While accessing http in wildfly9, a blank download file is getting downloaded - java

I've blocked the HTTP protocol (enabled HTTPS only) in WildFly 9.0 by changing the configuration below.
Changed connector-ref="default" to connector-ref="default-ssl":
<subsystem xmlns="urn:jboss:domain:remoting:3.0">
    <endpoint worker="default"/>
    <http-connector name="http-remoting-connector" connector-ref="default-ssl" security-realm="ApplicationRealm"/>
</subsystem>
Commented out the http-listener:
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <!-- <http-listener name="default" socket-binding="http" redirect-socket="https"/> -->
        <https-listener name="def.....
It worked: I am able to block HTTP and allow HTTPS access only. Ideally it should reject the HTTP request. But now the problem is that whenever I access http://localhost:8080/MyWebApp/, it rejects the HTTP request, but at the same time the web page downloads a blank download file. Why?
Thanks.

You should redirect your HTTP requests to HTTPS instead of disabling HTTP:
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443" />
Add a redirect handler in the handlers part, something along the lines of:
    <host name="other-host" alias="www.mysite.com, ${prop.value:default-alias}" default-web-module="something.war" disable-console-redirect="true">
        <location name="/" handler="welcome-content">
            <filter-ref name="redirects" predicate="!secure" />
        </location>
        <filter-ref name="headers"/>
    </host>
</server>
...
https://myserver/'" redirect="true" />

Related

TLS/SSL with Wildfly 16.0.0.Final and ejb client fails with org.xnio.http.UpgradeFailedException: Invalid response code 200

I have set up an EJB client that can connect successfully to remote+http://localhost:8080 without SSL/TLS.
Now I have created a truststore and keystore and followed the instructions in the WildFly documentation here to set up SSL/TLS.
My wildfly-config.xml contains the following:
<authentication-client xmlns="urn:elytron:1.0">
    <authentication-rules>
        <rule use-configuration="default-config"/>
    </authentication-rules>
    <authentication-configurations>
        <configuration name="default-config">
            <set-user-name name="${user}"/>
            <credentials>
                <clear-password password="${password}"/>
            </credentials>
            <sasl-mechanism-selector selector="#ALL" />
            <providers>
                <use-service-loader />
            </providers>
        </configuration>
    </authentication-configurations>
    <key-stores>
        <key-store name="im-keystore" type="JKS">
            <file name="client.truststore"/>
            <key-store-clear-password password="xxx"/>
        </key-store>
    </key-stores>
    <ssl-contexts>
        <ssl-context name="im-ssl-context">
            <trust-store key-store-name="im-keystore"/>
            <protocol names="TLSv1.2"/>
        </ssl-context>
    </ssl-contexts>
    <ssl-context-rules>
        <rule use-ssl-context="im-ssl-context"/>
    </ssl-context-rules>
</authentication-client>
The server is configured as follows:
<tls>
    <key-stores>
        <key-store name="httpsKS">
            <credential-reference clear-text="xxx"/>
            <implementation type="JKS"/>
            <file path="server.keystore" relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="httpsKM" key-store="httpsKS">
            <credential-reference clear-text="xxx"/>
        </key-manager>
    </key-managers>
    <server-ssl-contexts>
        <server-ssl-context name="httpsSSC" protocols="TLSv1.2" key-manager="httpsKM"/>
    </server-ssl-contexts>
</tls>
and
<https-listener name="https" socket-binding="https" ssl-context="httpsSSC" enable-http2="true"/>
Now the ejb client throws the following exception when connecting to remote+https://localhost:8443:
LOG 2019-06-13T12:12:56Z [XNIO-1 task-1] TRACE org.jboss.remoting.endpoint - Registered exception result
org.xnio.http.UpgradeFailedException: Invalid response code 200
at org.xnio.http.HttpUpgrade$HttpUpgradeState$UpgradeResultListener.handleEvent(HttpUpgrade.java:471) ~[xnio-api-3.6.5.Final.jar:3.6.5.Final]
at org.xnio.http.HttpUpgrade$HttpUpgradeState$UpgradeResultListener.handleEvent(HttpUpgrade.java:400) ~[xnio-api-3.6.5.Final.jar:3.6.5.Final]
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) ~[xnio-api-3.6.5.Final.jar:3.6.5.Final]
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) ~[xnio-api-3.6.5.Final.jar:3.6.5.Final]
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89) ~[xnio-nio-3.6.5.Final.jar:3.6.5.Final]
at org.xnio.nio.WorkerThread.run(WorkerThread.java:591) ~[xnio-nio-3.6.5.Final.jar:3.6.5.Final]
Any ideas?
It turned out that an additional remoting connector was missing, one that points with connector-ref to the https-listener defined in the undertow subsection:
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
<http-connector name="https-remoting-connector" connector-ref="https" security-realm="ApplicationRealm"/>
</subsystem>
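
An added example, not part of the original posts or of WildFly itself: both remoting questions above turn on whether an http-connector's connector-ref names an Undertow listener that exists and is TLS-backed, and this Python check cross-references the two subsystems. The sample XML, the connector name "stale-connector" and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments quoted on this page
# (not a complete standalone.xml; schema versions are ignored by the check).
SAMPLE = """<server>
  <profile>
    <subsystem xmlns="urn:jboss:domain:remoting:4.0">
      <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
      <http-connector name="https-remoting-connector" connector-ref="https" security-realm="ApplicationRealm"/>
      <http-connector name="stale-connector" connector-ref="default-ssl" security-realm="ApplicationRealm"/>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:undertow:2.0">
      <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <https-listener name="https" socket-binding="https"/>
      </server>
    </subsystem>
  </profile>
</server>"""


def split_tag(tag):
    """Split an ElementTree tag '{namespace}local' into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def audit_remoting_connectors(xml_text):
    """Map each remoting http-connector to 'tls', 'plaintext' or 'missing-listener'."""
    root = ET.fromstring(xml_text)  # XML comments are dropped by the default parser
    listeners = {}    # Undertow listener name -> transport
    connectors = []   # (connector name, connector-ref)
    for el in root.iter():
        ns, kind = split_tag(el.tag)
        if ":undertow:" in ns and kind in ("http-listener", "https-listener"):
            listeners[el.get("name")] = "tls" if kind == "https-listener" else "plaintext"
        elif ":remoting:" in ns and kind == "http-connector":
            connectors.append((el.get("name"), el.get("connector-ref")))
    # A connector-ref with no matching listener (renamed or commented out) is reported as such.
    return {name: listeners.get(ref, "missing-listener") for name, ref in connectors}


if __name__ == "__main__":
    for name, status in audit_remoting_connectors(SAMPLE).items():
        print(f"{name}: {status}")
```

A connector reported as "plaintext" carries remoting traffic over the unencrypted listener, and "missing-listener" means the connector-ref no longer matches any listener in the Undertow subsystem.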

Apache, Tomcat : Loadbalancing and failover configuration showing blank page.

I am working on adding load-balancing and fail-over functionality to our existing Apache Tomcat setup with mod_jk. For this, I have set up 2 Tomcat instances. I have made some changes, and will be pasting them. I am not getting any errors in the log of either httpd or Tomcat, and I am only seeing a blank page. What am I doing wrong?
Apache webserver config :
workers.properties :
worker.list=loadbalancer
worker.server1.port=8010
worker.server1.host=localhost
worker.server1.lbfactor=1
worker.server1.type=ajp13
worker.server2.port=8011
worker.server2.host=localhost
worker.server2.type=ajp13
worker.server2.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=server1,server2
worker.loadbalancer.sticky_session=true
worker.myworker.sticky_session_force=True
apache2.conf / httpd.conf :
Include sites-enabled/
LoadModule jk_module modules/mod_jk.so
JkWorkersFile /etc/apache2/workers.properties
JkLogFile /etc/apache2/mod_jk.log
JkMount /* loadbalancer
sites-enabled/000-default : Only contains :
JkMountCopy On
First tomcat's server.xml :
<Server port="8005" shutdown="SHUTDOWN">
<Connector port="8081" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000"/>
<Connector port="8010" protocol="AJP/1.3" redirectPort="8081" URIEncoding="utf-8"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/ javascript,application/x-javascript,application/javascript"
/>
<Engine name="Catalina" defaultHost="localhost" jvmRoute="server1">
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
</Cluster>
</Engine>
2nd Tomcat's server.xml :
<Server port="8006" shutdown="SHUTDOWN">
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000"/>
<Connector port="8011" protocol="AJP/1.3" redirectPort="8080" URIEncoding="utf-8"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/ javascript,application/x-javascript,application/javascript"
/>
<Engine name="Catalina" defaultHost="localhost" jvmRoute="server2">
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
</Cluster>
</Engine>
Even if I shut down any tomcat, all I see is a blank page. What am I doing wrong? Kindly let me know. Thanks a lot.. :-)
It's not usually worth it to specify any JkMount directives outside of a VirtualHost. You should be specific and map them to each VH.
JkMountCopy should have worked for you. I suspect that some other configuration was interfering with it.

How many connection can be created in jboss by default config?

For HTTP I have this config in standalone.xml:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
It's the default config.
I would like to know how many connections this server can handle, both incoming and outgoing.
For example, with 3000 users (clients) and this server communicating with other web services, how many HTTP/HTTPS connections overall can it handle at a time? Also, is there a way to find out the current number of connections?

Configuration GZip at Wildfly

I have a problem configuring GZip on my WildFly server. I used the following configuration on the server:
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="gzipFilter" predicate="path-suffix['.css'] or path-suffix['.js'] or path-suffix['.xhtml']"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="Wildfly 8"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow 1"/>
<gzip name="gzipFilter"/>
</filters>
</subsystem>
The files in the response were zipped correctly; however, I would like to set the minimum size for files to be zipped, and that is what I'm finding hard. Does anyone know how to set the minimum size at which the server zips files before sending them to the customer?
Expanding on Alexander's answer I did some tests. Strangely enough the predicate to only compress files larger than 500 bytes is not min-content-size[500].
To configure it using jboss-cli.sh run this script:
/subsystem=undertow/configuration=filter/gzip=gzipFilter:add()
/subsystem=undertow/server=default-server/host=default-host/\
filter-ref=gzipFilter:add(predicate="not min-content-size[500]")
Note that the gzip filter will start to work after server reload. You can do this using cli's command :reload.
To test if the filter is enabled I used:
wget $MY_URL -S --header="accept-encoding: gzip" \
-O /dev/null 2>&1| grep Content-Encoding
There is a predicate in Undertow, min-content-size, so you can use predicate=min-content-size[500].
I found the available predicates here https://github.com/undertow-io/undertow/tree/master/core/src/main/java/io/undertow/predicate due to lack of documentation
It worked with the predicate:
predicate="exists['%{o,Content-Type}'] and regex[pattern='(?:application/javascript|text/css|text/html|text/xml|application/json)(;.*)?', value=%{o,Content-Type}, full-match=true]"

Configuring SSL on JBoss 7

I am trying to add SSL support for my JBoss 7 installation. I followed the directions for the pure java solution on: JBoss AS 7.1 SSL Setup Guide
Here is my standalone.xml subsystem configuration
<subsystem xmlns="urn:jboss:domain:web:1.1" native="false" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443" />
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
<connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
<ssl name="ps-ssl" password="mypw" protocol="TLSv1" key-alias="ps" certificate-key-file="../standalone/configuration/ps.keystore" />
</connector>
</subsystem>
When I start up the application, I get the Firefox "problem loading page" message. I have configured web.xml to require https for the entire app. The application works fine when I remove the constraint, so I guess I missed something in setting up SSL. Does anybody see anything that I missed?
