie=JSESSIONID=2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3-2, x-forwarded-for=10.16.92.191, x-forwarded-host=10.16.92.191:8745, x-forwarded-server=10.16.92.191, connection=Keep-Alive}
Host header: 10.16.92.191:8544
Character encoding: null
JVM route: jboss-eap-6.3
Session ID: 2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3
Session isNew: false

Fri, May 2, 2014 02:23:53 PM Request URI: /clusterbench/requestinfo
Headers: {host=10.16.92.191:8544, user-agent=curl/7.30.0, accept=*/*, cookie=JSESSIONID=2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3, x-forwarded-for=10.16.92.191, x-forwarded-host=10.16.92.191:8745, x-forwarded-server=10.16.92.191, connection=Keep-Alive}
Host header: 10.16.92.191:8544
Character encoding: null
JVM route: jboss-eap-6.3
Session ID: 2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3
Session isNew: false

Fri, May 2, 2014 02:23:56 PM Request URI: /clusterbench/requestinfo
Headers: {host=10.16.92.191:8544, user-agent=curl/7.30.0, accept=*/*, cookie=JSESSIONID=2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3, x-forwarded-for=10.16.92.191, x-forwarded-host=10.16.92.191:8745, x-forwarded-server=10.16.92.191, connection=Keep-Alive}
Host header: 10.16.92.191:8544
Character encoding: null
JVM route: jboss-eap-6.3
Session ID: 2hC9ax9LGYDvQZtH0RXdBimf.jboss-eap-6.3
Session isNew: false

Why isn't the 10.16.92.191:8745 enough? Is it a configuration error or a ProxyPass/SSL integration bug?

Attachments

Activity

People

Assignee:: Jean-Frederic Clere

Reporter:: Michal Karm

Tester:: Athanasios Ploumis (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2014/05/02 3:46 PM

Updated:: 2021/10/24 6:37 AM

Resolved:: 2020/03/30 4:08 AM