JBoss Enterprise Application Platform / JBEAP-217

Undertow mod_cluster proxy does not offer any Client HTTPS configuration

    • Bug
    • Resolution: Done
    • Blocker
    • 7.0.0.DR9
    • 7.0.0.DR2
    • Undertow

      Try to configure bidirectional HTTPS communication between Undertow mod_cluster proxy and its workers.

      Undertow mod_cluster proxy acts both as a server and as a client in relation to its workers.

      While the server configuration is quite straightforward:

      +++
      <system-properties>
          <property name="javax.net.ssl.trustStore" value="/vault/ca-cert.jks"/>
          <property name="javax.net.ssl.trustStorePassword" value="tomcat"/>
      </system-properties>
      +++
      <security-realm name="UndertowRealm">
          <server-identities>
              <ssl>
                  <keystore path="/vault/server-cert-key.jks"  keystore-password="tomcat" alias="javaserver" key-password="tomcat"/>
              </ssl>
          </server-identities>
      </security-realm>
      +++
      <https-listener name="https" socket-binding="https" security-realm="UndertowRealm"/>
      +++
      

      with management-socket-binding="https" and advertise-protocol="https" set, it seems there is no way to configure certs and keys for the client role of the Undertow mod_cluster proxy implementation.

      With the current implementation, a worker can connect to the Undertow mod_cluster proxy, i.e. it can send CONFIG and STATUS MCMP messages, but when the Undertow mod_cluster proxy needs to act as a client, sending a STATUS-RSP message to the worker, it does not have the necessary HTTPS setup:

      DEBUG [io.undertow] (default I/O-5) UT005055: HttpClientPingTask run for connection: https://192.168.0.122:8544/?#
      DEBUG [io.undertow.server.handlers.proxy.ProxyHandler] (default I/O-5) No proxy target for request to https://192.168.0.122:8443/
      DEBUG [io.undertow] (default task-7) UT005056: Received node load in STATUS message, node jvmRoute: worker-1, load: 80
      DEBUG [io.undertow.request] (default I/O-5) Failed to connect: java.io.IOException: UT000065: SSL must be specified to connect to a https URL
          at io.undertow.client.http.HttpClientProvider.connect(HttpClientProvider.java:93)
          at io.undertow.client.UndertowClient.connect(UndertowClient.java:158)
          at io.undertow.server.handlers.proxy.ProxyConnectionPool.openConnection(ProxyConnectionPool.java:233)
          at io.undertow.server.handlers.proxy.ProxyConnectionPool.connect(ProxyConnectionPool.java:446)
          at io.undertow.server.handlers.proxy.mod_cluster.NodePingUtil$1.run(NodePingUtil.java:140)
          at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:560)
          at org.xnio.nio.WorkerThread.run(WorkerThread.java:462)
      

      The HTTPS communication between Undertow mod_cluster proxy and its workers needs to be bidirectional.

      If I'm just missing an obvious configuration option, please shout, throw rocks and close this JIRA.

      Thank you for your time looking into it.

            mbabacek1@redhat.com Michal Karm