We Keep Coding

Connecting apache and Widfly using mod_cluster

I am trying to setup mod_cluster as a reverse proxy for Wildfly 9. When I use http as a protocol (between mod_cluster and Wildfly), everything works just fine (forwarding requests to application server and detecting server).
My problems come up when I try to wire mod_cluster and wildfly using ajp as a protocol. I checked mod_cluster-manager and it seemed that
mod_cluster was connected to wildfly, but it couldn't forward
requests to application server.
I have the following configuration:
http server: Apache/2.4.18 (Ubuntu)
application server: Wildfly 9.0.2
mod_cluster: 1.3
mod_cluster.conf
PersistSlots on
CreateBalancers 1
MemManagerFile /opt/mod_cluster/logs
EnableOptions
AllowDisplay On
AllowCmd On
WaitForRemove 1
UseAlias 1
ServerAdvertise Off
Listen *:5555
<VirtualHost *:5555>
<Directory />
Order deny,allow
Allow from 192.168.0.71
Allow from 192.168.0.71
Allow from 127
Require all granted
</Directory>
<Location /mcm>
SetHandler mod_cluster-manager
Allow from 192.168
Allow from all
</Location>
KeepAliveTimeout 300
MaxKeepAliveRequests 0
ManagerBalancerName mycluster
#AdvertiseFrequency 5
EnableMCPMReceive
</VirtualHost>
<VirtualHost *:80>
ServerName my-app.org
ServerAlias my-app.org
ErrorLog /var/log/apache2/user.error.log
LogLevel warn
CustomLog /var/log/apache2/my_app.access.log combined
ServerSignature On
Redirect "/" https://my-app.org
ProxyPreserveHost On
SSLProxyEngine On
ProxyPreserveHost On
#ProxyPass /_error !
#ProxyPass / balancer://mycluster stickysession=JSESSIONID|jsessionid nofailover=on
#ProxyPassReverse / balancer://mycluster
<Location />
Order deny,allow
Allow from all
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerName my-app.org
ServerAlias my-app.org
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
ErrorLog /var/log/apache2/user.ssl.error.log
LogLevel warn
CustomLog /var/log/apache2/my_app.ssl.access.log combined
ServerSignature On
SSLProxyEngine On
ProxyPreserveHost On
ProxyPass /_error !
ProxyPass / balancer://mycluster stickysession=JSESSIONID|jsessionid nofailover=on
ProxyPassReverse / balancer://mycluster
<Location />
Order deny,allow
Allow from all
</Location>
</VirtualHost>
Wildfly Configuration (relevant fragments):
mod_cluster subsystem:
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
<mod-cluster-config advertise-socket="modcluster"
proxies="mc-prox1"
advertise="false"
sticky-session-force="true" load-balancing-group="mycluster" connector="ajp">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
outbound-socket-binding:
<outbound-socket-binding name="mc-prox1">
<remote-destination host="192.168.0.71" port="5555"/>
</outbound-socket-binding>
[EDIT]
I should have included ajp configuration:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:1500}">
<socket-binding name="ajp" port="${jboss.ajp.port:0}" />
.......
</socket-binding-group>
[EDIT2]
When I set ajp port to 8009, it works. I want to use custom port number.
Does anyone have a clue how to do it?

It turned out I had the wrong binaries :/. After replacing them with the ones from the offical website, I managed to connect Wildfly with apache through AJP.

mod_cluster widfly 9 and client certificate 2 way SSL

I have one problem when i am configuring 2 way SSL (client certificate) with mod_cluster on wildfly 9.0.2
-Direct connection on wildfly on port 8443 (like https://wildflyserver:8443/context) is working,
-AJP connector connection between apache and wildfly and mod_cluster is not working
-There is no HTTPS connector ?
<mod-cluster-config advertise-socket="modcluster" proxies="mc-proxy1" advertise="false" connector="http-default">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
<ssl key-alias="aofweb" password="XXXXXX" certificate-key-file="${jboss.domain.config.dir}/keystoreWeb.jks" cipher-suite="ALL" protocol="TLSv1" ca-certificate-file="${jboss.domain.config.dir}/keystoreWeb.jks"/>
</mod-cluster-config>
-When i am using http redirect to https with web.xml configuration and redirect-socket binding the URL changes from https://apacheserver/context to https://wildflyserver:8443/context, if i had a directive preserveProxyhost it does'nt work too,
anybody have a solution ?

i manage to do it , i configure "ajp" connection , in listener scheme https,
in case of in httpd listener certificate-forwarding=true and redirection on https,
in web.xml auth-method to CLIENT-CERT and transport-guarantee to CONFIDENTIAL,
and then the most important in apache, client verification mandatory and forward cert data :
SSLHonorCipherOrder on
SSLVerifyClient require
SSLVerifyDepth 10
#THE CA USED TO GENERATE CLIENT CERTIFICATE
SSLCACertificateFile /etc/httpd/certs/cacert.pem
SSLOptions +ExportCertData
SSLOptions +StdEnvVars
Require all granted
tell me if you have problem :
widlfy 9.0
apache 2.4
mod_proxy_ajp
mod_ssl
mod_proxy
modcluster 1.3.1

