[JBoss JIRA] (MODCLUSTER-579) mod_proxy_cluster terminates HTTP/2 and talks HTTP/1.1 (https) to Wildfly workers
by Michal Karm Babacek (JIRA)
Michal Karm Babacek created MODCLUSTER-579:
----------------------------------------------
Summary: mod_proxy_cluster terminates HTTP/2 and talks HTTP/1.1 (https) to Wildfly workers
Key: MODCLUSTER-579
URL: https://issues.jboss.org/browse/MODCLUSTER-579
Project: mod_cluster
Issue Type: Bug
Components: Native (httpd modules)
Affects Versions: 1.3.6.Final
Reporter: Michal Karm Babacek
Assignee: Jean-Frederic Clere
Priority: Critical
Despite having H2 enabled in Undertow https connector, Apache HTTP Server with mod_proxy-cluster terminates H2, i.e.
* client <--> httpd communication is H2
* direct client <--> worker is H2
* but when client is served by worker via httpd, HTTP 1.1 is used between httpd and workers: client <--H2--> httpd <--HTTP 1.1--> worker
* from the client's point of view, H2 is used, but in fact, it is used just between client and balacer, not all the way to the worker
h3. From Wildfly Undertow access log:
Accessed through httpd balacner:
{code}
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
{code}
Balancer is checking worker's availablity:
{code}
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
{code}
{code}
Accessed directly via browser, httpd balancer is skipped:
192.168.122.1 - "GET /clusterbench/requestinfo HTTP/2.0" 200 920
192.168.122.1 - "GET /clusterbench/requestinfo HTTP/2.0" 200 920
{code}
h3. Configuration
h4. conf.modules.d/00-proxy.conf
{code}
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
{code}
h4. conf.d/mod_cluster.conf
{code}
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so
LoadModule http2_module modules/mod_http2.so
MemManagerFile /tmp/mod_cluster-eapx/jbcs-httpd24-2.4/httpd/cache/mod_cluster
ServerName rhel7GAx86-64:2080
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite "HIGH MEDIUM !LOW"
SSLProxyCipherSuite "HIGH MEDIUM !LOW"
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLHonorCipherOrder On
SSLCertificateFile /opt/noe-tests/resources/ssl/proper/server.crt
SSLCertificateKeyFile /opt/noe-tests/resources/ssl/proper/server.key
SSLCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
SSLVerifyClient optional
SSLProxyVerify optional
SSLProxyEngine On
SSLVerifyDepth 10
SSLProxyVerifyDepth 10
SSLProxyMachineCertificateFile /opt/noe-tests/resources/ssl/proper/client.pem
SSLProxyCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
SSLProxyProtocol All -SSLv2 -SSLv3
EnableOptions
LogLevel debug
<IfModule manager_module>
Listen 192.168.122.172:8747
<VirtualHost 192.168.122.172:8747>
<Directory />
Require all granted
</Directory>
ServerAdvertise on
EnableMCPMReceive
<Location /mcm>
SetHandler mod_cluster-manager
Require all granted
</Location>
AdvertiseGroup 224.0.5.172:62844
AdvertiseBindAddress 192.168.122.172:62844
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite "HIGH MEDIUM !LOW"
SSLProxyCipherSuite "HIGH MEDIUM !LOW"
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLHonorCipherOrder On
SSLCertificateFile /opt/noe-tests/resources/ssl/proper/server.crt
SSLCertificateKeyFile /opt/noe-tests/resources/ssl/proper/server.key
SSLCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
SSLVerifyClient optional
SSLProxyVerify optional
SSLProxyEngine On
SSLVerifyDepth 10
SSLProxyVerifyDepth 10
SSLProxyMachineCertificateFile /opt/noe-tests/resources/ssl/proper/client.pem
SSLProxyCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
SSLProxyProtocol All -SSLv2 -SSLv3
Protocols h2
ProtocolsHonorOrder on
KeepAliveTimeout 60
MaxKeepAliveRequests 0
ServerAdvertise on
AdvertiseFrequency 5
ManagerBalancerName qacluster
</VirtualHost>
</IfModule>
{code}
h3. Mod_cluster subsystem
MCMP uses HTTP 1/1 (https), becasue at the moment, one cannot make it to use wildfly-openssl provider: JBEAP-9688
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)