[undertow-dev] Some help on Reverse Proxy Server

Devl Devel devl.development at gmail.com
Fri Sep 18 07:26:51 EDT 2015


Thanks for the tip,

I tried adding the headers on the proxy and sslheaderhandler on the server
but now I get:

UT005028: Proxy request to /

java.io.IOException: UT001000: Connection closed
    at io.undertow.client.http.HttpClientConnection$ClientReadListener.handleEvent(HttpClientConnection.java:415)
    at io.undertow.client.http.HttpClientConnection$ClientReadListener.handleEvent(HttpClientConnection.java:372)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1045)
    at io.undertow.protocols.ssl.SslConduit$1.run(SslConduit.java:225)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:560)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:462)


On the proxy when I make the request to the proxy from a browser. I take it
this means there's a problem on the back end? But when I get to the back
end directly it works fine. Any more tips would be appreciated.


Thanks

On Wed, Sep 16, 2015 at 1:45 AM, Stuart Douglas <sdouglas at redhat.com> wrote:

> If you want to use client-cert mode with a proxy you need to actually send
> the cert as a header (otherwise you would need a 1:1 mapping between front
> and back end connections).
>
> Basically on the backend server you need to have a
> io.undertow.server.handlers.SSLHeaderHandler installed, this will look for
> the headers and set up the appropriate SSL structures (don't install this
> handler on an internet facing server).
>
> In your proxy server you then need to add the following code:
>
>
>         proxyHandler.addRequestHeader(Headers.SSL_CLIENT_CERT, "%{SSL_CLIENT_CERT}");
>         proxyHandler.addRequestHeader(Headers.SSL_CIPHER, "%{SSL_CIPHER}");
>         proxyHandler.addRequestHeader(Headers.SSL_SESSION_ID, "%{SSL_SESSION_ID}");
>
> (I really should add a simpler way of doing this).
>
> Now the certificate information will be sent on every request as a header,
> and the backend server can deal with it as normal. This also means you
> don't have to use HTTPS for the connection to the backend server.
>
> Stuart
>
>
> ----- Original Message -----
> > From: "Devl Devel" <devl.development at gmail.com>
> > To: "Stuart Douglas" <sdouglas at redhat.com>
> > Cc: undertow-dev at lists.jboss.org
> > Sent: Wednesday, 16 September, 2015 12:59:55 AM
> > Subject: Re: [undertow-dev] Some help on Reverse Proxy Server
> >
> > Hi Stuart
> >
> > Thanks for this. I tried the example with a proxy server that has a valid
> > ssl context, byte buffer slice pool, undertow xnio ssl with worker, and
> > load balancing proxy client as per your example. Using 1.2.12.Final
> >
> > On the receiving webserver (which works fine with other https: and other
> > SSL requests) I have enabled SSLCLientMode.Required and other settings
> > similar to DefaultServer.  This works when I go direct to the webserver in
> > the browser - I can use it normally but when I use the proxy and issue a
> > https request I get:
> >
> > ERROR proxy - UT005028: Proxy request to / failed
> >
> > java.io.IOException: overflow
> >
> >     at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:801)
> >     at io.undertow.protocols.ssl.SslConduit.write(SslConduit.java:336)
> >     at io.undertow.client.http.HttpRequestConduit.processWrite(HttpRequestConduit.java:321)
> >     at io.undertow.client.http.HttpRequestConduit.flush(HttpRequestConduit.java:573)
> >     at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.flush(AbstractFixedLengthStreamSinkConduit.java:229)
> >     at org.xnio.conduits.ConduitStreamSinkChannel.flush(ConduitStreamSinkChannel.java:162)
> >     at io.undertow.client.http.HttpClientConnection.initiateRequest(HttpClientConnection.java:299)
> >     at io.undertow.client.http.HttpClientConnection.sendRequest(HttpClientConnection.java:228)
> >     at io.undertow.server.handlers.proxy.ProxyHandler$ProxyAction.run(ProxyHandler.java:502)
> >     at io.undertow.util.SameThreadExecutor.execute(SameThreadExecutor.java:35)
> >     at io.undertow.server.HttpServerExchange.dispatch(HttpServerExchange.java:759)
> >     at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:269)
> >     at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:245)
> >     at io.undertow.server.handlers.proxy.ProxyConnectionPool.connectionReady(ProxyConnectionPool.java:292)
> >     at io.undertow.server.handlers.proxy.ProxyConnectionPool.access$800(ProxyConnectionPool.java:54)
> >     at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:245)
> >     at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:233)
> >     at io.undertow.client.http.HttpClientProvider.handleConnected(HttpClientProvider.java:163)
> >     at io.undertow.client.http.HttpClientProvider.access$000(HttpClientProvider.java:50)
> >     at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:126)
> >     at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:123)
> >     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> >     at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:312)
> >     at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:294)
> >     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> >     at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:324)
> >     at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)
> >
> >
> >
> > Will the proxy forward the browser cert to the webserver or is there some
> > other cause? I cannot share any code but any pointers are appreciated.
> >
> >
> >
> > Thanks
> >
> > Devl
> >
> >
> >
> > On Mon, Sep 14, 2015 at 2:17 AM, Stuart Douglas <sdouglas at redhat.com> wrote:
> >
> > > An example of this can be found in this test:
> > >
> > > https://github.com/undertow-io/undertow/blob/master/core/src/test/java/io/undertow/server/handlers/proxy/LoadBalancingProxyHttpsTestCase.java
> > >
> > > Stuart
> > >
> > > ----- Original Message -----
> > > > From: "Devl Devel" <devl.development at gmail.com>
> > > > To: undertow-dev at lists.jboss.org
> > > > Sent: Saturday, 12 September, 2015 12:00:48 AM
> > > > Subject: [undertow-dev] Some help on Reverse Proxy Server
> > > >
> > > > At present the git example for Reverse Proxy is a non https/ssl example.
> > > >
> > > > https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/reverseproxy/ReverseProxyServer.java
> > > >
> > > > Please can you help with an example using SSL and https?
> > > >
> > > > I take it the .addHost( new URI ( " http://localhost:8081 " ) method
> > > > needs an XNioSSL object to work with https redirection? If so, please can
> > > > you provide an example of how to configure this?
> > > >
> > > > Thanks
> > > > Devl
> > > >
> > > >
> > > >
> > >
> >
>
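
The two halves of the setup described in the thread, as an added example that is not part of the original messages or Undertow's own code: a TLS-terminating proxy that forwards the client certificate as headers, and a backend that trusts those headers through `SSLHeaderHandler` and is therefore bound to loopback only. The class name, ports, bind addresses, the timeout and the use of the JVM default `SSLContext` (key store and trust store supplied through the `javax.net.ssl.*` system properties) are assumptions.

```java
import io.undertow.Undertow;
import io.undertow.attribute.SslCipherAttribute;
import io.undertow.attribute.SslClientCertAttribute;
import io.undertow.attribute.SslSessionIdAttribute;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.SSLHeaderHandler;
import io.undertow.server.handlers.proxy.LoadBalancingProxyClient;
import io.undertow.server.handlers.proxy.ProxyHandler;
import io.undertow.util.Headers;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;
import javax.net.ssl.SSLContext;
import java.net.URI;

public final class ClientCertProxyExample { // hypothetical class name
    // Front end: terminates TLS, requires a client certificate, forwards it as headers.
    static Undertow proxy(SSLContext sslContext) throws Exception {
        LoadBalancingProxyClient backends = new LoadBalancingProxyClient()
                .addHost(new URI("http://127.0.0.1:8081")); // plain HTTP hop (assumed address)
        ProxyHandler proxyHandler = new ProxyHandler(backends, 30000, ResponseCodeHandler.HANDLE_404);
        // Header values are read from the proxy's own TLS session with the client.
        proxyHandler.addRequestHeader(Headers.SSL_CLIENT_CERT, SslClientCertAttribute.INSTANCE);
        proxyHandler.addRequestHeader(Headers.SSL_CIPHER, SslCipherAttribute.INSTANCE);
        proxyHandler.addRequestHeader(Headers.SSL_SESSION_ID, SslSessionIdAttribute.INSTANCE);
        return Undertow.builder()
                .addHttpsListener(8443, "0.0.0.0", sslContext)
                .setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED)
                .setHandler(proxyHandler)
                .build();
    }

    // Back end: SSLHeaderHandler believes whatever SSL_* headers arrive, so the
    // listener is bound to loopback and only the proxy can reach it.
    static Undertow backend(HttpHandler application) {
        return Undertow.builder()
                .addHttpListener(8081, "127.0.0.1")
                .setHandler(new SSLHeaderHandler(application))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder application: reports whether SSL session info was rebuilt from headers.
        HttpHandler application = exchange -> exchange.getResponseSender().send(
                exchange.getConnection().getSslSessionInfo() == null
                        ? "no client certificate info" : "client certificate info present");
        backend(application).start();
        proxy(SSLContext.getDefault()).start();
    }
}
```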