2012-11-13 47 views
1

I am using mod_cluster 1.2 as the load balancer and JBoss AS7 as the nodes. I have configured the AJP connector in JBoss, and mod_cluster connects to the JBoss nodes. The mod_cluster HTTPS redirect does not work once the application server has registered.

I want to achieve the following: Client <--HTTPS--> Balancer <--AJP--> JBoss

Here is my mod_cluster configuration:

LoadModule actions_module modules/mod_actions.so 
LoadModule alias_module modules/mod_alias.so 
LoadModule asis_module modules/mod_asis.so 
LoadModule auth_basic_module modules/mod_auth_basic.so 
LoadModule authn_default_module modules/mod_authn_default.so 
LoadModule authn_file_module modules/mod_authn_file.so 
LoadModule authz_default_module modules/mod_authz_default.so 
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so 
LoadModule authz_host_module modules/mod_authz_host.so 
LoadModule authz_user_module modules/mod_authz_user.so 
LoadModule autoindex_module modules/mod_autoindex.so 
LoadModule cgi_module modules/mod_cgi.so 
LoadModule dir_module modules/mod_dir.so 
LoadModule env_module modules/mod_env.so 
LoadModule include_module modules/mod_include.so 
LoadModule isapi_module modules/mod_isapi.so 
LoadModule log_config_module modules/mod_log_config.so 
LoadModule mime_module modules/mod_mime.so 
LoadModule negotiation_module modules/mod_negotiation.so 
LoadModule rewrite_module modules/mod_rewrite.so 
LoadModule setenvif_module modules/mod_setenvif.so 
LoadModule ssl_module modules/mod_ssl.so 

LoadModule proxy_module modules/mod_proxy.so 
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so 
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so 
LoadModule manager_module modules/mod_manager.so 
LoadModule slotmem_module modules/mod_slotmem.so 
LoadModule advertise_module modules/mod_advertise.so 

LogLevel debug 

ServerName localhost 

<IfModule manager_module> 
    Listen 127.0.0.1:6666 
    ManagerBalancerName mycluster 
    <VirtualHost 127.0.0.1:6666> 

    <Location /> 
    Order deny,allow 
    Allow from all 
    </Location> 

    <Location /mcm> 
     SetHandler mod_cluster-manager 
     Order deny,allow 
     Deny from all 
     Allow from 127.0.0 
    </Location> 

    KeepAliveTimeout 300 
    MaxKeepAliveRequests 0 
    AdvertiseFrequency 5 
    EnableMCPMReceive 

    </VirtualHost> 
</IfModule> 

Listen 80 
<VirtualHost *:80> 
RewriteEngine on 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L] 
</VirtualHost> 

    Listen 443 
    <VirtualHost *:443> 
    <Location /> 
    Order deny,allow 
    Allow from all 
    </Location> 

    SSLEngine On 
    SSLCACertificateFile C:/work/certs/gs/root.pem 
    SSLCertificateChainFile C:/work/certs/gs/inter.pem 
    SSLCertificateFile C:/work/certs/gs/kc.pem 
    SSLCertificateKeyFile C:/work/certs/gs/key.key 

    </VirtualHost> 

When JBoss is not registered with mod_cluster and I try http://localhost, it is redirected to https://localhost. But when the JBoss node registers, the HTTPS redirect does not work. It only opens the page in HTTP mode. Please help me resolve this.

Edit:

As per karm's suggestion I have configured the Worker <--HTTPS--> Balancer setup. But the result is still the same: when JBoss registers with m_c, the redirect does not work.

Here is my m_c configuration:

LoadModule actions_module modules/mod_actions.so 
LoadModule alias_module modules/mod_alias.so 
LoadModule asis_module modules/mod_asis.so 
LoadModule auth_basic_module modules/mod_auth_basic.so 
LoadModule authn_default_module modules/mod_authn_default.so 
LoadModule authn_file_module modules/mod_authn_file.so 
LoadModule authz_default_module modules/mod_authz_default.so 
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so 
LoadModule authz_host_module modules/mod_authz_host.so 
LoadModule authz_user_module modules/mod_authz_user.so 
LoadModule autoindex_module modules/mod_autoindex.so 
LoadModule cgi_module modules/mod_cgi.so 
LoadModule dir_module modules/mod_dir.so 
LoadModule env_module modules/mod_env.so 
LoadModule include_module modules/mod_include.so 
LoadModule isapi_module modules/mod_isapi.so 
LoadModule log_config_module modules/mod_log_config.so 
LoadModule mime_module modules/mod_mime.so 
LoadModule negotiation_module modules/mod_negotiation.so 
LoadModule rewrite_module modules/mod_rewrite.so 
LoadModule setenvif_module modules/mod_setenvif.so 
LoadModule ssl_module modules/mod_ssl.so 


LoadModule proxy_module modules/mod_proxy.so 
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so 
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so 
LoadModule manager_module modules/mod_manager.so 
LoadModule slotmem_module modules/mod_slotmem.so 
LoadModule advertise_module modules/mod_advertise.so 


ErrorLog "logs/error_log" 
LogLevel debug 


ServerName localhost 


Listen 8800 
<VirtualHost 127.0.0.1:8800> 
RewriteEngine on 
RewriteCond %{SERVER_PORT} !^8888$ 
RewriteRule ^(.*) https://%{SERVER_NAME}:8888%{REQUEST_URI} 
</VirtualHost> 


<IfModule manager_module> 
    Listen 8888 
    ManagerBalancerName qacluster 
    <VirtualHost 127.0.0.1:8888> 
    <Directory /> 
     Order deny,allow 
     Deny from all 
     Allow from all 
    </Directory> 


    KeepAliveTimeout 300 
    MaxKeepAliveRequests 0 
    AdvertiseFrequency 5 
    EnableMCPMReceive 


    #ServerAdvertise on 
    #AdvertiseGroup 224.0.1.105:6666 


    <Location /mcm> 
     SetHandler mod_cluster-manager 
     Order deny,allow 
     Deny from all 
     Allow from all 
    </Location> 


    SSLEngine On 
    SSLCACertificateFile C:/work/certs/gs/gs_root.pem 
    SSLCertificateChainFile C:/work/certs/gs/gs_inter.pem 
    SSLCertificateFile C:/work/certs/gs/kc.pem 
    SSLCertificateKeyFile C:/work/certs/gs/kc.key 


    </VirtualHost> 
</IfModule> 

The JBoss configuration:

<subsystem xmlns="urn:jboss:domain:modcluster:1.0"> 
     <mod-cluster-config proxy-list="127.0.0.1:8888" advertise="false" excluded-contexts="admin-console,invoker,jbossws,jmx-console,juddi,web-console"> 
      <ssl key-alias="1" password="changeit" certificate-key-file="C:\Users\jai\.keystore" ca-certificate-file="C:\work\certs\gs\ca.jks"/> 
     </mod-cluster-config> 
    </subsystem> 

After JBoss registers with m_c, the link http://localhost:8800/mcm itself does not work.

Here is the m_c debug log:

[Tue Nov 20 11:43:13 2012] [info] Init: Seeding PRNG with 0 bytes of entropy 
[Tue Nov 20 11:43:13 2012] [info] Loading certificate & private key of SSL-aware server 
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required 
[Tue Nov 20 11:43:13 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits) 
[Tue Nov 20 11:43:13 2012] [info] Init: Generating temporary DH parameters (512/1024 bits) 
[Tue Nov 20 11:43:13 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache] 
[Tue Nov 20 11:43:13 2012] [info] Init: Initializing (virtual) servers for SSL 
[Tue Nov 20 11:43:13 2012] [info] Configuring server for SSL protocol 
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1) 
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(601): Configuring client authentication 
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate) 
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling 
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate 
[Tue Nov 20 11:43:13 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key 
[Tue Nov 20 11:43:13 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r 
[Tue Nov 20 11:43:13 2012] [info] Init: Seeding PRNG with 0 bytes of entropy 
[Tue Nov 20 11:43:14 2012] [info] Loading certificate & private key of SSL-aware server 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required 
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits) 
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary DH parameters (512/1024 bits) 
[Tue Nov 20 11:43:14 2012] [info] Init: Initializing (virtual) servers for SSL 
[Tue Nov 20 11:43:14 2012] [info] Configuring server for SSL protocol 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1) 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(601): Configuring client authentication 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate) 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key 
[Tue Nov 20 11:43:14 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r 
[Tue Nov 20 11:43:14 2012] [notice] Advertise initialized for process 6148 
[Tue Nov 20 11:43:14 2012] [notice] Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0g mod_cluster/1.2.0.Final configured -- resuming normal operations 
[Tue Nov 20 11:43:14 2012] [notice] Server built: Feb 9 2012 22:24:33 
[Tue Nov 20 11:43:14 2012] [notice] Parent: Created child process 5660 
[Tue Nov 20 11:43:14 2012] [debug] mpm_winnt.c(477): Parent: Sent the scoreboard to the child 
[Tue Nov 20 11:43:14 2012] [info] Init: Seeding PRNG with 0 bytes of entropy 
[Tue Nov 20 11:43:14 2012] [info] Loading certificate & private key of SSL-aware server 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required 
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits) 
[Tue Nov 20 11:43:14 2012] [info] Init: Generating temporary DH parameters (512/1024 bits) 
[Tue Nov 20 11:43:14 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache] 
[Tue Nov 20 11:43:14 2012] [info] Init: Initializing (virtual) servers for SSL 
[Tue Nov 20 11:43:14 2012] [info] Configuring server for SSL protocol 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1) 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(601): Configuring client authentication 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate) 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate 
[Tue Nov 20 11:43:14 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key 
[Tue Nov 20 11:43:14 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r 
[Tue Nov 20 11:43:15 2012] [info] Init: Seeding PRNG with 0 bytes of entropy 
[Tue Nov 20 11:43:15 2012] [info] Loading certificate & private key of SSL-aware server 
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required 
[Tue Nov 20 11:43:15 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits) 
[Tue Nov 20 11:43:15 2012] [info] Init: Generating temporary DH parameters (512/1024 bits) 
[Tue Nov 20 11:43:15 2012] [info] Init: Initializing (virtual) servers for SSL 
[Tue Nov 20 11:43:15 2012] [info] Configuring server for SSL protocol 
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1) 
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(601): Configuring client authentication 
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(748): Configuring server certificate chain (1 CA certificate) 
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(420): Configuring TLS extension handling 
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(795): Configuring RSA server certificate 
[Tue Nov 20 11:43:15 2012] [debug] ssl_engine_init.c(834): Configuring RSA server private key 
[Tue Nov 20 11:43:15 2012] [info] mod_ssl/2.2.21 compiled against Server: Apache/2.2.21, Library: OpenSSL/0.9.8r 
[Tue Nov 20 11:43:15 2012] [debug] mod_advertise.c(577): [5660 - 6148] in child post config hook 
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Child process is running 
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(398): Child 5660: Retrieved our scoreboard from the parent. 
[Tue Nov 20 11:43:15 2012] [info] Parent: Duplicating socket 128 and sending it to child process 5660 
[Tue Nov 20 11:43:15 2012] [info] Parent: Duplicating socket 124 and sending it to child process 5660 
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(595): Parent: Sent 2 listeners to child 5660 
[Tue Nov 20 11:43:15 2012] [debug] mpm_winnt.c(554): Child 5660: retrieved 2 listeners from parent 
[Tue Nov 20 11:43:15 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 5660 for worker proxy:reverse 
[Tue Nov 20 11:43:15 2012] [debug] proxy_util.c(1914): proxy: initialized worker 0 in child 5660 for (*) min=0 max=64 smax=64 
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Acquired the start mutex. 
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting 64 worker threads. 
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting thread to listen on port 8888. 
[Tue Nov 20 11:43:15 2012] [notice] Child 5660: Starting thread to listen on port 8800. 
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting 
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done 
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting 
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done 
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(678): update_workers_node starting 
[Tue Nov 20 11:43:16 2012] [debug] mod_proxy_cluster.c(693): update_workers_node done 

Answers

0

The problem was with mod_cluster 1.2.0. I took the latest mod_cluster code, compiled it and used that. The HTTPS redirect works like a charm.

0

Well, this is all a very strange configuration... SSLProxyVerify require? mod_cluster is effectively a MITM attack :-) Also, for mod_cluster itself SSL must be On. Take a look:

1) The worker node can register with the balancer.

2) The connections are secured: Client <--SSL--> Balancer <--SSL--> Worker, although the worker must trust the balancer...

3) e.g. accessing

http://localhost:8800/mcm 

is redirected to the secure

https://localhost:8888/mcm 

I guess that is what you want?

HTTPD

# mod_proxy_balancer should be disabled when mod_cluster is used 
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so 
LoadModule slotmem_module modules/mod_slotmem.so 
LoadModule manager_module modules/mod_manager.so 
LoadModule advertise_module modules/mod_advertise.so 

MemManagerFile /home/karm/httpd/logs 

Listen 8800 
<VirtualHost localhost:8800> 
RewriteEngine on 
RewriteCond %{SERVER_PORT} !^8888$ 
RewriteRule ^(.*) https://%{SERVER_NAME}:8888%{REQUEST_URI} 
</VirtualHost> 

<IfModule manager_module> 
    Listen 8888 
    ManagerBalancerName qacluster 
    <VirtualHost localhost:8888> 
    <Directory /> 
     Order deny,allow 
     Deny from all 
     Allow from all 
    </Directory> 

    ServerAdvertise on 
    EnableMCPMReceive 
    AdvertiseGroup 224.0.1.105:6666 

    <Location /mcm> 
     SetHandler mod_cluster-manager 
     Order deny,allow 
     Deny from all 
     Allow from all 
    </Location> 

    SSLEngine on 
    SSLCipherSuite AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL 
    SSLVerifyDepth 10 
    SSLProxyEngine On 
    SSLCertificateKeyFile /home/karm/Server/server.key 
    SSLCertificateFile /home/karm/Server/server.crt 
    SSLCACertificateFile /home/karm/Server/myca.crt 
    LogLevel debug 

    </VirtualHost> 
</IfModule> 

AS7:

+++ 
<subsystem xmlns="urn:jboss:domain:web:1.2" default-virtual-server="default-host" native="false"> 
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"> 
     <ssl name="https" key-alias="javaclient" password="tomcat" certificate-key-file="/home/karm/Client/client-cert-key.jks" cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" protocol="TLS" verify-client="false" certificate-file="/home/karm/Client/client-cert-key.jks" ca-certificate-file="/home/karm/Client/ca-cert.jks"/> 
    </connector> 
    <virtual-server name="default-host" enable-welcome-root="true"> 
     <alias name="localhost"/> 
     <alias name="example.com"/> 
    </virtual-server> 
</subsystem> 
+++ 
<subsystem xmlns="urn:jboss:domain:modcluster:1.1"> 
    <mod-cluster-config advertise-socket="modcluster" advertise="true" sticky-session="true" sticky-session-remove="false" sticky-session-force="false" connector="https"> 
     <dynamic-load-provider history="10" decay="2"> 
      <load-metric type="busyness"/> 
     </dynamic-load-provider> 
     <ssl key-alias="javaclient" password="tomcat" certificate-key-file="/home/karm/Client/client-cert-key.jks" cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" ca-certificate-file="/home/karm/Client/ca-cert.jks"/> 
    </mod-cluster-config> 
</subsystem> 
+++ 

HTH

Cheers

Edit: Note that if you have only an https connector, this bug may occur: https://issues.jboss.org/browse/JBPAPP-9493. After a period of inactivity, clients get several 502 errors. A reasonable workaround is to change:

Client <--SSL--> Balancer <--SSL--> Workers

to

Client <--SSL--> Balancer --AJP--> Worker
Worker --SSL--> Balancer

That is done by adding an AJP connector to AS7, e.g.: <connector name="ajp" protocol="AJP/1.3" scheme="ajp" socket-binding="ajp"/>

and setting the modcluster subsystem simply to:

<mod-cluster-config advertise-socket="modcluster" advertise="true" sticky-session="true" sticky-session-remove="false" sticky-session-force="false" connector="ajp">

+0

Hi, thanks for your answer. Unfortunately it does not work for me. I have updated my question with my current configuration. When the JBoss worker registers with mod_cluster, the redirect does not work. Please help. – jaks
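The thread hinges on one observable fact: whether a plain-HTTP request to the balancer comes back as a redirect to the HTTPS URL (the questioner's port-80 and port-8800 RewriteRules, and karm's step 3, http://localhost:8800/mcm going to https://localhost:8888/mcm) or is simply served over HTTP. The script below is an added example, not code from the thread or from the mod_cluster project. It reproduces the behaviour of the two RewriteCond/RewriteRule pairs shown above in Python (`rewrite_cond_matches`, `expected_location`), judges a captured response against the expected Location header (`check_redirect`), and can probe a live balancer without following redirects (`probe`). The sample responses are constructed; the function and variable names are mine, not Apache's or JBoss's.

```python
"""Offline checker for the HTTP-to-HTTPS redirect discussed in the thread.
Added example; the names below are assumptions, not Apache/JBoss APIs."""
import re
import http.client
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def rewrite_cond_matches(server_port, cond_pattern):
    """Evaluate `RewriteCond %{SERVER_PORT} <cond_pattern>` as mod_rewrite does:
    the pattern is a regex searched anywhere in the value (unanchored unless
    the author writes ^...$), and a leading '!' negates the result."""
    negate = cond_pattern.startswith("!")
    pattern = cond_pattern[1:] if negate else cond_pattern
    matched = re.search(pattern, str(server_port)) is not None
    return matched != negate


def expected_location(request_url, https_port=443):
    """Location the thread's rule `https://%{SERVER_NAME}[:port]%{REQUEST_URI}`
    should produce for a given plain-HTTP request URL."""
    parts = urlsplit(request_url)
    request_uri = parts.path or "/"
    if parts.query:
        request_uri += "?" + parts.query
    port_part = "" if https_port == 443 else f":{https_port}"
    return f"https://{parts.hostname}{port_part}{request_uri}"


def check_redirect(request_url, status, headers, https_port=443):
    """Judge one captured response. Returns (ok, reason).
    A non-redirect status is exactly the 'page opens in HTTP mode' symptom."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status not in REDIRECT_STATUSES:
        return False, f"status {status}: no redirect, resource served over plain HTTP"
    location = hdrs.get("location")
    if not location:
        return False, f"status {status} but no Location header"
    want = urlsplit(expected_location(request_url, https_port))
    got = urlsplit(location)
    if got.scheme != "https":
        return False, f"redirect target is not https: {location}"
    if got.hostname != want.hostname:
        # Refuse a Location that points at another host: that is an open redirect.
        return False, f"redirect leaves the requested host: {location}"
    if (got.port or 443) != https_port:
        return False, f"redirect goes to port {got.port or 443}, expected {https_port}"
    if got.path != want.path or got.query != want.query:
        return False, f"redirect drops the request URI: {location}"
    return True, f"status {status} -> {location}"


def probe(url, https_port=443, timeout=5):
    """Fetch url once over plain HTTP without following redirects, then check it.
    Needs network access; not exercised by the offline samples below."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers={"Host": parts.netloc})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return check_redirect(url, resp.status, headers, https_port)


# Constructed sample responses (request URL, status, headers, expected HTTPS port):
# karm's working case, the questioner's 'served over HTTP' symptom, and a
# redirect that stays on http (misconfigured rule).
SAMPLE_RESPONSES = [
    ("http://localhost:8800/mcm", 302, {"Location": "https://localhost:8888/mcm"}, 8888),
    ("http://localhost/", 200, {"Content-Type": "text/html"}, 443),
    ("http://localhost/app?x=1", 302, {"Location": "http://localhost/app?x=1"}, 443),
]


def run_samples():
    """Check every constructed sample; returns a list of (ok, reason)."""
    return [check_redirect(u, s, h, p) for u, s, h, p in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for (url, _, _, _), (ok, reason) in zip(SAMPLE_RESPONSES, run_samples()):
        print("PASS" if ok else "FAIL", url, "-", reason)
```

Two things the checker makes visible that the configs alone do not. First, `RewriteCond %{SERVER_PORT} 80` is an unanchored regex, so it also matches ports such as 8080 or 8800; karm's `!^8888$` is anchored and only exempts the HTTPS listener. Second, the check insists that the Location keeps the requested host and path, so a balancer that redirects elsewhere is reported as a failure rather than counted as "redirect works".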