Uploaded image for project: 'JBoss Core Services'
  1. JBoss Core Services
  2. JBCS-327

mod_proxy_cluster terminates HTTP/2 and talks HTTP/1.1 (https) to workers

    XMLWordPrintable

Details

    • Bug
    • Resolution: Won't Do
    • Critical
    • None
    • httpd 2.4.23 GA
    • mod_cluster-native
    • None

    Description

      Despite having H2 enabled in Undertow https connector, Apache HTTP Server with mod_proxy-cluster terminates H2, i.e.

      • client <--> httpd communication is H2
      • direct client <--> worker is H2
      • but when client is served by worker via httpd, HTTP 1.1 is used between httpd and workers: client <-H2> httpd <HTTP 1.1-> worker
      • from the client's point of view, H2 is used, but in fact, it is used just between client and balacer, not all the way to the worker

      From Wildfly Undertow access log:

      Accessed through httpd balacner:

      192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399
192.168.122.172 - "GET /clusterbench/requestinfo HTTP/1.1" 200 1399

      Balancer is checking worker's availablity:

      192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -
192.168.122.172 - "OPTIONS * HTTP/1.0" 200 -

      Accessed directly via browser, httpd balancer is skipped:
192.168.122.1   - "GET /clusterbench/requestinfo HTTP/2.0" 200 920
192.168.122.1   - "GET /clusterbench/requestinfo HTTP/2.0" 200 920

      Configuration

      conf.modules.d/00-proxy.conf

      LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so

      conf.d/mod_cluster.conf

      LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so
LoadModule http2_module modules/mod_http2.so

MemManagerFile /tmp/mod_cluster-eapx/jbcs-httpd24-2.4/httpd/cache/mod_cluster

ServerName rhel7GAx86-64:2080
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite "HIGH MEDIUM !LOW"
    SSLProxyCipherSuite "HIGH MEDIUM !LOW"
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    SSLHonorCipherOrder On
    SSLCertificateFile /opt/noe-tests/resources/ssl/proper/server.crt
    SSLCertificateKeyFile /opt/noe-tests/resources/ssl/proper/server.key
    SSLCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
    SSLVerifyClient optional
    SSLProxyVerify optional
    SSLProxyEngine On
    SSLVerifyDepth 10
    SSLProxyVerifyDepth 10
    SSLProxyMachineCertificateFile /opt/noe-tests/resources/ssl/proper/client.pem
    SSLProxyCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
    SSLProxyProtocol All -SSLv2 -SSLv3

EnableOptions  
LogLevel debug
<IfModule manager_module>
Listen 192.168.122.172:8747
 <VirtualHost 192.168.122.172:8747>
    <Directory />
Require all granted
    </Directory>
    ServerAdvertise on
    EnableMCPMReceive
<Location /mcm>
      SetHandler mod_cluster-manager
Require all granted
   </Location>
AdvertiseGroup 224.0.5.172:62844
AdvertiseBindAddress 192.168.122.172:62844
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite "HIGH MEDIUM !LOW"
    SSLProxyCipherSuite "HIGH MEDIUM !LOW"
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    SSLHonorCipherOrder On
    SSLCertificateFile /opt/noe-tests/resources/ssl/proper/server.crt
    SSLCertificateKeyFile /opt/noe-tests/resources/ssl/proper/server.key
    SSLCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
    SSLVerifyClient optional
    SSLProxyVerify optional
    SSLProxyEngine On
    SSLVerifyDepth 10
    SSLProxyVerifyDepth 10
    SSLProxyMachineCertificateFile /opt/noe-tests/resources/ssl/proper/client.pem
    SSLProxyCACertificateFile /opt/noe-tests/resources/ssl/proper/myca.crt
    SSLProxyProtocol All -SSLv2 -SSLv3

Protocols h2
ProtocolsHonorOrder on
KeepAliveTimeout 60
MaxKeepAliveRequests 0
ServerAdvertise on
AdvertiseFrequency 5
ManagerBalancerName qacluster

</VirtualHost>
</IfModule>

      Mod_cluster subsystem

      MCMP uses HTTP 1/1 (https), becasue at the moment, one cannot make it to use wildfly-openssl provider: JBEAP-9688

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. MODCLUSTER-578 mod_proxy_cluster terminates HTTP/2 and talks HTTP/1.1 (https) to WildFly/Tomcat workers

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              rhn-engineering-jclere Jean-Frederic Clere
              mbabacek1@redhat.com Michal Karm
              Michal Karm Michal Karm
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: