[jboss-jira] [JBoss JIRA] (WFLY-4730) Undertow mod_cluster proxy does not offer any Client HTTPS configuration
Kabir Khan (JIRA)
issues at jboss.org
Wed Dec 6 11:20:43 EST 2017
[ https://issues.jboss.org/browse/WFLY-4730?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kabir Khan closed WFLY-4730.
----------------------------
> Undertow mod_cluster proxy does not offer any Client HTTPS configuration
> ------------------------------------------------------------------------
>
> Key: WFLY-4730
> URL: https://issues.jboss.org/browse/WFLY-4730
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 9.0.0.CR1, 10.0.0.Alpha2
> Reporter: Michal Karm Babacek
> Assignee: Stuart Douglas
> Priority: Blocker
> Fix For: 10.0.0.Alpha3
>
>
> Undertow mod_cluster proxy acts both as a *server* and as a *client* in relation to its workers.
> While the *server* configuration is quite straightforward:
> {code:xml}
> +++
> <system-properties>
>     <property name="javax.net.ssl.trustStore" value="/vault/ca-cert.jks"/>
>     <property name="javax.net.ssl.trustStorePassword" value="tomcat"/>
> </system-properties>
> +++
> <security-realm name="UndertowRealm">
>     <server-identities>
>         <ssl>
>             <keystore path="/vault/server-cert-key.jks" keystore-password="tomcat" alias="javaserver" key-password="tomcat"/>
>         </ssl>
>     </server-identities>
> </security-realm>
> +++
> <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
> +++
> {code}
> with {{management-socket-binding="https"}} and {{advertise-protocol="https"}} set, it seems there is no way to configure certs and keys for the *client* role of the Undertow mod_cluster proxy implementation.
> With the current implementation, a *worker* can connect to the Undertow mod_cluster proxy, i.e. it can send {{CONFIG}} and {{STATUS}} MCMP messages, but when the Undertow mod_cluster proxy needs to act as a *client*, sending a {{STATUS-RSP}} message to the *worker*, it does not have the necessary HTTPS setup:
> {noformat}
> DEBUG [io.undertow] (default I/O-5) UT005055: HttpClientPingTask run for connection: https://192.168.0.122:8544/?#
> DEBUG [io.undertow.server.handlers.proxy.ProxyHandler] (default I/O-5) No proxy target for request to https://192.168.0.122:8443/
> DEBUG [io.undertow] (default task-7) UT005056: Received node load in STATUS message, node jvmRoute: worker-1, load: 80
> DEBUG [io.undertow.request] (default I/O-5) Failed to connect: java.io.IOException: UT000065: SSL must be specified to connect to a https URL
>     at io.undertow.client.http.HttpClientProvider.connect(HttpClientProvider.java:93)
>     at io.undertow.client.UndertowClient.connect(UndertowClient.java:158)
>     at io.undertow.server.handlers.proxy.ProxyConnectionPool.openConnection(ProxyConnectionPool.java:233)
>     at io.undertow.server.handlers.proxy.ProxyConnectionPool.connect(ProxyConnectionPool.java:446)
>     at io.undertow.server.handlers.proxy.mod_cluster.NodePingUtil$1.run(NodePingUtil.java:140)
>     at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:560)
>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:462)
> {noformat}
> The HTTPS communication between Undertow mod_cluster proxy and its workers needs to be bidirectional.
> If I'm just missing any obvious configuration option, please, shout, throw rocks and close this JIRA :)
> Thank you for your time looking into it.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
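
A log-triage sketch for the asymmetry the report describes (workers reach the proxy over HTTPS, but the proxy's own outbound connections fail with UT000065). This is an added example, not part of the original message or of Undertow/WildFly; the function name `triage`, the report layout and the pairing of a failure with the last ping target seen on the same I/O thread are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: DEBUG lines taken from the report, stack trace trimmed to two frames.
SAMPLE_LOG = """\
DEBUG [io.undertow] (default I/O-5) UT005055: HttpClientPingTask run for connection: https://192.168.0.122:8544/?#
DEBUG [io.undertow] (default task-7) UT005056: Received node load in STATUS message, node jvmRoute: worker-1, load: 80
DEBUG [io.undertow.request] (default I/O-5) Failed to connect: java.io.IOException: UT000065: SSL must be specified to connect to a https URL
\tat io.undertow.client.http.HttpClientProvider.connect(HttpClientProvider.java:93)
\tat io.undertow.server.handlers.proxy.mod_cluster.NodePingUtil$1.run(NodePingUtil.java:140)
"""

LINE = re.compile(r"^\w+\s+\[[^\]]+\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$")
PING = re.compile(r"UT005055: HttpClientPingTask run for connection: (\S+)")
STATUS = re.compile(r"UT005056: .*jvmRoute: ([^,\s]+)")


def triage(log_text):
    """Split the log into inbound STATUS reports and outbound TLS client failures."""
    last_ping = {}   # thread name -> last health-check target seen on that thread
    report = {"inbound_status_from": [], "outbound_tls_failures": []}
    current = None   # failure whose stack frames are being read
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("at ") and current is not None:
            # A NodePingUtil frame ties the failure to the proxy's client role.
            if "mod_cluster.NodePingUtil" in line:
                current["from_node_ping"] = True
            continue
        current = None
        m = LINE.match(line)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        if (p := PING.search(msg)):
            u = urlsplit(p[1])
            last_ping[thread] = f"{u.scheme}://{u.netloc}"
        elif (s := STATUS.search(msg)):
            report["inbound_status_from"].append(s[1])
        elif "UT000065" in msg:
            # Heuristic (assumption): pair with the last ping on the same thread.
            current = {"thread": thread, "target": last_ping.get(thread),
                       "from_node_ping": False}
            report["outbound_tls_failures"].append(current)
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A worker that appears under `inbound_status_from` while its address also appears under `outbound_tls_failures` is the one-directional HTTPS setup the report is about.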