[JBoss JIRA] (MODCLUSTER-718) mod_cluster does not properly disable session stickiness
by Radoslav Husar (Jira)
[ https://issues.redhat.com/browse/MODCLUSTER-718?page=com.atlassian.jira.p... ]
Radoslav Husar updated MODCLUSTER-718:
--------------------------------------
Status: Resolved (was: Pull Request Sent)
Fix Version/s: 2.0.0.Alpha1, 1.3.13.Final
Assignee: Jean-Frederic Clere (was: Dimitris Sartzetakis)
Resolution: Done
> mod_cluster does not properly disable session stickiness
> --------------------------------------------------------
>
> Key: MODCLUSTER-718
> URL: https://issues.redhat.com/browse/MODCLUSTER-718
> Project: mod_cluster
> Issue Type: Bug
> Components: Native (httpd modules)
> Affects Versions: 2.0.0.Alpha1, 1.3.12.Final
> Reporter: Aaron Ogburn
> Assignee: Jean-Frederic Clere
> Priority: Major
> Fix For: 2.0.0.Alpha1, 1.3.13.Final
>
>
> Disable sticky sessions on JBoss's mod-cluster-config:
> {code}
> <mod-cluster-config advertise-socket="modcluster" proxies="proxy1" sticky-session="false" connector="ajp">
> {code}
> But httpd/mod_cluster still maintains stickiness regardless.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
[JBoss JIRA] (MODCLUSTER-711) Using "connectorPort" property fails if multiple services are configured in Tomcat
by Radoslav Husar (Jira)
[ https://issues.redhat.com/browse/MODCLUSTER-711?page=com.atlassian.jira.p... ]
Radoslav Husar commented on MODCLUSTER-711:
-------------------------------------------
After looking more thoroughly at the code, the usage with multiple services works as expected. For example a config with multiple services each with one connector defined, no connectorPort/connectorAddress defined (thus *:* filters out the one connector configured for each service), registers both engines and both connectors with the proxy.
So the problem is that there is currently no way to exclude which service/engines to register with the proxy, which is actually a feature request. It should be sufficient in this case to leverage connectorPort/connectorAddress to refine which connectors to use and which engines to register, so rather than throwing an exception, we could just exclude an engine without a configured connector.
While at it, the wording for "MODCLUSTER000047: No configured connector matches specified host:port (*:8081)! Ensure connectorPort and/or connectorAddress are configured." is a bit misleading, so that should be updated as well.
> Using "connectorPort" property fails if multiple services are configured in Tomcat
> ----------------------------------------------------------------------------------
>
> Key: MODCLUSTER-711
> URL: https://issues.redhat.com/browse/MODCLUSTER-711
> Project: mod_cluster
> Issue Type: Bug
> Components: Core & Container Integration (Java)
> Affects Versions: 1.4.0.Final
> Reporter: Tomas Briceno Fernandez
> Assignee: Radoslav Husar
> Priority: Major
> Fix For: 2.0.0.Alpha1, 1.4.2.Final
>
>
> If the Tomcat server configuration has several <service> elements and the mod_cluster listener is configured with *connectorPort* (most probably it is the same with *connectorAddress*), the configuration fails with these messages:
> {code}
> 06-Feb-2020 16:11:17.596 INFO [ContainerBackgroundProcessor[StandardEngine[TestEngine]]] org.jboss.modcluster.ModClusterService.connectionEstablished MODCLUSTER000012: TestEngine connector will use /127.0.0.1
> 06-Feb-2020 16:11:17.598 INFO [ContainerBackgroundProcessor[StandardEngine[TestEngine]]] org.jboss.modcluster.ModClusterService.establishJvmRoute MODCLUSTER000011: TestEngine will use 7bb39e02-96c0-3f8f-9fab-d464ad729cfe as jvm-route
> 06-Feb-2020 16:11:17.598 SEVERE [ContainerBackgroundProcessor[StandardEngine[TestEngine]]] org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren Exception invoking periodic operation:
> java.lang.RuntimeException: MODCLUSTER000047: No configured connector matches specified host:port (*:8081)! Ensure connectorPort and/or connectorAddress are configured.
> at org.jboss.modcluster.container.tomcat.ConfigurableProxyConnectorProvider.createProxyConnector(ConfigurableProxyConnectorProvider.java:89)
> at org.jboss.modcluster.container.tomcat.TomcatEngine.getProxyConnector(TomcatEngine.java:140)
> at org.jboss.modcluster.ModClusterService.connectionEstablished(ModClusterService.java:267)
> at org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler.status(DefaultMCMPHandler.java:341)
> at org.jboss.modcluster.mcmp.impl.DefaultMCMPHandler.status(DefaultMCMPHandler.java:315)
> at org.jboss.modcluster.ModClusterService.status(ModClusterService.java:388)
> at org.jboss.modcluster.container.tomcat.TomcatEventHandlerAdapter.lifecycleEvent(TomcatEventHandlerAdapter.java:229)
> at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
> at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1174)
> at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1396)
> at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1368)
> at java.lang.Thread.run(Thread.java:748)
> {code}
> My own code inspection suggests this is because of this loop :
> {code:title=org.jboss.modcluster.ModClusterService}
> @Override
> public void connectionEstablished(InetAddress localAddress) {
>     for (Engine engine : this.server.getEngines()) {
>         Connector connector = engine.getProxyConnector();
>         InetAddress address = connector.getAddress();
>         // Set connector address
>         if ((address == null) || address.isAnyLocalAddress()) {
>             connector.setAddress(localAddress);
>             ModClusterLogger.LOGGER.detectConnectorAddress(engine, localAddress);
>         }
>         this.establishJvmRoute(engine);
>     }
>     this.established = true;
> }
> {code}
> The problem here is that the invocation of *engine.getProxyConnector()* will check if one and only one of the connectors in the engine matches the port configured by *connectorPort*. If more than one service is configured there will be multiple engines and this code will apply the previous condition to all of them. That is, to properly exit this method the port should exist in all engines, which will not happen normally.
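The difference between the reported behaviour and the one proposed in the comment above, as an added Java example that is not mod_cluster's code: `Engine`, `Connector`, `matching`, `registerStrict` and `registerLenient` are hypothetical stand-ins, and the two-engine setup is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

// Hypothetical stand-ins for illustration; not mod_cluster's Engine/Connector types.
public class ConnectorFilterDemo {
    record Connector(int port) {}
    record Engine(String name, List<Connector> connectors) {}

    // Exactly one connector must match the configured port; otherwise empty.
    static Optional<Connector> matching(Engine engine, int connectorPort) {
        List<Connector> hits = engine.connectors().stream()
                .filter(c -> c.port() == connectorPort)
                .toList();
        return hits.size() == 1 ? Optional.of(hits.get(0)) : Optional.empty();
    }

    // Behaviour from the report: the first engine without a match aborts the whole loop.
    static List<String> registerStrict(List<Engine> engines, int connectorPort) {
        List<String> registered = new ArrayList<>();
        for (Engine engine : engines) {
            matching(engine, connectorPort).orElseThrow(() -> new RuntimeException(
                    "No configured connector matches specified host:port (*:" + connectorPort + ")"));
            registered.add(engine.name());
        }
        return registered;
    }

    // Behaviour proposed in the comment: skip engines without a matching connector.
    static List<String> registerLenient(List<Engine> engines, int connectorPort) {
        List<String> registered = new ArrayList<>();
        for (Engine engine : engines) {
            if (matching(engine, connectorPort).isPresent()) {
                registered.add(engine.name());
            } else {
                // Log the exclusion so an unregistered engine is visible to operators.
                System.out.println("Skipping " + engine.name() + ": no connector on port " + connectorPort);
            }
        }
        return registered;
    }

    public static void main(String[] args) {
        // Constructed sample: two <Service> elements, each with its own engine and connector.
        List<Engine> engines = List.of(
                new Engine("Catalina", List.of(new Connector(8080))),
                new Engine("TestEngine", List.of(new Connector(8081))));
        try {
            registerStrict(engines, 8081);
        } catch (RuntimeException e) {
            System.out.println("strict: " + e.getMessage());
        }
        System.out.println("lenient: " + registerLenient(engines, 8081));
    }
}
```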
[JBoss JIRA] (MODCLUSTER-711) Using "connectorPort" property fails if multiple services are configured in Tomcat
by Radoslav Husar (Jira)
[ https://issues.redhat.com/browse/MODCLUSTER-711?page=com.atlassian.jira.p... ]
Radoslav Husar edited comment on MODCLUSTER-711 at 4/15/20 8:57 AM:
--------------------------------------------------------------------
After looking more thoroughly at the code, the usage with multiple services works as expected. For example a config with multiple services each with one connector defined, no connectorPort/connectorAddress defined (thus \*:\* filters out the one connector configured for each service), registers both engines and both connectors with the proxy.
So the problem is that there is currently no way to exclude which service/engines to register with the proxy, which is actually a feature request. It should be sufficient in this case to leverage connectorPort/connectorAddress to refine which connectors to use and which engines to register, so rather than throwing an exception, we could just exclude an engine without a configured connector.
While at it, the wording for "MODCLUSTER000047: No configured connector matches specified host:port (*:8081)! Ensure connectorPort and/or connectorAddress are configured." is a bit misleading, so that should be updated as well.
was (Author: rhusar):
After looking more thoroughly at the code, the usage with multiple services works as expected. For example a config with multiple services each with one connector defined, no connectorPort/connectorAddress defined (thus *:* filters out the one connector configured for each service), registers both engines and both connectors with the proxy.
So the problem is that there is currently no way to exclude which service/engines to register with the proxy, which is actually a feature request. It should be sufficient in this case to leverage connectorPort/connectorAddress to refine which connectors to use and which engines to register, so rather than throwing an exception, we could just exclude an engine without a configured connector.
While at it, the wording for "MODCLUSTER000047: No configured connector matches specified host:port (*:8081)! Ensure connectorPort and/or connectorAddress are configured." is a bit misleading, so that should be updated as well.
[JBoss JIRA] (MODCLUSTER-711) Using "connectorPort" property fails if multiple services are configured in Tomcat
by Radoslav Husar (Jira)
[ https://issues.redhat.com/browse/MODCLUSTER-711?page=com.atlassian.jira.p... ]
Radoslav Husar edited comment on MODCLUSTER-711 at 4/15/20 8:46 AM:
--------------------------------------------------------------------
[~tomas.briceno] I can reproduce the problem.
Can you elaborate what's the use case? The primary usage in mind was to create separate <Engine>s, rather than services. What's the expectation as to which service is supposed to be registered with the LB? And why is not a plurality of Engines used in this use case?
was (Author: rhusar):
[~tomas.briceno] I can reproduce the problem. It appears that mod_cluster has not really been designed around usage of multiple services. Can you elaborate what's the use case? The primary usage in mind was to create separate <Engine>s, rather than services. What's the expectation as to which service is supposed to be registered with the LB? And why is not a plurality of Engines used in this use case?
[JBoss JIRA] (MODCLUSTER-714) support secret="secret" in AJP nodes
by Jean-Frederic Clere (Jira)
[ https://issues.redhat.com/browse/MODCLUSTER-714?page=com.atlassian.jira.p... ]
Jean-Frederic Clere commented on MODCLUSTER-714:
------------------------------------------------
[~rhusar] Nothing is needed on the Java side, sending the secret in MCMP would defeat the purpose of the secret.
> support secret="secret" in AJP nodes
> ------------------------------------
>
> Key: MODCLUSTER-714
> URL: https://issues.redhat.com/browse/MODCLUSTER-714
> Project: mod_cluster
> Issue Type: Bug
> Components: Native (httpd modules)
> Reporter: Jean-Frederic Clere
> Assignee: Jean-Frederic Clere
> Priority: Major
> Fix For: 2.0.0.Alpha1, 1.3.13.Final
>
>
> The CVE-2020-1938 "mitigation" forces the use of a secret between httpd and the back-end.
> {code}
> <Connector port="8009"
>            protocol="AJP/1.3"
>            redirectPort="8443"
>            address="YOUR_TOMCAT_IP_ADDRESS"
>            requiredSecret="YOUR_TOMCAT_AJP_SECRET" />
> {code}
> Actually secret="secret" is supported in mod_proxy_ajp but not in mod_cluster.
> That prevents us using the mitigation.