[keycloak-user] Modcluster integration with keycloak

Olivier Rivat orivat at janua.fr
Tue Feb 13 06:34:39 EST 2018


Found!


It was required to enable all the modules.
They are not enabled by default on Ubuntu!!!!


sudo a2enmod proxy proxy_http proxy_ajp

Module proxy already enabled
Considering dependency proxy for proxy_http:
Module proxy already enabled
Module proxy_http already enabled
Considering dependency proxy for proxy_ajp:
Module proxy already enabled
Enabling module proxy_ajp.
To activate the new configuration, you need to run:
   service apache2 restart

Regards,

Olivier





On 13/02/2018 at 12:20, Olivier Rivat wrote:
>
>
>
>
> Configuring Keycloak With Modcluster in standalone HA mode with wildfly
>
>
>
> 1) I am trying to set up a cluster in standalone mode with keycloak.
>
> I have
> -keycloak 3.4.3
> -wildfly 11
> -modcluster 1.3
>
>
> 1) mod_cluster
> ==============
> I have configured mod_cluster on an Ubuntu distribution as follows:
>
> MemManagerFile cache/mod_cluster
>
> <IfModule manager_module>
> Listen 8180 http
> <VirtualHost vps383894.ovh.net:8180>
>     <Directory />
>     # add ip of JBoss nodes to join this proxy here
>     Require ip 127.0.0.1
>     #Require all granted
>     Allow from all
>
>     </Directory>
>     ServerAdvertise on
>     EnableMCPMReceive
>     <Location /mod_cluster_manager>
>     SetHandler mod_cluster-manager
>     # add ip of clients allowed to access mod_cluster-manager
>     Require ip 127.0.0.1
>     #Require all granted
>     Allow from all
> </Location>
> </VirtualHost>
> </IfModule>
>
>
> I can access it at URL 
> http://vps383894.ovh.net:8180/mod_cluster_manager to check that 
> mod_cluster is operational
>
> 2) Keycloak server
> ==================
> On my server I have installed keycloak
>
> http://www.keycloak.org/docs/latest/server_installation/index.html#_example-setup-with-mod-cluster
>
>
> route add -net 224.0.0.0 netmask 240.0.0.0 dev lo
> ifconfig lo multicast
>
>
>
> The difference I have introduced
>
>
> I have started it as ./standalone.sh -c standalone-ha.xml 
> -Djboss.socket.binding.port-offset=200 -Djboss.node.name=node1
>
> I have updated the xml as follows:
>
>  <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>             <buffer-cache name="default"/>
>             <server name="default-server">
>                 <ajp-listener name="ajp" socket-binding="ajp"/>
>                 <http-listener name="default" socket-binding="http" 
> redirect-socket="https" enable-http2="true"/>
>                 <https-listener name="https" socket-binding="https" 
> security-realm="ApplicationRealm" enable-http2="true"/>
>                 <host name="default-host" alias="localhost">
>                     <location name="/" handler="welcome-content"/>
>                     <http-invoker security-realm="ApplicationRealm"/>
>                     <filter-ref name="proxy-peer"/>
>                 </host>
>             </server>
>             <servlet-container name="default">
>                 <jsp-config/>
>                 <websockets/>
>                 <session-cookie name="AUTH_SESSION_ID" http-only="true" />
>             </servlet-container>
>             <handlers>
>                 <file name="welcome-content" 
> path="${jboss.home.dir}/welcome-content"/>
>             </handlers>
>             <filters>
>               <filter name="proxy-peer"
> class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"
>                  module="io.undertow.core" />
>             </filters>
>         </subsystem>
>
>
> changes:
>
> 2.1)
>
> X-Forwarded-For AJP Config
>
> <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>      <buffer-cache name="default"/>
>      <server name="default-server">
>          <ajp-listener name="ajp" socket-binding="ajp"/>
>          <http-listener name="default" socket-binding="http" 
> redirect-socket="https"/>
>          <host name="default-host" alias="localhost">
>              ...
>              <filter-ref name="proxy-peer"/>
>          </host>
>      </server>
>         ...
>      <filters>
>          ...
>          <filter name="proxy-peer"
> class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"
>                  module="io.undertow.core" />
>      </filters>
>  </subsystem>
>
>
> 2.2)
>
> <servlet-container name="default">
>     <session-cookie name="AUTH_SESSION_ID" http-only="true" />
>     ...
> </servlet-container>
>
>
>
>
>
>
> 3) Traces
> =========
>
> Now I try to access http://vps383894.ovh.net:8180/auth to reach 
> the keycloak authentication URL
>
> I obtain the following errors in apache module in error log trace
>
>
> Tue Feb 13 11:07:44.023463 2018] [core:notice] [pid 17183:tid 
> 140195770410880] AH00094: Command line: '/usr/sbin/apache2'
> [Tue Feb 13 11:43:03.239246 2018] [mpm_event:notice] [pid 17183:tid 
> 140195770410880] AH00491: caught SIGTERM, shutting down
> [Tue Feb 13 11:43:04.383906 2018] [ssl:warn] [pid 23735:tid 
> 139634017527680] AH01906: vps383894.ovh.net:443:0 server certificate 
> is a CA certificate (BasicConstraints: CA == TRUE !?)
> [Tue Feb 13 11:43:04.415962 2018] [ssl:warn] [pid 23736:tid 
> 139634017527680] AH01906: vps383894.ovh.net:443:0 server certificate 
> is a CA certificate (BasicConstraints: CA == TRUE !?)
> [Tue Feb 13 11:43:04.421178 2018] [:notice] [pid 23736:tid 
> 139634017527680] Advertise initialized for process 23736
> [Tue Feb 13 11:43:04.422642 2018] [mpm_event:notice] [pid 23736:tid 
> 139634017527680] AH00489: Apache/2.4.18 (Ubuntu) 
> mod_cluster/1.3.1.Final OpenSSL/1.0.2g configured -- resuming normal 
> operations
> [Tue Feb 13 11:43:04.422682 2018] [core:notice] [pid 23736:tid 
> 139634017527680] AH00094: Command line: '/usr/sbin/apache2'
> [Tue Feb 13 11:55:14.852179 2018] [mpm_event:notice] [pid 23736:tid 
> 139634017527680] AH00491: caught SIGTERM, shutting down
> [Tue Feb 13 11:55:15.984187 2018] [ssl:warn] [pid 25890:tid 
> 140179862239104] AH01906: vps383894.ovh.net:443:0 server certificate 
> is a CA certificate (BasicConstraints: CA == TRUE !?)
> [Tue Feb 13 11:55:16.005249 2018] [ssl:warn] [pid 25891:tid 
> 140179862239104] AH01906: vps383894.ovh.net:443:0 server certificate 
> is a CA certificate (BasicConstraints: CA == TRUE !?)
> [Tue Feb 13 11:55:16.009504 2018] [:notice] [pid 25891:tid 
> 140179862239104] Advertise initialized for process 25891
> [Tue Feb 13 11:55:16.010908 2018] [mpm_event:notice] [pid 25891:tid 
> 140179862239104] AH00489: Apache/2.4.18 (Ubuntu) 
> mod_cluster/1.3.1.Final OpenSSL/1.0.2g configured -- resuming normal 
> operations
> [Tue Feb 13 11:55:16.010932 2018] [core:notice] [pid 25891:tid 
> 140179862239104] AH00094: Command line: '/usr/sbin/apache2'
> [Tue Feb 13 12:13:35.051090 2018] [proxy:warn] [pid 25895:tid 
> 140179444545280] [client 82.236.158.30:49992] AH01144: No protocol 
> handler was valid for the URL /auth. If you are using a DSO version of 
> mod_proxy, make sure the proxy submodules are included in the 
> configuration using LoadModule.
> [Tue Feb 13 12:13:57.552528 2018] [proxy:warn] [pid 25895:tid 
> 140179452937984] [client 82.236.158.30:49996] AH01144: No protocol 
> handler was valid for the URL /auth. If you are using a DSO version of 
> mod_proxy, make sure the proxy submodules are included in the 
> configuration using LoadModule.
> [Tue Feb 13 12:13:58.508734 2018] [proxy:warn] [pid 25896:tid 
> 140179461330688] [client 82.236.158.30:49998] AH01144: No protocol 
> handler was valid for the URL /auth. If you are using a DSO version of 
> mod_proxy, make sure the proxy submodules are included in the 
> configuration using LoadModule.
> [Tue Feb 13 12:13:58.670853 2018] [proxy:warn] [pid 25895:tid 
> 140179427759872] [client 82.236.158.30:50000] AH01144: No protocol 
> handler was valid for the URL /auth. If you are using a DSO version of 
> mod_proxy, make sure the proxy submodules are included in the 
> configuration using LoadModule.
> [Tue Feb 13 12:13:58.819705 2018] [proxy:warn] [pid 25896:tid 
> 140179452937984] [client 82.236.158.30:50002] AH01144: No protocol 
> handler was valid for the URL /auth. If you are using a DSO version of 
> mod_proxy, make sure the proxy submodules are included in the 
> configuration using LoadModule.
> [Tue Feb 13 12:13:58.980052 2018] [proxy:warn] [pid 25895:tid 
> 140179419367168] [client 82.236.158.30:50004] AH01144: No protocol 
> handler was valid for the URL /auth. If you are using a DSO version of 
> mod_proxy, make sure the proxy submodules are included in the 
> configuration using LoadModule.
> [Tue Feb 13 12:14:50.778001 2018] [proxy:warn] [pid 25895:tid 
> 140179385796352] [client 82.236.158.30:50014] AH01144: No protocol 
> handler was valid for the URL /auth. If you are using a DSO version of 
> mod_proxy, make sure the proxy submodules are included in the 
> configuration using LoadModule.
>
>
> What's going wrong?
> How is it possible to fix this ?
>
> Regards,
> Olivier
>
>
>
>
> -- 
> Olivier Rivat
> CTO
> orivat at janua.fr <mailto:dchikhaoui at janua.fr>
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr <http://www.janua.fr/>
>
>

-- 


Olivier Rivat
CTO
orivat at janua.fr <mailto:dchikhaoui at janua.fr>
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr <http://www.janua.fr/>
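
Added example (not part of the original thread, and not code from the poster or the Keycloak project): a small shell check that links the AH01144 warning in the trace above to the proxy submodules named in the a2enmod command. The function names, the sample module list and the sample log lines are constructed for illustration; the error log path in the comment is the assumed Ubuntu default.

```shell
#!/bin/sh
# Added example, not from the thread. On a live host (assumed Ubuntu layout):
#   apache2ctl -M | missing_proxy_modules
#   ah01144_urls < /var/log/apache2/error.log

# Modules from `a2enmod proxy proxy_http proxy_ajp`, as `apache2ctl -M` names them.
REQUIRED_MODULES="proxy_module proxy_http_module proxy_ajp_module"

# Reads `apache2ctl -M` output on stdin; prints the required modules that
# are not loaded, space-separated (an empty line when none are missing).
missing_proxy_modules() {
    loaded=$(awk '{print $1}')
    missing=""
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$loaded" | grep -qx "$m" || missing="$missing $m"
    done
    printf '%s\n' "${missing# }"
}

# Reads an Apache error log on stdin; prints "<count> <url>" for each URL
# that triggered AH01144 (the dot that ends the sentence is stripped).
ah01144_urls() {
    sed -n 's/.*AH01144: No protocol handler was valid for the URL \([^ ]*\).*/\1/p' |
        sed 's/\.$//' | sort | uniq -c | awk '{print $1, $2}'
}

# Constructed sample: module list as it would look before proxy_ajp is enabled.
sample_modules() {
    cat <<'EOF'
Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_http_module (shared)
 manager_module (shared)
EOF
}

# Constructed sample log, one entry per line, documentation client address.
sample_log() {
    cat <<'EOF'
[Tue Feb 13 11:55:16.010932 2018] [core:notice] [pid 100:tid 1] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 12:13:35.051090 2018] [proxy:warn] [pid 101:tid 2] [client 192.0.2.10:49992] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:57.552528 2018] [proxy:warn] [pid 101:tid 3] [client 192.0.2.10:49996] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
EOF
}

echo "AH01144 hits: $(sample_log | ah01144_urls)"
echo "missing modules: $(sample_modules | missing_proxy_modules)"
```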