Tuleap unable to upload file

I have installed tuleap on centos 6.7 and having trouble to properly configure tuleap in following scenario. I have gone though the documentation and mailing list archives but didn't find the solution.
have ubuntu server with static ip address XXX.XXX.XXX.XXX accessible from outside
on the above server I have installed virtualbox and installed centos 6.7 + tuleap (local ip address YYY.YYY.YYY.YYY which is accessible from above ubuntu server only)
I have setup ProxyPass and ProxyPassReverse on ubuntu server which works fine:
ProxyPass / https://YYY.YYY.YYY.YYY/
ProxyPassReverse / https://YYY.YYY.YYY.YYY/
All features are working fine except when I try to upload the files. I see two issues:
When I try to upload file in "Document", I see below messages:
“Permissions successfully updated.
Document successfully created.
Error while creating initial version.”
But when I check apache error log I see that Docman_FileStorage.class.php tries to create file in the root directory i.e. something like /testproject/3/6/36/1 and hence get permission denied error. I am checking local.inc file but wondering where I have to set base path for storing documents?
I see another issue while attaching file to wiki pages. When I hit “Upload” button, the url mysite.domain.com get transferred to YYY.YYY.YYY.YYY ip address! BUT as the YYY.YYY.YYY.YYY is virtual machine ip address and not accessible from outside, I get page not found error. Could you tell me what might be missing? My proxy-pass apache setting looks like:
<VirtualHost *:80>
ServerName mysite.domain.com
ServerAlias *.mysite.domain.com
ProxyRequests off
ProxyPreserveHost off
SSLProxyEngine On
SSLProxyVerify none
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / https://YYY.YYY.YYY.YYY/
ProxyPassReverse / https://YYY.YYY.YYY.YYY/
</VirtualHost>
# Listen 443
<VirtualHost mysite.domain.com:443>
ServerName mysite.domain.com
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine On
SSLProxyVerify none
SSLProxyEngine On
SSLCertificateFile /etc/apache2/ssl/my.crt
SSLCertificateKeyFile /etc/apache2/ssl/my.key
ProxyRequests off
ProxyPreserveHost off
ProxyPass / https://YYY.YYY.YYY.YYY/
ProxyPassReverse / https://YYY.YYY.YYY.YYY/
</VirtualHost>
Any help to solve above issues will be appreciated.
Thanks!

I would suggest to look at selinux first.
Please try to run setenforce 0 on the centos box and try to create documents again. If that solve the problem, set selinux to permissive.

Load balancing in mod cluster is not working

I have Jboss server in Linux boxes. And I configured apache server in windows machine. I am able to see all the jboss server nodes in my modcluster manager console.
I have deployed one camel application on all the jboss servers. And I have done the performance test with 2,4,6 nodes. But there is no performance difference.......
Find the jboss configuration
<subsystem xmlns="urn:jboss:domain:modcluster:1.0">
<mod-cluster-config proxy-list="x.x.x.x:6666" advertise="false">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
For parallel execution of nodes, whether I have to do any other configurations...
Thanks in advance................

1 - download last version of mod_cluster at this link and extract it..
2 - configure your mod_cluster at the httpd.conf file like above..
Listen ##PUT THE BALANCER IP HERE##:80
############### mod_cluster Setting - STARTED ###############
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# MOD_CLUSTER_ADDS
# Adjust to you hostname and subnet.
<IfModule manager_module>
Listen ##PUT THE BALANCER IP HERE##:6666
ManagerBalancerName mycluster
<VirtualHost ##PUT THE MACHINE IP HERE##:6666>
<Location />
Order deny,allow
Deny from all
Allow from 192.168.0
</Location>
KeepAliveTimeout 300
MaxKeepAliveRequests 0
AdvertiseFrequency 5
EnableMCPMReceive
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
Order deny,allow
Deny from all
Allow from 192.168.0
</Location>
</VirtualHost>
</IfModule>
############### mod_cluster Setting - ENDED ###############
3 - Set each of your jboss node's name
<server name="node1" xmlns="urn:jboss:domain:1.2">
4 - Add the instance-id attribute in web subsystem as shown below in both the standalone nodes
<subsystem xmlns="urn:jboss:domain:web:1.1" instance-id="${jboss.node.name}" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
.
.
.
</subsystem>
5 - Add the proxy-list in the attribute in mod-cluster-config of modcluster subsystem, which would be having IP Address and Port on which your Apache server (the balancer) is running so that JBoss server can communicate with it, as shown below in both the standalone nodes
<subsystem xmlns="urn:jboss:domain:modcluster:1.0">
<mod-cluster-config advertise-socket="modcluster" proxy-list="##PUT THE BALANCER IP HERE##:80">
.
.
.
</mod-cluster-config>
</subsystem>
6 - Now you can go to http://BALANCER_IP:80 and test it and to manage the jboss instances with mod_cluster go to http://BALANCER_IP:6666/mod_cluster_manager
**Obs: if you want to run jboss in standalone mode you CANNOT use the "-b" flag with the ip 0.0.0.0 that listens requests from all IPs.. I recommend you use the IP of the machine that's running the jboss itself

