WildFly issue WFLY-4730

Undertow mod_cluster proxy does not offer any Client HTTPS configuration

Details

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • Fix Version/s: 10.0.0.Alpha3
    • Affects Version/s: 9.0.0.CR1, 10.0.0.Alpha2
    • Component/s: Web (Undertow)
    • Labels: None

      Try to configure bidirectional HTTPS communication between Undertow mod_cluster proxy and its workers.

    Description

      Undertow mod_cluster proxy acts both as a server and as a client in relation to its workers.

      While the server configuration is quite straightforward:

      +++
      <system-properties>
          <property name="javax.net.ssl.trustStore" value="/vault/ca-cert.jks"/>
          <property name="javax.net.ssl.trustStorePassword" value="tomcat"/>
      </system-properties>
      +++
      <security-realm name="UndertowRealm">
          <server-identities>
              <ssl>
                  <keystore path="/vault/server-cert-key.jks" keystore-password="tomcat" alias="javaserver" key-password="tomcat"/>
              </ssl>
          </server-identities>
      </security-realm>
      +++
      <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
      +++
      

      with management-socket-binding="https" and advertise-protocol="https" set, there seems to be no way to configure certificates and keys for the client role of the Undertow mod_cluster proxy implementation.

      With the current implementation, the worker can connect to the Undertow mod_cluster proxy, i.e. it can send CONFIG and STATUS MCMP messages, but when the Undertow mod_cluster proxy needs to act as a client, sending a STATUS-RSP message to the worker, it does not have the necessary HTTPS setup:

      DEBUG [io.undertow] (default I/O-5) UT005055: HttpClientPingTask run for connection: https://192.168.0.122:8544/?#
      DEBUG [io.undertow.server.handlers.proxy.ProxyHandler] (default I/O-5) No proxy target for request to https://192.168.0.122:8443/
      DEBUG [io.undertow] (default task-7) UT005056: Received node load in STATUS message, node jvmRoute: worker-1, load: 80
      DEBUG [io.undertow.request] (default I/O-5) Failed to connect: java.io.IOException: UT000065: SSL must be specified to connect to a https URL
          at io.undertow.client.http.HttpClientProvider.connect(HttpClientProvider.java:93)
          at io.undertow.client.UndertowClient.connect(UndertowClient.java:158)
          at io.undertow.server.handlers.proxy.ProxyConnectionPool.openConnection(ProxyConnectionPool.java:233)
          at io.undertow.server.handlers.proxy.ProxyConnectionPool.connect(ProxyConnectionPool.java:446)
          at io.undertow.server.handlers.proxy.mod_cluster.NodePingUtil$1.run(NodePingUtil.java:140)
          at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:560)
          at org.xnio.nio.WorkerThread.run(WorkerThread.java:462)
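      As an added illustration of what the client role is missing (this is example code, not from the issue or the WildFly code base): a JSSE SSLContext built from the same key and trust stores the issue configures for the server role, wrapped in Undertow's UndertowXnioSsl and handed to the client connect call that the stack trace above reaches with no SSL at all. The connect overload and DefaultByteBufferPool are assumed to be those of Undertow 1.3; the class, method and worker names are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import io.undertow.client.ClientConnection;
import io.undertow.client.UndertowClient;
import io.undertow.protocols.ssl.UndertowXnioSsl;
import io.undertow.server.DefaultByteBufferPool;
import org.xnio.OptionMap;
import org.xnio.Options;
import org.xnio.Xnio;
import org.xnio.XnioWorker;
import org.xnio.ssl.XnioSsl;

public class ProxyClientSsl {
    /** Loads a JKS store; the /vault/*.jks paths below are the ones the issue uses for the server role. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    /** Client-role context: the key store proves the proxy's identity to the worker (mutual TLS), the trust store verifies the worker's certificate. */
    static SSLContext clientContext(String keyStorePath, char[] keyPassword,
                                    String trustStorePath, char[] trustPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, keyPassword), keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustPassword));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = clientContext("/vault/server-cert-key.jks", "tomcat".toCharArray(),
                                       "/vault/ca-cert.jks", "tomcat".toCharArray());
        Xnio xnio = Xnio.getInstance();
        XnioWorker worker = xnio.createWorker(OptionMap.create(Options.WORKER_IO_THREADS, 2));
        XnioSsl ssl = new UndertowXnioSsl(xnio, OptionMap.EMPTY, ctx);
        // The ssl argument is what the failing ping lacks: with null, an https URI fails with UT000065.
        ClientConnection conn = UndertowClient.getInstance()
                .connect(new URI("https://192.168.0.122:8443/"), worker, ssl,
                         new DefaultByteBufferPool(true, 16 * 1024), OptionMap.EMPTY).get();
        conn.close();
        worker.shutdown();
    }
}
```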
      

      The HTTPS communication between Undertow mod_cluster proxy and its workers needs to be bidirectional.

      If I'm just missing an obvious configuration option, please shout, throw rocks and close this JIRA.

      Thank you for your time looking into it.

      People

        Assignee: Stuart Douglas
        Reporter: Michal Karm