How to configure Wildfly load balancing with redirect - load-balancing

I am working with the WildFly Undertow load balancer, and I added the following configuration in standalone-load-balancer.xml, but my request is not getting redirected.
I added a reverse proxy handler and host to the Undertow subsystem as:
<handlers>
  <reverse-proxy name="keycloak-handler">
    <host name="keycloak-host" outbound-socket-binding="remote-host" path="/auth"/>
  </reverse-proxy>
</handlers>
And then I defined the outbound socket binding for the remote host as:
<outbound-socket-binding name="remote-host">
  <remote-destination host="192.168.1.5" port="8443"/>
</outbound-socket-binding>
And then I added the reverse proxy to a location as:
<host name="default-host">
  <location name="/auth" handler="keycloak-handler"/>
  <filter-ref name="load-balancer"/>
</host>

The mistake I was making here is that my load balancer had SSL enabled and I was communicating with Keycloak via 8443, which expects the load balancer and Keycloak to both have the same certificates. So to get rid of this, I connected to Keycloak via port 8080 and enabled SSL only on the load balancer. After changing the code below, it worked for me:
<outbound-socket-binding name="remote-host">
  <remote-destination host="192.168.1.5" port="8080"/>
</outbound-socket-binding>
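
The wiring in this answer has three references that must line up (location to handler, reverse-proxy host to outbound-socket-binding, binding to remote-destination), and the fix changes the balancer-to-backend hop from 8443 to plain 8080. The script below is an added example, not code from the post or from WildFly/Undertow: it walks those references in a standalone*.xml fragment, reports any dangling one, and flags each backend hop that is plain HTTP so the operator knows where TLS stops. It assumes the `<host>` element under `<reverse-proxy>` takes an optional `scheme` attribute that defaults to "http"; the XML is constructed from the post's snippets, with one deliberately broken handler and one broken location added to exercise the checks.

```python
"""Cross-check an Undertow reverse-proxy configuration like the one above.

Added example; this is not code from the post or from WildFly/Undertow.  It
follows the three references the post wires together (location -> handler,
reverse-proxy host -> outbound-socket-binding -> remote-destination), reports
any dangling reference, and flags each backend hop that is plain HTTP so the
operator knows where TLS stops.  Assumption: the <host> element under
<reverse-proxy> takes an optional `scheme` attribute defaulting to "http".
The XML is constructed from the post's snippets plus one deliberately broken
handler and location to exercise the dangling-reference checks.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<server>
  <socket-binding-group name="standard-sockets">
    <outbound-socket-binding name="remote-host">
      <remote-destination host="192.168.1.5" port="8080"/>
    </outbound-socket-binding>
  </socket-binding-group>
  <subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <server name="default-server">
      <host name="default-host">
        <location name="/auth" handler="keycloak-handler"/>
        <location name="/admin" handler="no-such-handler"/>
        <filter-ref name="load-balancer"/>
      </host>
    </server>
    <handlers>
      <reverse-proxy name="keycloak-handler">
        <host name="keycloak-host" outbound-socket-binding="remote-host" path="/auth"/>
      </reverse-proxy>
      <reverse-proxy name="broken-handler">
        <host name="broken-host" outbound-socket-binding="missing-binding" scheme="https"/>
      </reverse-proxy>
    </handlers>
  </subsystem>
</server>
"""


def local(tag):
    """Drop the namespace prefix so the checks also work on a real standalone*.xml."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return a list of human-readable findings for the configuration."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. outbound-socket-binding name -> (host, port) of its remote-destination
    bindings = {}
    for osb in root.iter():
        if local(osb.tag) != "outbound-socket-binding":
            continue
        dest = next((c for c in osb if local(c.tag) == "remote-destination"), None)
        if dest is not None:
            bindings[osb.get("name")] = (dest.get("host"), dest.get("port"))

    # 2. every reverse-proxy host must point at a defined binding; note the scheme
    handlers = set()
    for rp in root.iter():
        if local(rp.tag) != "reverse-proxy":
            continue
        handlers.add(rp.get("name"))
        for h in rp:
            if local(h.tag) != "host":
                continue
            ref = h.get("outbound-socket-binding")
            where = f"{rp.get('name')}/{h.get('name')}"
            if ref not in bindings:
                findings.append(f"{where}: outbound-socket-binding '{ref}' is not defined")
                continue
            dst_host, dst_port = bindings[ref]
            scheme = h.get("scheme", "http")  # assumed default, see module docstring
            if scheme != "https":
                findings.append(f"{where}: plain {scheme} hop to {dst_host}:{dst_port} (TLS ends at the balancer)")

    # 3. every location must reference a handler that exists
    for loc in root.iter():
        if local(loc.tag) != "location":
            continue
        if loc.get("handler") not in handlers:
            findings.append(f"location {loc.get('name')}: handler '{loc.get('handler')}' is not defined")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_XML):
        print(line)
```

Run it against the real file and the "plain http hop" line tells you exactly which backend receives traffic the balancer has already decrypted; that is the trade the answer makes by moving from 8443 to 8080, and it is worth recording per hop rather than assuming the whole path is TLS because the front door is.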

Related

Tomcat Clustering Multicast throws error - Unable to perform failure detection check, assuming member down

Hi, I am new to the clustering concept, so I tried to establish a Tomcat cluster with 2 instances. I followed the examples, mainly at http://www.mulesoft.com/tcat/tomcat-clustering and a few other web sources.
My sample setup is as follows,
in workers.properties:
# Define worker names
worker.list=jkstatus, loadbalancer
# Create virtual workers
worker.jkstatus.type=status
worker.loadbalancer.type=lb
# Declare Tomcat server worker 1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=7009
# Declare Tomcat server worker 2
worker.worker2.type=ajp13
worker.worker2.port=9009
worker.worker2.host=localhost
# Associate real workers with virtual LoadBalancer worker
worker.loadbalancer.balance_workers=worker1,worker2
And Apache httpd.conf as,
# ADDED CLUSTER CONFIG
# Load module
LoadModule jk_module modules/mod_jk.so
# Specify path to worker configuration file
JkWorkersFile C:/tomcat_clustered/workers.properties
# Configure logging and memory
JkShmFile C:/tomcat_clustered/log/location/mod_jk.shm
JkLogFile C:/tomcat_clustered/log/location/mod_jk.log
JkLogLevel info
# Configure monitoring
JkMount /jkmanager/* jkstatus
<Location /jkmanager>
Order deny,allow
deny from all
allow from localhost
</Location>
# Configure applications
JkMount /* loadbalancer
# END CLUSTER CONFIG
With each Tomcat (worker) server.xml as,
<Engine name="Catalina" defaultHost="localhost" jvmRoute="worker1">
  <!--For clustering, please take a look at documentation at:
      /docs/cluster-howto.html (simple how to)
      /docs/config/cluster.html (reference documentation) -->
  <!--
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
  -->
  <!-- CLUSTER BEGIN -->
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="8">
    <Manager className="org.apache.catalina.ha.session.DeltaManager"
             expireSessionsOnShutdown="false"
             notifyListenersOnReplication="true"/>
    <Channel className="org.apache.catalina.tribes.group.GroupChannel">
      <!---->
      <Membership className="org.apache.catalina.tribes.membership.McastService"
                  address="239.0.0.1"
                  port="45564" frequency="500"
                  dropTime="3000"/>
      <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
        <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
      </Sender>
      <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                address="auto" port="4000" autoBind="100"
                selectorTimeout="5000" maxThreads="6"/>
      <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
      <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
    </Channel>
    <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter=""/>
    <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>
    <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
    <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
  </Cluster>
  <!-- CLUSTER END -->
  <!-- Use the LockOutRealm to prevent attempts to guess user passwords
       via a brute-force attack -->
  <Realm className="org.apache.catalina.realm.LockOutRealm">
For worker1 and worker2. I am working on Windows 7. It looks like some multicast option is needed, but I am not sure. On starting up Tomcat, one starts well, and on starting the second (say worker2) both Tomcat consoles are throwing errors as,
at org.apache.catalina.tribes.group.ChannelInterceptorBase.heartbeat(ChannelInterceptorBase.java:103)
at org.apache.catalina.tribes.group.GroupChannel.heartbeat(GroupChannel.java:155)
at org.apache.catalina.tribes.group.GroupChannel$HeartbeatThread.run(GroupChannel.java:690)
Sep 15, 2014 10:11:03 AM org.apache.catalina.tribes.group.interceptors.TcpFailureDetector memberAlive
SEVERE: Unable to perform failure detection check, assuming member down.
java.net.SocketException: Permission denied: connect
at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java
Not sure if it's due to some multicast permissions on my Windows or any config-related issues. Please suggest some good pointers in this regard.
You need to enable multicast. See this post on how to enable multicast in Windows: https://serverfault.com/questions/262634/how-do-i-know-if-ip-multicasting-is-enabled-on-my-network-in-windows
In a Linux environment, most system kernels are capable of processing multicast addresses, but we need to add a route entry in the kernel routing table:
sudo route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0
The error that you're reporting looks like it might be OS / networking related. Hard to say exactly. I can tell you this though.
You've declared a TcpFailureDetector.
<Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
This is part of Tomcat's cluster configuration and its responsibility is to make a TCP connection to any node that is suspected of failure. If the listener can't connect to the node, it'll be marked as down. If it can connect, then the node remains active.
In this case, the listener is attempting to make a connection to one of your nodes and it's failing with an error from the JDK. Googling that specific error turns up some suggestions, one of which is to use "-Djava.net.preferIPv4Stack=true".
I get java.net.SocketException: Permission denied: connect when sending an email in Jenkins
On a separate note, if you've not seen the official documentation on Tomcat clustering, I would strongly recommend you check that out. Here's the link.
http://tomcat.apache.org/tomcat-7.0-doc/cluster-howto.html
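
Both answers point at the host's multicast plumbing rather than at Tomcat. The script below is an added example, not code from the thread or from Tomcat: it reads the `<Membership>` element out of a server.xml fragment (constructed from the question), checks that the group address falls inside the 224.0.0.0/240.0.0.0 route the Linux answer adds, and offers a loopback probe that joins the group and sends one datagram to itself. A probe that receives nothing (or fails with a socket error like the "Permission denied" in the question) means the OS is not passing multicast, which is the condition to fix before looking at TcpFailureDetector. The probe is IPv4-only, the same thing `-Djava.net.preferIPv4Stack=true` forces on the JVM; the function names and the probe itself are this example's own.

```python
"""Check the multicast side of the Tomcat cluster membership above.

Added example; not code from the thread or from Tomcat.  It reads the
<Membership> element from a server.xml fragment (constructed from the
question), confirms the group address sits inside 224.0.0.0/240.0.0.0 (the
route the Linux answer adds), and offers a loopback probe that joins the group
and sends one datagram to itself.  A probe that receives nothing means the
host is not passing multicast at all, which is the condition to fix before
looking at TcpFailureDetector.  The probe is IPv4-only, which is also what the
-Djava.net.preferIPv4Stack=true suggestion in the answer forces on the JVM.
"""
import ipaddress
import os
import socket
import struct
import xml.etree.ElementTree as ET

# Constructed from the question's server.xml, trimmed to the membership part.
SAMPLE_SERVER_XML = """<Engine name="Catalina" defaultHost="localhost" jvmRoute="worker1">
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="8">
    <Channel className="org.apache.catalina.tribes.group.GroupChannel">
      <Membership className="org.apache.catalina.tribes.membership.McastService"
                  address="239.0.0.1" port="45564" frequency="500" dropTime="3000"/>
    </Channel>
  </Cluster>
</Engine>
"""

# The route from the Linux answer: 224.0.0.0 with netmask 240.0.0.0 (= 224.0.0.0/4).
MULTICAST_ROUTE = ipaddress.ip_network("224.0.0.0/240.0.0.0")


def membership_target(server_xml):
    """Return (group address, port) from the first <Membership> element."""
    member = next(ET.fromstring(server_xml).iter("Membership"))
    return member.get("address"), int(member.get("port"))


def is_multicast(address):
    """True for any multicast address (224.0.0.0/4 for IPv4)."""
    return ipaddress.ip_address(address).is_multicast


def route_covers(address):
    """True when the 224.0.0.0/240.0.0.0 route would carry traffic to address."""
    return ipaddress.ip_address(address) in MULTICAST_ROUTE


def loopback_probe(group, port, timeout=2.0):
    """Join `group`, send one datagram to group:port and report whether it came back.

    Uses IP_MULTICAST_LOOP so a single host can test itself; returns False on
    timeout or on any socket error (for example the 'Permission denied' the
    question reports), which is the signal to look at the OS firewall/routing.
    """
    token = os.urandom(8)
    recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    try:
        recv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        recv.bind(("", port))
        mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton("0.0.0.0"))
        recv.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
        recv.settimeout(timeout)
        send.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        send.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_LOOP, 1)
        send.sendto(token, (group, port))
        data, _ = recv.recvfrom(64)
        return data == token
    except OSError:
        return False
    finally:
        send.close()
        recv.close()


if __name__ == "__main__":
    group, port = membership_target(SAMPLE_SERVER_XML)
    print(f"membership group {group}:{port} multicast={is_multicast(group)} routed={route_covers(group)}")
    print("loopback probe:", "ok" if loopback_probe(group, port) else "no datagram received")
```

Run it on each node with the same group and port as the `<Membership>` element: a node that cannot hear its own multicast datagram will never see the other member, and the `TcpFailureDetector` error in the question is then a symptom of membership never forming rather than of the detector itself.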

How to force JBoss AS 7 to serve HTTPS using TLS 1.0?

How do I force JBoss AS 7 to serve HTTPS content over TLS 1.0?
I am providing a Java application that uses Spring Security 3 to clients. It is hosted on JBoss AS 7. It can only be reached over a VPN, so I'm not too concerned with encryption at the application or transport layer. (Perhaps I should be?) When my users try to connect, browsers refuse the connection unless the user explicitly enables TLS 1.1 and TLS 1.2. Since my users aren't interested in these nuances, I would like to force JBoss to revert back to TLS 1.0.
How do I force JBoss AS 7 to serve HTTPS content over TLS 1.0?
My web domain setup is as follows:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">
    <ssl password="myPassword" certificate-key-file="myKeyFile.jks" protocol="TLSv1" verify-client="false" certificate-file="myCertFile"/>
  </connector>
My socket binding group is set up as follows:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
  <socket-binding name="http" port="8080"/>
  <socket-binding name="https" port="8443"/>
  ....
</socket-binding-group>
Thanks in advance.
See https://docs.jboss.org/jbossweb/7.0.x/config/ssl.html
You can force TLS by making use of the protocol attribute.
The version of the SSL protocol to use. If not specified, the default is "ALL". Supported values: SSLv2, SSLv3, TLSv1, SSLv2+SSLv3 and ALL.

Apache CXF Jetty configuration httpj:engine-factory ThrottlingFilter to return HTTP 503 on high load

I have the following configuration of Jetty server inside my REST layer of Apache CXF JAX-RS:
<httpj:engine-factory bus="cxf">
  <!--
  you just need to specify the TLS Server configuration for the certain port
  -->
  <httpj:engine port="${port}">
    <httpj:tlsServerParameters>
      <sec:keyManagers keyPassword="${keystorePassword}">
        <sec:keyStore type="JKS"
                      password="${keystorePassword}"
                      file="${keystoreFile}"/>
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS"
                      password="${keystorePassword}"
                      file="${bookshelf.portal.http.keystoreFile}"/>
      </sec:trustManagers>
    </httpj:tlsServerParameters>
    <httpj:threadingParameters minThreads="5"
                               maxThreads="15" />
    <httpj:sessionSupport>true</httpj:sessionSupport>
  </httpj:engine>
</httpj:engine-factory>
I would like to configure Jetty to use a ThrottlingFilter to return an HTTP 503 error under high load on the server.
How do I do that?

Setting a WCF service on http when it's already configured for https

We have a service on our 3rd-party site which is configured to be invoked over https (server to firewall and routing, everything is configured for https)! Since we are unable to communicate with it due to a certificate issue with DataPower on our side, we thought why not test the connectivity over http!
So now they are trying to make the WCF Service http on the same IP and port; they could see the Service not responding to inbound calls and ignoring the http request coming in on an https-configured IP + port!
I am not sure what can be done to tell the .NET WCF Service, hey, ignore that it's on http and just get it rolling! They did disable the https binding and just tried with an http binding!
Any ideas would be great! Thanks!
(P.S. I don't have access to their code or config!)
Is it IIS hosted or self hosted?
If it is hosted in IIS, then IIS needs to have the SSL certificate removed and the configuration set to HTTP instead of HTTPS.
In WCF, you would have to disable Transport security, which is usually in the configuration on the binding, like:
<binding>
  <security mode="Transport">
To disable HTTPS you would need to set mode="None" (or something other than Transport).
This worked for me... Adding this to the web.config or app.config of the project
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>

Setting up SSL in JBoss AS 7

I am attempting to get SSL set up in JBoss Application Server 7. I want http and https so I added:
<connector name="https" scheme="https" protocol="HTTP/1.1" secure="true" socket-binding="https"/>
I created a jsse element as directed by https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration
Where do I put this jsse element in standalone.xml and how do I tie it to the https connector?
Okay, I figured it out after searching for "Jboss 7" and https together. http://community.jboss.org/message/625454
and
http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html were helpful resources.
A jsse element is not necessary in this case; all I needed to do was add
<ssl key-alias="<alias>" password="<password>" certificate-key-file="<path>" verify-client="true" ca-certificate-file="<path>"/>
Although there is a bug, https://issues.jboss.org/browse/AS7-1680, in which the value of ca-certificate-file is ignored. In order to get client authentication, the truststore has to be passed a different way, either through standalone.conf or
<system-properties>
  <property name="javax.net.ssl.trustStore" value="<path to truststore file>"/>
</system-properties>
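
The two JBoss AS 7 threads on this page both come down to attributes on the web subsystem's `<ssl>` element: the `protocol` value (the TLS 1.0 question, with the value list quoted from the jbossweb docs) and `verify-client` together with a truststore (this answer, where ca-certificate-file is ignored per AS7-1680 and the truststore has to arrive through the `javax.net.ssl.trustStore` system property). The script below is an added example, not code from the posts or from JBoss, that audits both in one pass over a standalone.xml fragment; the two fragments are constructed from the posts' snippets, the `/opt/jboss/truststore.jks` path is a placeholder, and the finding texts are this example's own wording.

```python
"""Audit the TLS settings of a JBoss AS 7 web-subsystem https connector.

Added example; not code from the posts or from JBoss.  It covers the two JBoss
questions above: the <ssl protocol=...> attribute from the TLS 1.0 question,
using the value list quoted from the jbossweb docs (SSLv2, SSLv3, TLSv1,
SSLv2+SSLv3, ALL; default ALL), and the client-authentication setup from the
last post, where ca-certificate-file is ignored (AS7-1680) and the truststore
has to arrive through the javax.net.ssl.trustStore system property instead.
Both XML fragments are constructed from the posts' snippets.
"""
import xml.etree.ElementTree as ET

OBSOLETE_SSL = {"SSLv2", "SSLv3", "SSLv2+SSLv3"}
TRUSTSTORE_PROPERTY = "javax.net.ssl.trustStore"

SAMPLE_NO_TRUSTSTORE = """<server>
  <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
      <ssl password="myPassword" certificate-key-file="myKeyFile.jks" protocol="TLSv1"
           verify-client="true" ca-certificate-file="truststore.jks"/>
    </connector>
  </subsystem>
</server>
"""

# Same connector, with the workaround from the last post added (placeholder path).
SAMPLE_WITH_TRUSTSTORE = SAMPLE_NO_TRUSTSTORE.replace(
    "<subsystem",
    '<system-properties>\n'
    '    <property name="javax.net.ssl.trustStore" value="/opt/jboss/truststore.jks"/>\n'
    '  </system-properties>\n'
    '  <subsystem',
    1,
)


def local(tag):
    """Strip the namespace so urn:jboss:domain:web:* elements match by name."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return findings for every https connector in the fragment."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): p.get("value") for p in root.iter() if local(p.tag) == "property"}
    findings = []
    for conn in root.iter():
        if local(conn.tag) != "connector" or conn.get("scheme") != "https":
            continue
        name = conn.get("name")
        ssl = next((c for c in conn if local(c.tag) == "ssl"), None)
        if ssl is None:
            findings.append(f"{name}: https connector has no <ssl> element")
            continue

        proto = ssl.get("protocol", "ALL")  # docs: default is ALL
        if proto in OBSOLETE_SSL:
            findings.append(f"{name}: protocol={proto} selects an obsolete SSL version")
        elif proto == "ALL":
            findings.append(f"{name}: protocol=ALL (the docs' default) pins no version; SSLv2/SSLv3 stay in the supported list")
        elif proto == "TLSv1":
            findings.append(f"{name}: protocol=TLSv1 requests TLS 1.0, the oldest TLS value in the docs list")

        if ssl.get("password"):
            findings.append(f"{name}: key-file password is stored in clear text in the connector")

        if ssl.get("verify-client") == "true":
            if TRUSTSTORE_PROPERTY in props:
                findings.append(f"{name}: client-auth truststore supplied via {TRUSTSTORE_PROPERTY}={props[TRUSTSTORE_PROPERTY]}")
            else:
                findings.append(
                    f"{name}: verify-client=true but {TRUSTSTORE_PROPERTY} is not set; "
                    "ca-certificate-file alone is ignored (AS7-1680)"
                )
    return findings


if __name__ == "__main__":
    for label, xml_text in (("without truststore", SAMPLE_NO_TRUSTSTORE),
                            ("with truststore", SAMPLE_WITH_TRUSTSTORE)):
        print(f"== {label}")
        for line in audit(xml_text):
            print(" ", line)
```

The truststore check is the one that matters operationally: with `verify-client="true"` and only `ca-certificate-file` set, the connector looks configured for client authentication while the bug described above means no trust anchor is actually loaded, so the audit reports it until the system property is present.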