[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-578) mod_proxy_cluster terminates HTTP/2 and talks HTTP/1.1 (https) to WildFly workers

Michal Karm Babacek (JIRA) issues at jboss.org
Fri Jun 8 02:44:00 EDT 2018


     [ https://issues.jboss.org/browse/MODCLUSTER-578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michal Karm Babacek updated MODCLUSTER-578:
-------------------------------------------
    Affects Version/s: 1.3.8.Final


> mod_proxy_cluster terminates HTTP/2 and talks HTTP/1.1 (https) to WildFly workers
> ---------------------------------------------------------------------------------
>
>                 Key: MODCLUSTER-578
>                 URL: https://issues.jboss.org/browse/MODCLUSTER-578
>             Project: mod_cluster
>          Issue Type: Bug
>          Components: Native (httpd modules)
>    Affects Versions: 1.3.6.Final, 1.3.8.Final
>            Reporter: Michal Karm Babacek
>            Assignee: Jean-Frederic Clere
>            Priority: Critical
>
> Despite having H2 enabled in Undertow https connector, Apache HTTP Server with mod_proxy_cluster terminates H2, i.e.
>  * client <--> httpd communication is H2
>  * direct client <--> worker is H2
>  * but when client is served by worker via httpd, HTTP 1.1 is used between httpd and workers: client <--H2--> httpd <--HTTP 1.1--> worker
>  * from the client's point of view, H2 is used, but in fact, it is used just between client and balancer, not all the way to the worker
> h3. From Wildfly Undertow access log:
> Accessed through httpd balancer:
> {code}
> 192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
> 192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
> 192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
> 192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
> {code}
> Balancer is checking worker's availability:
> {code}
> 192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
> 192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
> 192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
> 192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
> {code}
> Accessed directly via browser, httpd balancer is skipped:
> {code}
> 192.168.122.1   - "GET /clusterbench/requestinfo HTTP/2.0" 200 920
> 192.168.122.1   - "GET /clusterbench/requestinfo HTTP/2.0" 200 920
> {code}
> h3. Configuration
> h4. conf.modules.d/00-proxy.conf
> {code}
> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_connect_module modules/mod_proxy_connect.so
> LoadModule proxy_express_module modules/mod_proxy_express.so
> LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
> LoadModule proxy_http_module modules/mod_proxy_http.so
> LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
> LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
> LoadModule proxy_http2_module modules/mod_proxy_http2.so
> {code}
> h4. conf.d/mod_cluster.conf
> {code}
> LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
> LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
> LoadModule manager_module modules/mod_manager.so
> LoadModule advertise_module modules/mod_advertise.so
> LoadModule http2_module modules/mod_http2.so
> MemManagerFile /tmp/mod_cluster-eapx/jbcs-httpd24-2.4/httpd/cache/mod_cluster
> ServerName rhel7GAx86-64:2080
>     SSLEngine on
>     SSLProtocol All -SSLv2 -SSLv3
>     SSLCipherSuite "HIGH MEDIUM !LOW"
>     SSLProxyCipherSuite "HIGH MEDIUM !LOW"
>     SSLProxyCheckPeerCN Off
>     SSLProxyCheckPeerName Off
>     SSLHonorCipherOrder On
>     SSLCertificateFile /opt/noe-tests/resources/ssl/proper/server.crt
>     SSLCertificateKeyFile /opt/noe-tests/resources/ssl/proper/server.key
>     SSLCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
>     SSLVerifyClient optional
>     SSLProxyVerify optional
>     SSLProxyEngine On
>     SSLVerifyDepth 10
>     SSLProxyVerifyDepth 10
>     SSLProxyMachineCertificateFile /opt/noe-tests/resources/ssl/proper/client.pem
>     SSLProxyCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
>     SSLProxyProtocol All -SSLv2 -SSLv3
> EnableOptions
> LogLevel debug
> <IfModule manager_module>
>     Listen 192.168.122.172:8747
>     <VirtualHost 192.168.122.172:8747>
>         <Directory />
>             Require all granted
>         </Directory>
>         ServerAdvertise on
>         EnableMCPMReceive
>         <Location /mcm>
>             SetHandler mod_cluster-manager
>             Require all granted
>         </Location>
>         AdvertiseGroup 224.0.5.172:62844
>         AdvertiseBindAddress 192.168.122.172:62844
>         SSLEngine on
>         SSLProtocol All -SSLv2 -SSLv3
>         SSLCipherSuite "HIGH MEDIUM !LOW"
>         SSLProxyCipherSuite "HIGH MEDIUM !LOW"
>         SSLProxyCheckPeerCN Off
>         SSLProxyCheckPeerName Off
>         SSLHonorCipherOrder On
>         SSLCertificateFile /opt/noe-tests/resources/ssl/proper/server.crt
>         SSLCertificateKeyFile /opt/noe-tests/resources/ssl/proper/server.key
>         SSLCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
>         SSLVerifyClient optional
>         SSLProxyVerify optional
>         SSLProxyEngine On
>         SSLVerifyDepth 10
>         SSLProxyVerifyDepth 10
>         SSLProxyMachineCertificateFile /opt/noe-tests/resources/ssl/proper/client.pem
>         SSLProxyCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
>         SSLProxyProtocol All -SSLv2 -SSLv3
>         Protocols h2
>         ProtocolsHonorOrder on
>         KeepAliveTimeout 60
>         MaxKeepAliveRequests 0
>         ServerAdvertise on
>         AdvertiseFrequency 5
>         ManagerBalancerName qacluster
>     </VirtualHost>
> </IfModule>
> {code}
> h3. Mod_cluster subsystem
> MCMP uses HTTP 1.1 (https), because at the moment, one cannot make it use the wildfly-openssl provider: JBEAP-9688



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
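
Added example, not part of the original report or of mod_cluster: a Python check that applies the report's method (reading the worker's access log) to separate proxied requests, balancer availability probes and direct requests, and to flag an HTTP/1.x proxy-to-worker hop. The function names and the balancer address set are assumptions; the sample lines are constructed in the shape of the excerpts above.

```python
import re
from collections import Counter

# Line shape taken from the access log excerpts in the report:
#   <remote-ip> - "<METHOD> <target> HTTP/<version>" <status> <bytes or ->
LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s+-\s+"(?P<method>[A-Z]+) (?P<target>\S+) '
    r'HTTP/(?P<ver>\d(?:\.\d)?)"\s+(?P<status>\d{3})\s+(?P<size>\d+|-)\s*$'
)

# Constructed sample: same shape as the report's excerpts, plus one malformed line.
SAMPLE_LOG = """\
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
192.168.122.1   - "GET /clusterbench/requestinfo HTTP/2.0" 200 920
garbage line that does not match
"""

def summarize(log_text, balancer_ips):
    """Count HTTP versions per traffic class; balancer_ips is supplied by the operator."""
    summary = {"proxied": Counter(), "probes": Counter(),
               "direct": Counter(), "unparsed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            summary["unparsed"].append(line)  # keep for review, never guess
            continue
        if m["ip"] not in balancer_ips:
            bucket = "direct"
        elif m["method"] == "OPTIONS" and m["target"] == "*":
            bucket = "probes"  # balancer availability check, not client traffic
        else:
            bucket = "proxied"
        summary[bucket][m["ver"]] += 1
    return summary

def backend_hop_below_h2(summary):
    """True when any proxied application request reached the worker as HTTP/1.x."""
    return any(not ver.startswith("2") for ver in summary["proxied"])

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, balancer_ips={"192.168.122.172"})
    print(s, "backend hop below H2:", backend_hop_below_h2(s))
```

Keeping the `OPTIONS *` probes in their own class matters because they are HTTP/1.0 by design in this log and would otherwise skew the result for client traffic.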

