mod_cluster HTTPS-only configuration example

## mod_cluster.conf
# Note: There is only "Listen 192.168.122.204:2181" in conf/http.conf,
#       all other configuration including SSL is done here for demonstration purposes.

LoadModule slotmem_module modules/mod_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule advertise_module modules/mod_advertise.so

MemManagerFile "/dev/shm/httpd/cache/mod_cluster"

# mod_cluster directive for emulating cpin/cpong
EnableOptions

# SSL properties for vhost on 2181
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLHonorCipherOrder on
SSLCertificateFile /vault/certs/server.crt
SSLCertificateKeyFile /vault/certs/server.key
SSLCACertificateFile /vault/certs/myca.crt
SSLVerifyClient require
SSLProxyVerify require
SSLProxyEngine On
SSLVerifyDepth 10
SSLProxyMachineCertificateFile /vault/certs/client.pem
SSLProxyCACertificateFile /vault/certs/myca.crt
SSLProxyProtocol all -SSLv2 -SSLv3

ServerName 192.168.122.204:2181

# MOD_CLUSTER
<IfModule manager_module>
  Listen 192.168.122.204:8847
  # Test and demonstration purposes...
  LogLevel debug
  <VirtualHost 192.168.122.204:8847>
    ServerName 192.168.122.204:8847
    <Directory />
      Order deny,allow
      Deny from all
      #CHANGEIT This is only for testing!
      Allow from all
    </Directory>
    KeepAliveTimeout 60
    MaxKeepAliveRequests 0
    ServerAdvertise on
    AdvertiseFrequency 5
    ManagerBalancerName qacluster
    AdvertiseGroup 224.0.5.79:65009
    EnableMCPMReceive

    # SSL properties for mod_cluster vhost

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    SSLHonorCipherOrder on
    SSLCertificateFile /vault/certs/server.crt
    SSLCertificateKeyFile /vault/certs/server.key
    SSLCACertificateFile /vault/certs/myca.crt
    SSLVerifyClient require
    SSLProxyVerify require
    SSLProxyEngine On
    SSLVerifyDepth 10
    SSLProxyMachineCertificateFile /vault/certs/client.pem
    SSLProxyCACertificateFile /vault/certs/myca.crt
    SSLProxyProtocol all -SSLv2 -SSLv3

    <Location /mcm>
      SetHandler mod_cluster-manager
      Order deny,allow
      Deny from all
      #CHANGEIT This is only for testing!
      Allow from all
    </Location>
  </VirtualHost>
</IfModule>

## standalone-ha.xml
<subsystem xmlns="urn:jboss:domain:modcluster:1.2">
<mod-cluster-config connector="https" advertise-socket="modcluster">
    <dynamic-load-provider>
        <load-metric type="busyness"/>
    </dynamic-load-provider>
    <ssl ca-certificate-file="/vault/certs/ca-cert.jks"
         certificate-key-file="/vault/certs/client-cert-key.jks"
         password="tomcat"
         key-alias="javaclient"
         cipher-suite="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
         protocol="TLSv1"/>
</mod-cluster-config>
</subsystem>

+++

<subsystem xmlns="urn:jboss:domain:web:2.1" native="false">
<connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enabled="true" secure="true">
<ssl name="https"
    ca-certificate-file="/vault/certs/ca-cert.jks"
    certificate-key-file="/vault/certs/server-cert-key.jks"
    certificate-file="/vault/certs/server-cert-key.jks"
    password="tomcat"
    verify-client="true"
    key-alias="javaserver"
    cipher-suite="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" protocol="TLSv1"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
    <alias name="localhost"/>
    <alias name="example.com"/>
</virtual-server>
</subsystem>
	# Note: There is only "Listen 192.168.122.204:2181" in conf/http.conf,
	# all other configuration including SSL is done here for demonstration purposes.

	LoadModule slotmem_module modules/mod_slotmem.so
	LoadModule manager_module modules/mod_manager.so
	LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
	LoadModule advertise_module modules/mod_advertise.so

	MemManagerFile "/dev/shm/httpd/cache/mod_cluster"

	# mod_cluster directive for emulating cpin/cpong
	EnableOptions

	# SSL properties for vhost on 2181
	SSLEngine on
	SSLProtocol all -SSLv2 -SSLv3
	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
	SSLHonorCipherOrder on
	SSLCertificateFile /vault/certs/server.crt
	SSLCertificateKeyFile /vault/certs/server.key
	SSLCACertificateFile /vault/certs/myca.crt
	SSLVerifyClient require
	SSLProxyVerify require
	SSLProxyEngine On
	SSLVerifyDepth 10
	SSLProxyMachineCertificateFile /vault/certs/client.pem
	SSLProxyCACertificateFile /vault/certs/myca.crt
	SSLProxyProtocol all -SSLv2 -SSLv3

	ServerName 192.168.122.204:2181

	# MOD_CLUSTER
	<IfModule manager_module>
	Listen 192.168.122.204:8847
	# Test and demonstration purposes...
	LogLevel debug
	<VirtualHost 192.168.122.204:8847>
	ServerName 192.168.122.204:8847
	<Directory />
	Order deny,allow
	Deny from all
	#CHANGEIT This is only for testing!
	Allow from all
	</Directory>
	KeepAliveTimeout 60
	MaxKeepAliveRequests 0
	ServerAdvertise on
	AdvertiseFrequency 5
	ManagerBalancerName qacluster
	AdvertiseGroup 224.0.5.79:65009
	EnableMCPMReceive

	# SSL properties for mod_cluster vhost

	SSLEngine on
	SSLProtocol all -SSLv2 -SSLv3
	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
	SSLHonorCipherOrder on
	SSLCertificateFile /vault/certs/server.crt
	SSLCertificateKeyFile /vault/certs/server.key
	SSLCACertificateFile /vault/certs/myca.crt
	SSLVerifyClient require
	SSLProxyVerify require
	SSLProxyEngine On
	SSLVerifyDepth 10
	SSLProxyMachineCertificateFile /vault/certs/client.pem
	SSLProxyCACertificateFile /vault/certs/myca.crt
	SSLProxyProtocol all -SSLv2 -SSLv3

	<Location /mcm>
	SetHandler mod_cluster-manager
	Order deny,allow
	Deny from all
	#CHANGEIT This is only for testing!
	Allow from all
	</Location>
	</VirtualHost>
	</IfModule>
	<subsystem xmlns="urn:jboss:domain:modcluster:1.2">
	<mod-cluster-config connector="https" advertise-socket="modcluster">
	<dynamic-load-provider>
	<load-metric type="busyness"/>
	</dynamic-load-provider>
	<ssl ca-certificate-file="/vault/certs/ca-cert.jks"
	certificate-key-file="/vault/certs/client-cert-key.jks"
	password="tomcat"
	key-alias="javaclient"
	cipher-suite="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
	protocol="TLSv1"/>
	</mod-cluster-config>
	</subsystem>

	+++

	<subsystem xmlns="urn:jboss:domain:web:2.1" native="false">
	<connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enabled="true" secure="true">
	<ssl name="https"
	ca-certificate-file="/vault/certs/ca-cert.jks"
	certificate-key-file="/vault/certs/server-cert-key.jks"
	certificate-file="/vault/certs/server-cert-key.jks"
	password="tomcat"
	verify-client="true"
	key-alias="javaserver"
	cipher-suite="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" protocol="TLSv1"/>
	</connector>
	<virtual-server name="default-host" enable-welcome-root="true">
	<alias name="localhost"/>
	<alias name="example.com"/>
	</virtual-server>
	</subsystem>