Configuring Keycloak With Modcluster in standalone HA mode with WildFly
1) I am trying to set up a cluster in standalone mode with Keycloak.
I have
-keycloak 3.4.3
-wildfly 11
-modcluster 1.3
1) mod_cluster
==============
I have configured mod_cluster on an Ubuntu distribution as follows:
MemManagerFile cache/mod_cluster
<IfModule manager_module>
  Listen 8180 http
  <VirtualHost vps383894.ovh.net:8180>
    <Directory />
      # add ip of JBoss nodes to join this proxy here
      Require ip 127.0.0.1
      #Require all granted
      Allow from all
    </Directory>
    ServerAdvertise on
    EnableMCPMReceive
    <Location /mod_cluster_manager>
      SetHandler mod_cluster-manager
      # add ip of clients allowed to access mod_cluster-manager
      Require ip 127.0.0.1
      #Require all granted
      Allow from all
    </Location>
  </VirtualHost>
</IfModule>
I can access it at URL
http://vps383894.ovh.net:8180/mod_cluster_manager
to check that mod_cluster is operational
2) Keycloak server
==================
On my server I have installed Keycloak
http://www.keycloak.org/docs/latest/server_installation/index.html#_examp...
route add -net 224.0.0.0 netmask 240.0.0.0 dev lo
ifconfig lo multicast
The difference I have introduced
I have started it as ./standalone.sh -c standalone-ha.xml
-Djboss.socket.binding.port-offset=200 -Djboss.node.name=node1
I have updated the xml as follows:
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
  <buffer-cache name="default"/>
  <server name="default-server">
    <ajp-listener name="ajp" socket-binding="ajp"/>
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
    <host name="default-host" alias="localhost">
      <location name="/" handler="welcome-content"/>
      <http-invoker security-realm="ApplicationRealm"/>
      <filter-ref name="proxy-peer"/>
    </host>
  </server>
  <servlet-container name="default">
    <jsp-config/>
    <websockets/>
    <session-cookie name="AUTH_SESSION_ID" http-only="true" />
  </servlet-container>
  <handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
  </handlers>
  <filters>
    <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core" />
  </filters>
</subsystem>
changes:
2.1)
X-Forwarded-For AJP Config
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
  <buffer-cache name="default"/>
  <server name="default-server">
    <ajp-listener name="ajp" socket-binding="ajp"/>
    <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    <host name="default-host" alias="localhost">
      ...
      <filter-ref name="proxy-peer"/>
    </host>
  </server>
  ...
  <filters>
    ...
    <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core" />
  </filters>
</subsystem>
2.2)
<servlet-container name="default">
  <session-cookie name="AUTH_SESSION_ID" http-only="true" />
  ...
</servlet-container>
3) Traces
=========
Now I try to access
http://vps383894.ovh.net:8180/auth to reach
the Keycloak authentication URL.
I obtain the following errors in the Apache error log:
[Tue Feb 13 11:07:44.023463 2018] [core:notice] [pid 17183:tid
140195770410880] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 11:43:03.239246 2018] [mpm_event:notice] [pid 17183:tid
140195770410880] AH00491: caught SIGTERM, shutting down
[Tue Feb 13 11:43:04.383906 2018] [ssl:warn] [pid 23735:tid
139634017527680] AH01906: vps383894.ovh.net:443:0 server certificate is
a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:43:04.415962 2018] [ssl:warn] [pid 23736:tid
139634017527680] AH01906: vps383894.ovh.net:443:0 server certificate is
a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:43:04.421178 2018] [:notice] [pid 23736:tid
139634017527680] Advertise initialized for process 23736
[Tue Feb 13 11:43:04.422642 2018] [mpm_event:notice] [pid 23736:tid
139634017527680] AH00489: Apache/2.4.18 (Ubuntu) mod_cluster/1.3.1.Final
OpenSSL/1.0.2g configured -- resuming normal operations
[Tue Feb 13 11:43:04.422682 2018] [core:notice] [pid 23736:tid
139634017527680] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 11:55:14.852179 2018] [mpm_event:notice] [pid 23736:tid
139634017527680] AH00491: caught SIGTERM, shutting down
[Tue Feb 13 11:55:15.984187 2018] [ssl:warn] [pid 25890:tid
140179862239104] AH01906: vps383894.ovh.net:443:0 server certificate is
a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:55:16.005249 2018] [ssl:warn] [pid 25891:tid
140179862239104] AH01906: vps383894.ovh.net:443:0 server certificate is
a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:55:16.009504 2018] [:notice] [pid 25891:tid
140179862239104] Advertise initialized for process 25891
[Tue Feb 13 11:55:16.010908 2018] [mpm_event:notice] [pid 25891:tid
140179862239104] AH00489: Apache/2.4.18 (Ubuntu) mod_cluster/1.3.1.Final
OpenSSL/1.0.2g configured -- resuming normal operations
[Tue Feb 13 11:55:16.010932 2018] [core:notice] [pid 25891:tid
140179862239104] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 12:13:35.051090 2018] [proxy:warn] [pid 25895:tid
140179444545280] [client 82.236.158.30:49992] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:13:57.552528 2018] [proxy:warn] [pid 25895:tid
140179452937984] [client 82.236.158.30:49996] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:13:58.508734 2018] [proxy:warn] [pid 25896:tid
140179461330688] [client 82.236.158.30:49998] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:13:58.670853 2018] [proxy:warn] [pid 25895:tid
140179427759872] [client 82.236.158.30:50000] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:13:58.819705 2018] [proxy:warn] [pid 25896:tid
140179452937984] [client 82.236.158.30:50002] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:13:58.980052 2018] [proxy:warn] [pid 25895:tid
140179419367168] [client 82.236.158.30:50004] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:14:50.778001 2018] [proxy:warn] [pid 25895:tid
140179385796352] [client 82.236.158.30:50014] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
What's going wrong?
How is it possible to fix this?
Regards,
Olivier
--
Olivier Rivat
CTO
orivat(a)janua.fr <mailto:dchikhaoui@janua.fr>
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
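
Added example, not part of the original post: a Python triage of an Apache error log in the shape shown above. It re-joins the mail-wrapped lines into whole entries, counts entries per AH code, and lists which client and URL pairs hit AH01144, the warning whose own text points at mod_proxy submodules not being loaded. The sample log, host name and client address are constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of the post's error log, including the
# mail-style wrapping; host name and client address are placeholders.
SAMPLE = """\
[Tue Feb 13 11:55:16.005249 2018] [ssl:warn] [pid 25891:tid
140179862239104] AH01906: proxy.example.test:443:0 server certificate is
a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 12:13:35.051090 2018] [proxy:warn] [pid 25895:tid
140179444545280] [client 203.0.113.7:49992] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:13:57.552528 2018] [proxy:warn] [pid 25895:tid
140179452937984] [client 203.0.113.7:49996] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
"""

START = re.compile(r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} ")  # "[Tue Feb 13 "
ENTRY = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<code>AH\d{5}): )?(?P<msg>.*)")

def unwrap(text):
    """Re-join wrapped lines so each list item is one complete log entry."""
    entries = []
    for line in text.splitlines():
        if START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Count entries per AH code and (client ip, URL) pairs that hit AH01144."""
    codes, unrouted = Counter(), Counter()
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        codes[m["code"] or "-"] += 1
        if m["code"] == "AH01144":
            url = re.search(r"valid for the URL (\S+)", m["msg"])
            ip = (m["client"] or "?").rsplit(":", 1)[0]
            unrouted[(ip, url.group(1).rstrip(".") if url else "?")] += 1
    return codes, unrouted

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Entries without an AH code, such as the mod_cluster "Advertise initialized" notice, are counted under "-".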