with sticky-session="true" (default), balancer keeps sending requests to the particular node to whom the session belongs as long as it is healthy.
If you tell me how did you test, especially: how many clients vs. how many requests, or not etc., I will be able to help you.
Furthermore, consider editing capacity attribute of load-metric element.
BTW: "busyness" considers threads in thread pool being occupied with serving requests. You might find that this is not the bottleneck of your system. You might want to add heap, requests or other metrics. See http://docs.jboss.org/mod_cluster/1.2.0/html_single/

link apache web server on port 80 and tomcat webapp on port 8080

On port 80 I have normal apache web server.
On port 8080 I have tomcat with client and server side stuff.
My goal is:
www.mydomain.com renders a static and SEO friendly index.html while javascript stuff is loading.
In the header of this index.html I load www.mydomain.com:8080/myapp/stuff.js
stuff.js is compiled with gwt and calls a RootLayoutPanel.get().add(nice_panel) which will remove static content and show dynamic widgets. It also calls servlets (server side code).
Problem: for security reasons, browsers wont let me load www.mydomain.com:8080/myapp/stuff.js because it is on a different port.
Wrong attempt: I tried to create a symlink from "normal" apache web server directory to the tomcat webapp containing stuff.js. I am now able to load stuff.js because its url is: www.mydomain.com/mysymlink_to_tomcat/stuff.js. But stuff.js is not able anymore to call servlets on server side again because of browsers security rules ("XMLHttpRequest cannot load ... origin ...is not allowed by Access-Control-Allow-Origin").
I would like to avoid the "crazy" solution of redirect from index.html to tomcat with header('location: http://mydomain.com:8080/another_index_on_tomcat.html'). This solution works but it has many drawbacks (SEO...)
What would be the best approach ?
Thanks.

You have basically two solutions:
make it work with the 2 origins: use the xsiframe linker in GWT to allow the page on :80 to load the script from :8080 (for readers: it's not about loading, it's about what the script does).
Add the following to your `gwt.xml:
<add-linker name='xsiframe' />
That unfortunately won't solve your issue with GWT-RPC (o whatever you use to talk to the server). For that, there's CORS.
use a single origin: use Apache's mod_proxy (or mod_jk) to proxy your Tomcat through your Apache. Nobody will ever use :8080, everything will go through :80. See Using Tomcat with Apache HTTPD and a proxy at https://developers.google.com/web-toolkit/doc/latest/DevGuideServerCommunication#DevGuideRPCDeployment
And of course there's also the solution of ditching the HTTPD and serving everything with Tomcat (recent Java and Tomcat versions have fixed their slowness issues).

I'm not sure if this would avoid the security error, but you could try an iframe. On apache, you have the index and an iframe to the tomcat, where the JS loads inside the iframe. Dunno if that will help with the SEO problem.

The best solution would be to redirect the port 80 calls to 8080 on apache when the client call is asking for a tomcat application.
Install mod_jk on apache and configure it to mount a context on the path you want
example: (edit /mods_enabled/jk.conf)
# Configure access to jk-status and jk-manager
# If you want to make this available in a virtual host,
# either move this block into the virtual host
# or copy it logically there by including "JkMountCopy On"
# in the virtual host.
# Add an appropriate authentication method here!
<Location /jk-status>
# Inside Location we can omit the URL in JkMount
JkMount jk-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
<Location /jk-manager>
# Inside Location we can omit the URL in JkMount
JkMount jk-manager
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
JkMount /*/myAppDir/* ajp13
Then add a virtual host in your site settings (edit /apache2/sites-enabled/)
<VirtualHost *:80>
. Here is the rest of the
. of the config of
. the host
# Tomcat jk connector settings
JkMount /*.jsp ajp13_worker
JkMount /myAppDir/* ajp13_worker
JkMount /myAppDir* ajp13_worker
JKMount /manager* ajp13_worker
JkMount /manager/* ajp13_worker
</VirtualHost>
And you should also edit the server.xml file and inside the tag write and comment the previous Host name="localhost"
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Host name="localhost" appBase="webapps" unpackWARs="true"
autoDeploy="true" >
<Context path="/" docBase="/var/lib/tomcat7/webapps/myAppDir/"
debug="0" reloadable="true" />
<!-- please notes on logs down below -->
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="/var/lib/tomcat7/logs" prefix="tomcat_access_"
suffix=".log" pattern="common" resolveHosts="false" />
</Host>
The only thing left to do is edit the workers.properties file and add
worker.myapp2.port=8009
worker.myapp2.host=localhost
worker.myapp2.type=ajp13
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=ajp13_worker
Then you should be set to work, and when a url containing the myAppDir appears, the apache server will redirect the calls to tomcat the answer will come back from apache.