WFLY-16041

undertow as reverse proxy to TLS web site: 503 response


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Version: 26.0.1.Final
    • Component: Web (Undertow)

      1. Add the following "location" line to the undertow default host in standalone.xml:

      <host name="default-host" alias="localhost">
          <location name="/hosting/" handler="hosting-proxy"/>
          <location name="/" handler="welcome-content"/>
          <http-invoker http-authentication-factory="application-http-authentication"/>
      </host>

      2. and these "reverse-proxy" lines to undertow handlers:

      <handlers>
          <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
          <reverse-proxy name="hosting-proxy">
              <host name="localhost" outbound-socket-binding="apache2" scheme="https" path="/hosting/"/>
          </reverse-proxy>
      </handlers>

      3. and this outbound-socket binding to "socket-binding-group":

      <socket-binding-group name="standard-sockets" default-interface="loopback" port-offset="${jboss.socket.binding.port-offset:0}">
          <socket-binding name="ajp" interface="loopback" port="${jboss.ajp.port:8009}"/>
          <socket-binding name="http" interface="loopback" port="${jboss.http.port:8080}"/>
          <socket-binding name="https" interface="public" port="${jboss.https.port:443}"/>
          <socket-binding name="management-http" interface="loopback" port="${jboss.management.http.port:9990}"/>
          <socket-binding name="management-https" interface="public" port="${jboss.management.https.port:9993}"/>
          <socket-binding name="management-native" interface="loopback" port="${jboss.management.native.port:9999}"/>
          <socket-binding name="txn-recovery-environment" port="4712"/>
          <socket-binding name="txn-status-manager" port="4713"/>
          <outbound-socket-binding name="apache2">
              <remote-destination host="localhost" port="80"/>
          </outbound-socket-binding>
      </socket-binding-group>

      4. Restart WildFly.

      5. Make sure the page can be loaded directly from apache2, bypassing the undertow reverse proxy:

      wget --no-check-certificate https://localhost:80/hosting/capabilities
      --2022-02-14 11:38:46--  https://localhost:80/hosting/capabilities
      Resolving localhost (localhost)... ::1, 127.0.0.1
      Connecting to localhost (localhost)|::1|:80... connected.
      WARNING: The certificate of ‘localhost’ is not trusted.
      WARNING: The certificate of ‘localhost’ doesn't have a known issuer.
      HTTP request sent, awaiting response... 200 OK
      Length: 274 [application/json]
      Saving to: ‘capabilities’

      capabilities                               100%[=====================================================================================>]     274  --.-KB/s    in 0s      

      2022-02-14 11:38:46 (8.66 MB/s) - ‘capabilities’ saved [274/274]

      6. Try the same URL but with port 443 (WildFly / Undertow):

      wget --no-check-certificate https://localhost:443/hosting/capabilities
      --2022-02-14 11:39:20--  https://localhost/hosting/capabilities
      Resolving localhost (localhost)... ::1, 127.0.0.1
      Connecting to localhost (localhost)|::1|:443... failed: Connection refused.
      Connecting to localhost (localhost)|127.0.0.1|:443... connected.
      WARNING: The certificate of ‘localhost’ is not trusted.
      WARNING: The certificate of ‘localhost’ doesn't have a known issuer.
      HTTP request sent, awaiting response... 503 Service Unavailable
      2022-02-14 11:39:20 ERROR 503: Service Unavailable.


      I could not find a workaround.


      When undertow is configured to act as a reverse proxy to a web site that is secured through TLS, any request proxied through undertow returns an HTTP 503 Service Unavailable response.

      Turning on the TRACE log level for

      • org.wildfly.extension.undertow
      • io.undertow
      • org.xnio.nio

      yields the following logging entries:

      2022-02-14 11:16:05,616 DEBUG [io.undertow.request] (default I/O-4) Failed to connect: java.io.IOException: UT000065: SSL must be specified to connect to a https URL
              at io.undertow.core@2.2.14.Final//io.undertow.client.http.HttpClientProvider.connect(HttpClientProvider.java:94)
              at io.undertow.core@2.2.14.Final//io.undertow.client.UndertowClient.connect(UndertowClient.java:161)
              at io.undertow.core@2.2.14.Final//io.undertow.server.handlers.proxy.ProxyConnectionPool.openConnection(ProxyConnectionPool.java:274)
              at io.undertow.core@2.2.14.Final//io.undertow.server.handlers.proxy.ProxyConnectionPool.connect(ProxyConnectionPool.java:550)
              at io.undertow.core@2.2.14.Final//io.undertow.server.handlers.proxy.LoadBalancingProxyClient.getConnection(LoadBalancingProxyClient.java:340)
              at io.undertow.core@2.2.14.Final//io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.run(ProxyHandler.java:329)
              at io.undertow.core@2.2.14.Final//io.undertow.util.SameThreadExecutor.execute(SameThreadExecutor.java:35)
              at io.undertow.core@2.2.14.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:404)
              at io.undertow.core@2.2.14.Final//io.undertow.server.protocol.http2.Http2ReceiveListener.handleRequests(Http2ReceiveListener.java:209)
              at io.undertow.core@2.2.14.Final//io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:117)
              at io.undertow.core@2.2.14.Final//io.undertow.server.protocol.http2.Http2ReceiveListener.handleEvent(Http2ReceiveListener.java:73)
              at org.jboss.xnio@3.8.5.Final//org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at io.undertow.core@2.2.14.Final//io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:955)
              at io.undertow.core@2.2.14.Final//io.undertow.server.protocol.framed.AbstractFramedChannel$FrameReadListener.handleEvent(AbstractFramedChannel.java:935)
              at org.jboss.xnio@3.8.5.Final//org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
              at org.jboss.xnio@3.8.5.Final//org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
              at io.undertow.core@2.2.14.Final//io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1254)
              at org.jboss.xnio.nio@3.8.5.Final//org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
              at org.jboss.xnio.nio@3.8.5.Final//org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
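      As an added example (not part of this report and not WildFly's own tooling), the following Python script lints a standalone.xml for the configuration shape described in steps 1 to 3: a reverse-proxy host with scheme="https" that gives Undertow no TLS client configuration, which is the condition the UT000065 message in the trace above names. It assumes that the host element's ssl-context attribute (and the legacy security-realm attribute) is where such configuration would be referenced; whether setting it resolves this particular issue is not established by the report, so the script only reports the gap. The sample XML is constructed from the report's fragments, with a placeholder namespace and two hypothetical handlers (plain-proxy, secured-proxy) added for contrast.

```python
"""Lint a WildFly standalone.xml for reverse-proxy hosts that use scheme="https"
but give Undertow no TLS client configuration. Added example; not part of WildFly
or of this report."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the report's handler and outbound-socket-binding fragments
# in a minimal <server> skeleton, plus two hypothetical handlers ("plain-proxy"
# with a dangling binding, "secured-proxy" with an ssl-context) for contrast.
# The xmlns is a placeholder; real files carry urn:jboss:domain:undertow:<version>,
# which _local() strips the same way.
SAMPLE_XML = """\
<server>
  <profile>
    <subsystem xmlns="urn:example:undertow-placeholder">
      <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
        <reverse-proxy name="hosting-proxy">
          <host name="localhost" outbound-socket-binding="apache2" scheme="https" path="/hosting/"/>
        </reverse-proxy>
        <reverse-proxy name="plain-proxy">
          <host name="backend" outbound-socket-binding="backend-http" scheme="http"/>
        </reverse-proxy>
        <reverse-proxy name="secured-proxy">
          <host name="api" outbound-socket-binding="api-tls" scheme="https" ssl-context="proxy-client-ssl"/>
        </reverse-proxy>
      </handlers>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="loopback">
    <outbound-socket-binding name="apache2">
      <remote-destination host="localhost" port="80"/>
    </outbound-socket-binding>
    <outbound-socket-binding name="api-tls">
      <remote-destination host="api.example.internal" port="443"/>
    </outbound-socket-binding>
  </socket-binding-group>
</server>
"""


def _local(tag):
    """Return the tag name without its {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]


def _outbound_bindings(root):
    """Map outbound-socket-binding name -> 'host:port' of its remote-destination."""
    bindings = {}
    for el in root.iter():
        if _local(el.tag) != "outbound-socket-binding":
            continue
        dest = next((c for c in el if _local(c.tag) == "remote-destination"), None)
        if dest is not None:
            bindings[el.get("name")] = f"{dest.get('host')}:{dest.get('port')}"
    return bindings


def lint_xml(xml_text):
    """Return one finding per reverse-proxy <host> that has at least one issue.

    Issue codes:
      unknown-outbound-binding  the referenced outbound-socket-binding does not exist
      missing-ssl-context       scheme="https" but neither ssl-context nor the legacy
                                security-realm attribute is set (assumed attribute names)
      https-on-port-80          https requested against a port-80 destination; confirm
                                the backend really speaks TLS there
    """
    root = ET.fromstring(xml_text)
    bindings = _outbound_bindings(root)
    findings = []
    for proxy in root.iter():
        if _local(proxy.tag) != "reverse-proxy":
            continue
        for host in proxy:
            if _local(host.tag) != "host":
                continue
            scheme = host.get("scheme", "http")  # http is the subsystem default
            dest = bindings.get(host.get("outbound-socket-binding"))
            issues = []
            if dest is None:
                issues.append("unknown-outbound-binding")
            if scheme == "https" and not (host.get("ssl-context") or host.get("security-realm")):
                issues.append("missing-ssl-context")
            if scheme == "https" and dest is not None and dest.endswith(":80"):
                issues.append("https-on-port-80")
            if issues:
                findings.append({"handler": proxy.get("name"), "host": host.get("name"),
                                 "scheme": scheme, "destination": dest, "issues": issues})
    return findings


if __name__ == "__main__":
    # Usage: python lint_proxy.py [standalone.xml]; with no argument, lint the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for f in lint_xml(text):
        print(f"{f['handler']}/{f['host']} -> {f['destination']} ({f['scheme']}): {', '.join(f['issues'])}")
```

      Run against the sample, the script reports hosting-proxy (https with no ssl-context, and a port-80 destination, which matches the report's setup where apache2 does serve TLS on 80) and plain-proxy (binding not defined); secured-proxy passes. Namespaces are stripped rather than matched so the same checks work on a real, namespaced standalone.xml.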

            Assignee: Flavia Rainone
            Reporter: Ronald Feicht