
SSL between apache and JBoss

We have the following configuration:

  • One Apache server, version 2.2.14.

  • Two JBoss Application Server 7.1.1 application servers, running in domain mode.

We configured the virtual host and mod_cluster discovers the application servers without any problem, but when I add the SSL configuration, mod_cluster can no longer discover the application servers.

The httpd-vhosts.conf file is:

Listen <ip>:10001
MemManagerFile /var/cache/httpd
<VirtualHost <ip>:10001>
  ErrorLog "/usr/IBMAHS/logs/error_ssl_log"
  TransferLog "/usr/IBMAHS/logs/access_ssl_log"
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile "/usr/IBMAHS/pki/file.com.crt"
  SSLCertificateKeyFile "/usr/IBMAHS/pki/file.com.key"
  <Directory />
    Order deny,allow
    Allow from all
  </Directory>
  KeepAliveTimeout 60
  MaxKeepAliveRequests 0
  ManagerBalancerName other-server-group_d
  ServerAdvertise On
  AdvertiseFrequency 5
  #EnableMCPMReceive
  #This directive allows you to view mod_cluster status at URL http://<ip>:10001/mod_cluster-manager
  <Location /mod_cluster-manager>
    SetHandler mod_cluster-manager
    Order deny,allow
    Allow from all
  </Location>
</VirtualHost>

Can anyone help me?

I assume you want to get this setup up and running:

clients <-- SSL --> balancer <-- SSL --> AS7 workers

and that you are aware of the serious performance drawback of the

balancer <-- SSL --> AS7 workers

part. The setup below works, but one must be aware of the fact that the connection between the client and the AS7 worker is not transparent, and the balancer behaves more or less like a man in the middle. If the client trusts the balancer, the balancer trusts the workers, and the workers trust the balancer, everything is fine.

Here you go, bro:

Apache HTTP Server with mod_cluster

MemManagerFile "/opt/httpd/cache/mod_cluster"
ServerName 10.16.94.122:2181

<IfModule manager_module>
  Listen 10.16.94.122:8847
  # As soon as it works, remove/change this...
  LogLevel debug
  <VirtualHost 10.16.94.122:8847>
    ServerName 10.16.94.122:8847
    <Directory />
      Order deny,allow
      Deny from all
      # Obviously, testing purposes...
      Allow from all
    </Directory>
    KeepAliveTimeout 60
    MaxKeepAliveRequests 0
    ServerAdvertise on
    AdvertiseFrequency 5
    ManagerBalancerName qacluster
    AdvertiseGroup 224.0.5.188:23364
    EnableMCPMReceive
    SSLEngine on
    SSLCipherSuite AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL
    SSLCertificateFile /opt/ssl/proper/server.crt
    SSLCertificateKeyFile /opt/ssl/proper/server.key
    SSLCACertificateFile /opt/ssl/proper/myca.crt
    #SSLVerifyClient require
    #SSLProxyVerify require
    SSLProxyEngine On
    SSLVerifyDepth 10
    <Location /mcm>
      SetHandler mod_cluster-manager
      Order deny,allow
      Deny from all
      # Obviously, testing purposes...
      Allow from all
    </Location>
  </VirtualHost>
</IfModule>

AS7 worker standalone-ha.xml; the same can be applied to the appropriate domain profile:

AS7 worker

+++
</extensions>
<system-properties>
    <property name="javax.net.ssl.trustStore" value="/opt/ssl/proper/client-cert-key.jks"/>
    <property name="javax.net.ssl.trustStorePassword" value="you-shall-never-know"/>
</system-properties>
<management>
    +++
</management>
<profile>
    +++
    <subsystem xmlns="urn:jboss:domain:modcluster:1.1">
        <mod-cluster-config advertise-socket="modcluster" connector="https">
            <dynamic-load-provider>
                <load-metric type="busyness"/>
            </dynamic-load-provider>
            <ssl key-alias="javaclient" password="you-shall-never-know" certificate-key-file="/opt/ssl/proper/client-cert-key.jks"
                 cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" ca-certificate-file="/opt/ssl/proper/ca-cert.jks"/>
        </mod-cluster-config>
    </subsystem>
    +++
    <subsystem xmlns="urn:jboss:domain:web:1.5" native="false">
        <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true" enabled="true">
            <ssl name="https" key-alias="javaclient" password="you-shall-never-know" certificate-key-file="/opt/ssl/proper/client-cert-key.jks"
                 cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" protocol="TLS" verify-client="false"
                 certificate-file="/opt/ssl/proper/client-cert-key.jks" ca-certificate-file="/opt/ssl/proper/ca-cert.jks"/>
        </connector>
        <virtual-server name="default-host" enable-welcome-root="true">
            <alias name="localhost"/>
            <alias name="example.com"/>
        </virtual-server>
    </subsystem>
    +++
</profile>
<interfaces>
    +++
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    +++
    <socket-binding name="https" port="8443"/>
    +++
    <socket-binding name="modcluster" port="0" multicast-address="224.0.5.188" multicast-port="23364"/>
    +++

Let us know whether it works for you. In the future, you might want to go directly to the JBoss mod_cluster forum :-)
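The SSLCipherSuite value in the question and the cipher-suite values in the answer are plain OpenSSL cipher-list strings, and the operators are easy to misread: a `+` prefix (`+LOW`, `+eNULL` in the question) only re-orders ciphers that are already enabled, whereas `!` (`!LOW`, `!NULL` in the answer) removes them. The Python below is an added example, not code from this page, from Apache or from JBoss. It implements a simplified evaluator of the OpenSSL cipher-list operators over a small constructed subset of the OpenSSL 1.0.x cipher table and uses it to compare the two strings from the page; token matching is case-insensitive here as a simplification, and the `WEAK` attribute list and the `HARDENED_SUITE` variant are the example's own choices.

```python
"""Simplified evaluator for OpenSSL-style cipher-list strings, i.e. the value
of Apache's SSLCipherSuite and of the cipher-suite attribute in the AS7
<ssl/> elements.  Added example; not code from the page, Apache or JBoss."""

# Constructed subset of the OpenSSL 1.0.x cipher table (the generation httpd
# 2.2.x was built against): name -> (key bits, set of OpenSSL alias attributes).
CIPHERS = {
    "AES128-SHA":      (128, {"kRSA", "aRSA", "RSA", "AES", "SHA", "HIGH", "SSLv3"}),
    "DES-CBC3-SHA":    (168, {"kRSA", "aRSA", "RSA", "3DES", "SHA", "HIGH", "SSLv3"}),
    "RC4-SHA":         (128, {"kRSA", "aRSA", "RSA", "RC4", "SHA", "MEDIUM", "SSLv3"}),
    "RC4-MD5":         (128, {"kRSA", "aRSA", "RSA", "RC4", "MD5", "MEDIUM", "SSLv3"}),
    "DES-CBC-SHA":     (56,  {"kRSA", "aRSA", "RSA", "DES", "SHA", "LOW", "SSLv3"}),
    "EXP-DES-CBC-SHA": (40,  {"kRSA", "aRSA", "RSA", "DES", "SHA", "EXP", "EXPORT40", "SSLv3"}),
    "EXP-RC4-MD5":     (40,  {"kRSA", "aRSA", "RSA", "RC4", "MD5", "EXP", "EXPORT40", "SSLv3"}),
    "DES-CBC3-MD5":    (168, {"kRSA", "aRSA", "RSA", "3DES", "MD5", "HIGH", "SSLv2"}),
    "ADH-AES128-SHA":  (128, {"kEDH", "aNULL", "ADH", "AES", "SHA", "HIGH", "SSLv3"}),
    "NULL-SHA":        (0,   {"kRSA", "aRSA", "RSA", "eNULL", "SHA", "SSLv3"}),
}

# Attributes that make a negotiated cipher unacceptable, with the reason
# (the example's own list, chosen from the tokens the page's strings use).
WEAK = {
    "eNULL": "no encryption",
    "aNULL": "no server authentication",
    "EXP":   "export grade (40-bit)",
    "LOW":   "low strength (<= 64-bit)",
    "SSLv2": "SSLv2-only cipher",
    "RC4":   "RC4 stream cipher",
    "MD5":   "MD5 MAC",
}


def _matches(name, token):
    """Does cipher `name` match a single alias or cipher-name token?"""
    attrs = CIPHERS[name][1]
    t = token.upper()  # simplification: tokens are matched case-insensitively
    if t == "ALL":                            # ALL = everything except eNULL
        return "eNULL" not in attrs
    if t in ("NULL", "ENULL", "COMPLEMENTOFALL"):
        return "eNULL" in attrs
    if t == "EXPORT":
        t = "EXP"
    return name.upper() == t or t in {a.upper() for a in attrs}


def evaluate(spec):
    """Return the ordered list of enabled cipher names for cipher-list `spec`.

    Operators follow the ciphers(1) rules: no prefix adds ciphers not yet
    present, '-' removes (they may be re-added later), '!' removes for good,
    '+' only re-orders ciphers that are already enabled, an infix '+' between
    tokens means logical AND, and @STRENGTH sorts by key size.  Tokens that
    match nothing in the table are ignored.
    """
    enabled, killed = [], set()
    for rule in spec.split(":"):
        if not rule:
            continue
        if rule == "@STRENGTH":
            enabled.sort(key=lambda n: -CIPHERS[n][0])
            continue
        op, body = (rule[0], rule[1:]) if rule[0] in "!-+" else ("", rule)
        parts = body.split("+")
        matched = [n for n in CIPHERS if all(_matches(n, p) for p in parts)]
        if op == "!":
            killed.update(matched)
            enabled = [n for n in enabled if n not in matched]
        elif op == "-":
            enabled = [n for n in enabled if n not in matched]
        elif op == "+":
            moved = [n for n in enabled if n in matched]
            enabled = [n for n in enabled if n not in matched] + moved
        else:
            enabled += [n for n in matched if n not in enabled and n not in killed]
    return enabled


def weak_ciphers(spec):
    """Map each enabled cipher that carries a WEAK attribute to its reasons."""
    report = {}
    for name in evaluate(spec):
        reasons = [why for attr, why in WEAK.items() if attr in CIPHERS[name][1]]
        if reasons:
            report[name] = reasons
    return report


# The two cipher strings from the page, plus a tightened variant of the answer's.
QUESTION_SUITE = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
ANSWER_SUITE = "AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL"
HARDENED_SUITE = ANSWER_SUITE + ":!EXP:!RC4"

if __name__ == "__main__":
    for label, spec in [("question", QUESTION_SUITE), ("answer", ANSWER_SUITE),
                        ("hardened", HARDENED_SUITE)]:
        print(f"{label}: {evaluate(spec)}")
        for name, reasons in weak_ciphers(spec).items():
            print(f"  weak: {name} ({', '.join(reasons)})")
```

On this table the question's string still enables LOW, export-grade, SSLv2 and RC4/MD5 ciphers, because every `+` token merely moves ciphers that `ALL` already added (and `+eNULL` adds nothing, since `ALL` excludes eNULL). The answer's string kills the LOW, MD5, SSLv2 and NULL ciphers but leaves the 40-bit `EXP-DES-CBC-SHA` and `RC4-SHA` negotiable; appending `!EXP:!RC4` removes them. A real OpenSSL build knows far more ciphers than this toy table, so confirm the effective list on the actual balancer with `openssl ciphers -v '<string>'`.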

Do you have a standalone (non-clustered) example configuration?
