[keycloak-user] Modcluster integration with keycloak

Olivier Rivat orivat at janua.fr
Tue Feb 13 06:20:49 EST 2018




Configuring Keycloak with mod_cluster in standalone-ha mode with WildFly



I am trying to set up a cluster in standalone mode with Keycloak.

I have
- Keycloak 3.4.3
- WildFly 11
- mod_cluster 1.3


1) mod_cluster
==============
I have configured mod_cluster on an Ubuntu distribution as follows:

MemManagerFile cache/mod_cluster

<IfModule manager_module>
    Listen 8180 http
    <VirtualHost vps383894.ovh.net:8180>
        <Directory />
            # add ip of JBoss nodes to join this proxy here
            Require ip 127.0.0.1
            #Require all granted
            Allow from all
        </Directory>
        ServerAdvertise on
        EnableMCPMReceive
        <Location /mod_cluster_manager>
            SetHandler mod_cluster-manager
            # add ip of clients allowed to access mod_cluster-manager
            Require ip 127.0.0.1
            #Require all granted
            Allow from all
        </Location>
    </VirtualHost>
</IfModule>


I can access it at the URL http://vps383894.ovh.net:8180/mod_cluster_manager to check that mod_cluster is operational.

2) Keycloak server
==================
On my server I have installed Keycloak following:

http://www.keycloak.org/docs/latest/server_installation/index.html#_example-setup-with-mod-cluster


route add -net 224.0.0.0 netmask 240.0.0.0 dev lo
ifconfig lo multicast



The differences I have introduced:

I have started it as ./standalone.sh -c standalone-ha.xml -Djboss.socket.binding.port-offset=200 -Djboss.node.name=node1

I have updated the XML as follows:

  <subsystem xmlns="urn:jboss:domain:undertow:4.0">
      <buffer-cache name="default"/>
      <server name="default-server">
          <ajp-listener name="ajp" socket-binding="ajp"/>
          <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
          <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
          <host name="default-host" alias="localhost">
              <location name="/" handler="welcome-content"/>
              <http-invoker security-realm="ApplicationRealm"/>
              <filter-ref name="proxy-peer"/>
          </host>
      </server>
      <servlet-container name="default">
          <jsp-config/>
          <websockets/>
          <session-cookie name="AUTH_SESSION_ID" http-only="true"/>
      </servlet-container>
      <handlers>
          <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
      </handlers>
      <filters>
          <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core"/>
      </filters>
  </subsystem>


Changes:

2.1)

X-Forwarded-For AJP Config

  <subsystem xmlns="urn:jboss:domain:undertow:4.0">
      <buffer-cache name="default"/>
      <server name="default-server">
          <ajp-listener name="ajp" socket-binding="ajp"/>
          <http-listener name="default" socket-binding="http" redirect-socket="https"/>
          <host name="default-host" alias="localhost">
              ...
              <filter-ref name="proxy-peer"/>
          </host>
      </server>
      ...
      <filters>
          ...
          <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core"/>
      </filters>
  </subsystem>


2.2)

  <servlet-container name="default">
      <session-cookie name="AUTH_SESSION_ID" http-only="true"/>
      ...
  </servlet-container>






3) Traces
=========

Now I try to access http://vps383894.ovh.net:8180/auth to reach the Keycloak authentication URL.

I obtain the following errors in the Apache error log:


[Tue Feb 13 11:07:44.023463 2018] [core:notice] [pid 17183:tid 140195770410880] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 11:43:03.239246 2018] [mpm_event:notice] [pid 17183:tid 140195770410880] AH00491: caught SIGTERM, shutting down
[Tue Feb 13 11:43:04.383906 2018] [ssl:warn] [pid 23735:tid 139634017527680] AH01906: vps383894.ovh.net:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:43:04.415962 2018] [ssl:warn] [pid 23736:tid 139634017527680] AH01906: vps383894.ovh.net:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:43:04.421178 2018] [:notice] [pid 23736:tid 139634017527680] Advertise initialized for process 23736
[Tue Feb 13 11:43:04.422642 2018] [mpm_event:notice] [pid 23736:tid 139634017527680] AH00489: Apache/2.4.18 (Ubuntu) mod_cluster/1.3.1.Final OpenSSL/1.0.2g configured -- resuming normal operations
[Tue Feb 13 11:43:04.422682 2018] [core:notice] [pid 23736:tid 139634017527680] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 11:55:14.852179 2018] [mpm_event:notice] [pid 23736:tid 139634017527680] AH00491: caught SIGTERM, shutting down
[Tue Feb 13 11:55:15.984187 2018] [ssl:warn] [pid 25890:tid 140179862239104] AH01906: vps383894.ovh.net:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:55:16.005249 2018] [ssl:warn] [pid 25891:tid 140179862239104] AH01906: vps383894.ovh.net:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:55:16.009504 2018] [:notice] [pid 25891:tid 140179862239104] Advertise initialized for process 25891
[Tue Feb 13 11:55:16.010908 2018] [mpm_event:notice] [pid 25891:tid 140179862239104] AH00489: Apache/2.4.18 (Ubuntu) mod_cluster/1.3.1.Final OpenSSL/1.0.2g configured -- resuming normal operations
[Tue Feb 13 11:55:16.010932 2018] [core:notice] [pid 25891:tid 140179862239104] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 12:13:35.051090 2018] [proxy:warn] [pid 25895:tid 140179444545280] [client 82.236.158.30:49992] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:57.552528 2018] [proxy:warn] [pid 25895:tid 140179452937984] [client 82.236.158.30:49996] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:58.508734 2018] [proxy:warn] [pid 25896:tid 140179461330688] [client 82.236.158.30:49998] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:58.670853 2018] [proxy:warn] [pid 25895:tid 140179427759872] [client 82.236.158.30:50000] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:58.819705 2018] [proxy:warn] [pid 25896:tid 140179452937984] [client 82.236.158.30:50002] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:58.980052 2018] [proxy:warn] [pid 25895:tid 140179419367168] [client 82.236.158.30:50004] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:14:50.778001 2018] [proxy:warn] [pid 25895:tid 140179385796352] [client 82.236.158.30:50014] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.


What's going wrong?
How is it possible to fix this?

Regards,
Olivier




-- 


Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
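An added example that is not part of the original post and not code from Keycloak, Undertow or mod_cluster. The proxy-peer filter in the configuration above (ProxyPeerAddressHandler) makes Undertow replace the TCP peer address with the address found in X-Forwarded-For, so Keycloak's event logging and per-IP brute force protection act on the header value rather than on the real peer. That is only sound if the WildFly HTTP/AJP listeners can be reached solely through the mod_cluster proxy: any client that reaches the listener directly can present an arbitrary X-Forwarded-For. The Python function below (hypothetical names `client_ip` and `_parse_ip`; all addresses and the trusted-proxy list are constructed for the example) shows the trust rule a backend or a log-analysis script should apply: consult the header only when the peer is a known proxy, and take the rightmost hop that is not itself a trusted proxy.

```python
import ipaddress
from typing import Iterable, Mapping, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(value: str) -> Optional[IPAddr]:
    """Parse an IPv4/IPv6 literal; return None for anything malformed."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(peer_addr: str, headers: Mapping[str, str],
              trusted_proxies: Iterable[str]) -> str:
    """Return the address the backend should attribute the request to.

    peer_addr       -- the TCP peer that opened the connection to the backend
    headers         -- request headers (names matched case-insensitively)
    trusted_proxies -- CIDR blocks of reverse proxies whose X-Forwarded-For
                       we are willing to believe (constructed for the example)

    Rule: X-Forwarded-For is consulted only when the TCP peer itself is a
    trusted proxy, and the rightmost hop that is not a trusted proxy wins.
    Everything to the left of that hop was supplied by an untrusted party.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip: Optional[IPAddr]) -> bool:
        return ip is not None and any(ip in n for n in nets)

    if not is_trusted(_parse_ip(peer_addr)):
        # Direct connection that bypassed our proxy: the header is worthless.
        return peer_addr

    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            # Malformed hop inside the trusted chain: refuse to guess.
            return peer_addr
        if not is_trusted(ip):
            return str(ip)
    # Header absent, or it listed nothing but our own proxies.
    return peer_addr


if __name__ == "__main__":
    # Constructed requests: the proxy on 127.0.0.1 is the only trusted peer,
    # matching the "Require ip 127.0.0.1" in the mod_cluster configuration.
    trusted = ["127.0.0.1/32"]
    via_proxy = ("127.0.0.1", {"X-Forwarded-For": "203.0.113.7"})
    direct_spoof = ("198.51.100.9", {"X-Forwarded-For": "127.0.0.1"})
    print("via proxy  ->", client_ip(*via_proxy, trusted))      # 203.0.113.7
    print("direct hit ->", client_ip(*direct_spoof, trusted))   # 198.51.100.9
```

The second constructed request is the case the proxy-peer filter alone does not protect against: a connection straight to the Undertow listener carrying a forged header. Keeping the listener bound to an address only the proxy can reach, or firewalling it to the proxy host, is what makes the first branch of `client_ip` the common path.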



