[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-269) Workers register with balancer on any port it is listening on

Michal Babacek (Updated) (JIRA) jira-events at lists.jboss.org
Fri Dec 9 15:19:40 EST 2011 

     [ https://issues.jboss.org/browse/MODCLUSTER-269?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michal Babacek updated MODCLUSTER-269:
--------------------------------------

    Summary: Workers register with balancer on any port it is listening on  (was: Workers register with balancer on any port it is listening to)

    
> Workers register with balancer on any port it is listening on
> -------------------------------------------------------------
>
>                 Key: MODCLUSTER-269
>                 URL: https://issues.jboss.org/browse/MODCLUSTER-269
>             Project: mod_cluster
>          Issue Type: Bug
>    Affects Versions: 1.1.3.Final
>         Environment: Mod_cluster 1.1.3.Final, x86_64
>            Reporter: Michal Babacek
>            Assignee: Michal Babacek
>              Labels: eap51, eap6, ews, mod_cluster
>
> With this setting on the httpd side:
> {code:title=conf/httpd.conf|borderStyle=solid|borderColor=#ccc| titleBGColor=#F7D6C1}
> #Enable mod_cluster manager
> <Location /mcm>
>     SetHandler mod_cluster-manager
>     Order deny,allow
>     Deny from all
>     #My machine..., NOT matching the worker node
>     Allow from 10.34.3.
> </Location>
> {code}
> {code:title=conf.d/modcluster.conf|borderStyle=solid|borderColor=#ccc| titleBGColor=#F7D6C1}
> Listen 8080
> Listen 6666
> LogLevel debug
> <VirtualHost perf08:6666>
>   ServerName perf08
>   KeepAlive Off
>   KeepAliveTimeout 60
>   MaxKeepAliveRequests 1
>   ManagerBalancerName qacluster
>   AdvertiseGroup 224.0.1.105:23364
>   ServerAdvertise On
>   AdvertiseFrequency 5
> </VirtualHost>
> {code}
> and this on AS7 (worker) side:
> {code:lang=xml|title=standalone-ha.xml|borderStyle=solid|borderColor=#ccc| titleBGColor=#F7D6C1}
>         <subsystem xmlns="urn:jboss:domain:modcluster:1.0">
>             <mod-cluster-config proxy-list="perf08:8080"/>
>         </subsystem>
> {code}
> we get the following behavior:
>  # I can access mod_cluster-manager web console from 10.34.3., it is not possible from the worker node (10.16.88.). Correct.
>  # Worker node (10.16.88.) *{color:red}is able to register{color}* itself with my *perf08* balancer on both the *perf08:6666* and *perf08:8080*.
>  # Even if I use some wild AJP port on the worker side, it self-configures with balancer (sending: "JVMRoute=perf04node&Host=perf04&Port=9989&Type=ajp" as a part of a CONFIG MCMP command.
>  # Worker access / context on my balancer, so filtering contexts is unlikely to by a convenient way of preventing undesired workers to connect.
> Here rises a question:
> How one actually prevent some unknown, wild worker nodes from registering their malicious context with my publicly exposed balancer, if I do not want to (e.g. performance reasons) use certificates for worker authentication?
> The question has risen during EC2 related talk with [~akostadinov]...

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the mod_cluster-issues mailing list