Undertow mod_cluster proxy does not offer any Client HTTPS configuration
------------------------------------------------------------------------
Key: WFLY-4730
URL: https://issues.jboss.org/browse/WFLY-4730
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 9.0.0.CR1, 10.0.0.Alpha2
Reporter: Michal Karm Babacek
Assignee: Stuart Douglas
Priority: Blocker
Fix For: 10.0.0.Alpha3
Undertow mod_cluster proxy acts both as a *server* and as a *client* in relation to its
workers.
While the *server* configuration is quite straightforward:
{code:xml}
+++
<system-properties>
    <property name="javax.net.ssl.trustStore" value="/vault/ca-cert.jks"/>
    <property name="javax.net.ssl.trustStorePassword" value="tomcat"/>
</system-properties>
+++
<security-realm name="UndertowRealm">
    <server-identities>
        <ssl>
            <keystore path="/vault/server-cert-key.jks"
                      keystore-password="tomcat" alias="javaserver"
                      key-password="tomcat"/>
        </ssl>
    </server-identities>
</security-realm>
+++
<https-listener name="https" socket-binding="https"
                security-realm="UndertowRealm"/>
+++
{code}
with {{management-socket-binding="https"}} and
{{advertise-protocol="https"}} set, it seems there is no way to configure certs
and keys for the *client* role of the Undertow mod_cluster proxy implementation.
With the current implementation, a *worker* can connect to the Undertow mod_cluster proxy,
i.e. it can send {{CONFIG}} and {{STATUS}} MCMP messages, but when the Undertow
mod_cluster proxy needs to act as a *client*, sending a {{STATUS-RSP}} message to the
*worker*, it does not have the necessary HTTPS setup:
{noformat}
DEBUG [io.undertow] (default I/O-5) UT005055: HttpClientPingTask run for connection: https://192.168.0.122:8544/?#
DEBUG [io.undertow.server.handlers.proxy.ProxyHandler] (default I/O-5) No proxy target for request to https://192.168.0.122:8443/
DEBUG [io.undertow] (default task-7) UT005056: Received node load in STATUS message, node jvmRoute: worker-1, load: 80
DEBUG [io.undertow.request] (default I/O-5) Failed to connect: java.io.IOException: UT000065: SSL must be specified to connect to a https URL
    at io.undertow.client.http.HttpClientProvider.connect(HttpClientProvider.java:93)
    at io.undertow.client.UndertowClient.connect(UndertowClient.java:158)
    at io.undertow.server.handlers.proxy.ProxyConnectionPool.openConnection(ProxyConnectionPool.java:233)
    at io.undertow.server.handlers.proxy.ProxyConnectionPool.connect(ProxyConnectionPool.java:446)
    at io.undertow.server.handlers.proxy.mod_cluster.NodePingUtil$1.run(NodePingUtil.java:140)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:560)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:462)
{noformat}
The HTTPS communication between Undertow mod_cluster proxy and its workers needs to be
bidirectional.
If I'm just missing any obvious configuration option, please, shout, throw rocks and
close this JIRA :)
Thank you for your time looking into it.
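
For reference, the client-side TLS setup that the report finds missing looks like this when Undertow's mod_cluster handler is embedded directly. This is an added example, not part of the original report and not the WildFly subsystem configuration or the project's fix. It assumes an Undertow version whose `ModCluster.builder` has the three-argument overload taking an `XnioSsl`, reuses the keystore paths and passwords from the XML above, and the use of the server keystore as the proxy's client identity is an assumption.

```java
import io.undertow.client.UndertowClient;
import io.undertow.protocols.ssl.UndertowXnioSsl;
import io.undertow.server.handlers.proxy.mod_cluster.ModCluster;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.xnio.OptionMap;
import org.xnio.Xnio;
import org.xnio.XnioWorker;
import org.xnio.ssl.XnioSsl;

public class ModClusterClientSsl {

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    // Client-role context: trust the CA that signed the workers' certificates and,
    // in case a worker asks for a client certificate, present the proxy's own key
    // (assumption: the same keystore the https-listener uses).
    static SSLContext clientContext(char[] password) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks("/vault/ca-cert.jks", password));
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks("/vault/server-cert-key.jks", password), password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Xnio xnio = Xnio.getInstance();
        XnioWorker worker = xnio.createWorker(OptionMap.EMPTY);
        XnioSsl clientSsl =
                new UndertowXnioSsl(xnio, OptionMap.EMPTY, clientContext("tomcat".toCharArray()));
        // With no XnioSsl, connections to https:// worker URLs fail with UT000065.
        ModCluster modCluster =
                ModCluster.builder(worker, UndertowClient.getInstance(), clientSsl).build();
        modCluster.start();
    }
}
```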