In case I have both the httpd and JBoss in secure LAN, is it possible to terminate SSL requests at httpd, and pass the request to available JBoss via mod_cluster?
Any idea what configuration involved?
You can either:
1) secure only the connection from clients to your balancer and take the balancer--workers network as trusted:
client<--SSL-->balancer<--AJP/HTTP-->workers
2) or secure the whole path (note: a balancer is actually a man-in-the-middle by definition :-), so you will have to trust your balancer implicitly on the workers...):
client<--SSL-->balancer<--SSL-->workers
Option 2) has serious performance drawbacks. I will show you how to do both:
1) httpd:
<IfModule manager_module>
  Listen 8888
  ManagerBalancerName qacluster
  <VirtualHost localhost:8888>
    ServerName localhost:8888
    <Directory />
      Order deny,allow
      Deny from all
      Allow from all
    </Directory>
    ServerAdvertise on
    EnableMCPMReceive
    AdvertiseGroup 224.0.1.105:6666
    <Location /mcm>
      SetHandler mod_cluster-manager
      Order deny,allow
      Deny from all
      Allow from all
    </Location>
    SSLEngine on
    SSLCipherSuite AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL
    SSLVerifyDepth 10
    SSLCertificateKeyFile /home/karm/Server/server.key
    SSLCertificateFile /home/karm/Server/server.crt
    SSLCACertificateFile /home/karm/Server/myca.crt
    LogLevel debug
  </VirtualHost>
</IfModule>
AS7:
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
  <mod-cluster-config advertise-socket="modcluster" advertise="true" sticky-session="true" sticky-session-remove="false" sticky-session-force="false" connector="ajp">
    <dynamic-load-provider history="10" decay="2">
      <load-metric type="busyness"/>
    </dynamic-load-provider>
    <ssl key-alias="javaclient" password="tomcat" certificate-key-file="/home/karm/Client/client-cert-key.jks" cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" ca-certificate-file="/home/karm/Client/ca-cert.jks"/>
  </mod-cluster-config>
</subsystem>
Now AS7 uses HTTPS only for posting mod_cluster messages to the balancer. Other balancer -> AS7 communication (such as client requests) is not encrypted, because it uses AJP.
2) httpd:
+++
SSLEngine on
+SSLProxyEngine On
+++
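Review bot: `+SSLProxyEngine On` turns on outbound TLS from httpd to the workers but does nothing about validating the worker's certificate; mod_ssl's SSLProxyVerify defaults to none, so as written the balancer will accept whatever certificate the worker presents. Add `SSLProxyVerify require` and `SSLProxyCACertificateFile` (pointing at the CA that signed the worker certificates) next to it so that option 2 authenticates the worker rather than only encrypting the hop.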
AS7:
+++
-<connector name="ajp" protocol="AJP/1.3" scheme="ajp" socket-binding="ajp"/>
+<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
+ <ssl name="https" key-alias="javaclient" password="tomcat" certificate-key-file="/home/karm/Client/client-cert-key.jks" cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" protocol="TLS" verify-client="false" certificate-file="/home/karm/Client/client-cert-key.jks" ca-certificate-file="/home/karm/Client/ca-cert.jks"/>
+</connector>
+++
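Review bot: the new https connector carries `verify-client="false"`, so the worker will accept a TLS connection from any client, not only the balancer, and the `ca-certificate-file` in the same `<ssl>` element is then not used to authenticate anyone. If the point of option 2 is that only the balancer may reach the worker, set `verify-client="true"` and give httpd a client certificate for the proxy side (mod_ssl's SSLProxyMachineCertificateFile); otherwise document that the worker side of this hop is encrypted but unauthenticated.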
-<mod-cluster-config advertise-socket="modcluster" advertise="true" sticky-session="true" sticky-session-remove="false" sticky-session-force="false" connector="ajp">
+<mod-cluster-config advertise-socket="modcluster" advertise="true" sticky-session="true" sticky-session-remove="false" sticky-session-force="false" connector="https">
+++
Regarding 2)
HTH
Cheers
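As an added example (not from the post above and not part of mod_cluster or httpd), here is a small Python audit that reads a balancer httpd config and an AS7 profile fragment and reports which of the two trust models described in the answer the pair actually implements, and what each leaves unverified. The sample configs are constructed, cut down from the answer's, with placeholder paths and passwords; the hardened variant's SSLProxyVerify / SSLProxyCACertificateFile directives and verify-client="true" are additions for illustration, and the 10.0.0.0/8 network is an assumed example value.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs, cut down from the two variants in the answer above.
# Paths, passwords and the 10.0.0.0/8 network are placeholders, not values from the post.
HTTPD_OPTION1 = """
<IfModule manager_module>
  <VirtualHost localhost:8888>
    <Directory />
      Order deny,allow
      Deny from all
      Allow from all
    </Directory>
    EnableMCPMReceive
    SSLEngine on
    SSLCertificateKeyFile /path/to/server.key
    SSLCertificateFile /path/to/server.crt
  </VirtualHost>
</IfModule>
"""
# Option 2 adds only SSLProxyEngine, exactly as the post's httpd diff does.
HTTPD_OPTION2 = HTTPD_OPTION1.replace("SSLEngine on", "SSLEngine on\n    SSLProxyEngine On")
# Hardened variant (assumed): validate the worker certificate and restrict who may send MCPM messages.
HTTPD_HARDENED = HTTPD_OPTION2.replace(
    "SSLProxyEngine On",
    "SSLProxyEngine On\n    SSLProxyVerify require\n    SSLProxyCACertificateFile /path/to/workers-ca.crt",
).replace("Allow from all", "Allow from 10.0.0.0/8")

AS7_OPTION1 = """
<profile>
  <subsystem xmlns="urn:jboss:domain:web:1.1">
    <connector name="ajp" protocol="AJP/1.3" scheme="ajp" socket-binding="ajp"/>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:modcluster:1.1">
    <mod-cluster-config advertise="true" connector="ajp"/>
  </subsystem>
</profile>
"""
AS7_OPTION2 = """
<profile>
  <subsystem xmlns="urn:jboss:domain:web:1.1">
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
      <ssl name="https" key-alias="javaclient" password="PLACEHOLDER" protocol="TLS"
           verify-client="false" certificate-key-file="/path/to/client.jks"/>
    </connector>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:modcluster:1.1">
    <mod-cluster-config advertise="true" connector="https"/>
  </subsystem>
</profile>
"""
AS7_HARDENED = AS7_OPTION2.replace('verify-client="false"', 'verify-client="true"')

OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def parse_httpd(text):
    """Flatten an httpd config into (enclosing_containers, directive, value) triples."""
    stack, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if CLOSE_RE.match(line):
            stack.pop()
        elif opened:
            stack.append((opened.group(1), opened.group(2).strip()))
        else:
            name, _, value = line.partition(" ")
            entries.append((tuple(stack), name, value.strip()))
    return entries


def first(entries, name):
    """Value of the first directive called `name` (httpd directive names are case-insensitive)."""
    return next((v for _, d, v in entries if d.lower() == name.lower()), None)


def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the xmlns prefix ElementTree attaches to tag names


def audit(httpd_conf, as7_profile_xml):
    """Report which trust model the pair of configs implements and what it leaves open."""
    findings = []
    entries = parse_httpd(httpd_conf)
    root = ET.fromstring(as7_profile_xml)
    mcc = next(el for el in root.iter() if local(el.tag) == "mod-cluster-config")
    # The connector mod_cluster points at decides the balancer->worker transport, not SSLEngine.
    connector = next((el for el in root.iter()
                      if local(el.tag) == "connector" and el.get("name") == mcc.get("connector")), None)
    backend_tls = connector is not None and connector.get("scheme") == "https"
    if not backend_tls:
        findings.append("mod_cluster uses a non-https connector: balancer->worker traffic is plaintext")
    else:
        if (first(entries, "SSLProxyEngine") or "").lower() != "on":
            findings.append("SSLProxyEngine is not On: httpd cannot open TLS connections to the worker")
        if (first(entries, "SSLProxyVerify") or "none").lower() == "none":
            findings.append("SSLProxyVerify is unset/none: httpd does not validate the worker certificate")
        ssl = next((el for el in connector if local(el.tag) == "ssl"), None)
        if ssl is None or ssl.get("verify-client", "false").lower() == "false":
            findings.append('verify-client="false": the worker accepts TLS clients other than the balancer')
    if any(d.lower() == "allow" and v.lower() == "from all" and ("Directory", "/") in path
           for path, d, v in entries):
        findings.append("MCPM receiver <Directory /> allows from all: any reachable host can register as a worker")
    return {"backend_tls": backend_tls, "findings": findings}


if __name__ == "__main__":
    for label, h, a in (("option 1", HTTPD_OPTION1, AS7_OPTION1),
                        ("option 2", HTTPD_OPTION2, AS7_OPTION2),
                        ("hardened", HTTPD_HARDENED, AS7_HARDENED)):
        print(label, audit(h, a))
```

The check keys on the connector that mod-cluster-config names rather than on `SSLEngine on`, because the latter only covers the client-facing leg: option 1 as posted is reported as a plaintext backend hop, option 2 as encrypted but authenticated in neither direction, and the hardened pair as clean. Run it against your real httpd.conf and standalone.xml fragments to see which of the two diagrams in the answer you have actually deployed.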
By default, mod_cluster will terminate your SSL connection and pass information to the backend unencrypted. See http://docs.jboss.org/mod_cluster/1.0.0/html/UsingSSL.html for instructions.
Note section 12.2, which shows the extra configuration required to use SSL between the proxy and the backend service. Section 12.3 shows how to forward information about the SSL session that was terminated, if your application has some reason to care about it.