[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-578) mod_proxy_cluster terminates HTTP/2 and talks HTTP/1.1 (https) to Wildfly workers

Michal Karm Babacek (JIRA) issues at jboss.org
Fri Apr 7 09:11:00 EDT 2017


Michal Karm Babacek created MODCLUSTER-578:
----------------------------------------------

             Summary: mod_proxy_cluster terminates HTTP/2 and talks HTTP/1.1 (https) to Wildfly workers
                 Key: MODCLUSTER-578
                 URL: https://issues.jboss.org/browse/MODCLUSTER-578
             Project: mod_cluster
          Issue Type: Bug
          Components: Native (httpd modules)
    Affects Versions: 1.3.6.Final
            Reporter: Michal Karm Babacek
            Assignee: Jean-Frederic Clere
            Priority: Blocker


Despite having H2 enabled in the Undertow https connector, Apache HTTP Server with mod_proxy_cluster terminates H2, i.e.

 * client <--> httpd communication is H2
 * direct client <--> worker is H2
 * but when client is served by worker via httpd, HTTP 1.1 is used between httpd and workers: client <--H2--> httpd <--HTTP 1.1--> worker
 * from the client's point of view, H2 is used, but in fact, it is used just between client and balancer, not all the way to the worker

h3. From Wildfly Undertow access log:
Accessed through httpd balancer:
{code}
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
{code}
Balancer is checking worker's availability:
{code}
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
{code}
Accessed directly via browser, httpd balancer is skipped:
{code}
192.168.122.1   - "GET /clusterbench/requestinfo HTTP/2.0" 200 920
192.168.122.1   - "GET /clusterbench/requestinfo HTTP/2.0" 200 920
{code}

h3. Configuration
h4. conf.modules.d/00-proxy.conf
{code}
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
{code}
h4. conf.d/mod_cluster.conf
{code}
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so
LoadModule http2_module modules/mod_http2.so

MemManagerFile /tmp/mod_cluster-eapx/jbcs-httpd24-2.4/httpd/cache/mod_cluster

ServerName rhel7GAx86-64:2080
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite "HIGH MEDIUM !LOW"
SSLProxyCipherSuite "HIGH MEDIUM !LOW"
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLHonorCipherOrder On
SSLCertificateFile /opt/noe-tests/resources/ssl/proper/server.crt
SSLCertificateKeyFile /opt/noe-tests/resources/ssl/proper/server.key
SSLCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
SSLVerifyClient optional
SSLProxyVerify optional
SSLProxyEngine On
SSLVerifyDepth 10
SSLProxyVerifyDepth 10
SSLProxyMachineCertificateFile /opt/noe-tests/resources/ssl/proper/client.pem
SSLProxyCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
SSLProxyProtocol All -SSLv2 -SSLv3

EnableOptions
LogLevel debug
<IfModule manager_module>
    Listen 192.168.122.172:8747
    <VirtualHost 192.168.122.172:8747>
        <Directory />
            Require all granted
        </Directory>
        ServerAdvertise on
        EnableMCPMReceive
        <Location /mcm>
            SetHandler mod_cluster-manager
            Require all granted
        </Location>
        AdvertiseGroup 224.0.5.172:62844
        AdvertiseBindAddress 192.168.122.172:62844
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLCipherSuite "HIGH MEDIUM !LOW"
        SSLProxyCipherSuite "HIGH MEDIUM !LOW"
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off
        SSLHonorCipherOrder On
        SSLCertificateFile /opt/noe-tests/resources/ssl/proper/server.crt
        SSLCertificateKeyFile /opt/noe-tests/resources/ssl/proper/server.key
        SSLCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
        SSLVerifyClient optional
        SSLProxyVerify optional
        SSLProxyEngine On
        SSLVerifyDepth 10
        SSLProxyVerifyDepth 10
        SSLProxyMachineCertificateFile /opt/noe-tests/resources/ssl/proper/client.pem
        SSLProxyCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
        SSLProxyProtocol All -SSLv2 -SSLv3

        Protocols h2
        ProtocolsHonorOrder on
        KeepAliveTimeout 60
        MaxKeepAliveRequests 0
        ServerAdvertise on
        AdvertiseFrequency 5
        ManagerBalancerName qacluster

    </VirtualHost>
</IfModule>
{code}

h3. Mod_cluster subsystem
MCMP uses HTTP 1.1 (https), because at the moment, one cannot make it use the wildfly-openssl provider: JBEAP-9688



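An added example, not part of the original report or of mod_cluster: a small check over a worker's Undertow access log, in the line layout quoted above, that lists which peers only ever reach the worker over HTTP/1.x. The function names are hypothetical, the sample lines are taken from the excerpts in the report, and the balancer's `OPTIONS *` availability probes are counted separately so they do not mask or inflate the result.

```python
import re
from collections import defaultdict

# Sample lines in the Undertow access-log layout quoted in the report.
SAMPLE_LOG = """\
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
192.168.122.1   - "GET /clusterbench/requestinfo HTTP/2.0" 200 920
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
"""

LINE_RE = re.compile(
    r'^(?P<peer>\S+)\s+-\s+"(?P<method>[A-Z]+) (?P<target>\S+) '
    r'(?P<proto>HTTP/\d(?:\.\d)?)"\s+(?P<status>\d{3})\s+(?P<size>\d+|-)\s*$'
)


def protocols_by_peer(log_text):
    """Return {peer: {protocol: count}}.

    'OPTIONS *' requests are the balancer's availability probes and are
    counted under the key 'probe' instead of their HTTP version.
    """
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected layout
        if m["method"] == "OPTIONS" and m["target"] == "*":
            stats[m["peer"]]["probe"] += 1
        else:
            stats[m["peer"]][m["proto"]] += 1
    return {peer: dict(counts) for peer, counts in stats.items()}


def downgraded_peers(log_text, expected="HTTP/2.0"):
    """Peers that sent application requests but never used `expected`."""
    result = []
    for peer, counts in protocols_by_peer(log_text).items():
        app = {p: n for p, n in counts.items() if p != "probe"}
        if app and expected not in app:
            result.append(peer)
    return sorted(result)


if __name__ == "__main__":
    for peer, counts in protocols_by_peer(SAMPLE_LOG).items():
        print(peer, counts)
    print("HTTP/1.x-only peers:", downgraded_peers(SAMPLE_LOG))
```
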