Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
mod_cluster HTTPS-only configuration example
# Note: There is only "Listen 192.168.122.204:2181" in conf/http.conf,
# all other configuration including SSL is done here for demonstration purposes.
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule advertise_module modules/mod_advertise.so
MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
# mod_cluster directive for emulating cpin/cpong
EnableOptions
# SSL properties for vhost on 2181
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLHonorCipherOrder on
SSLCertificateFile /vault/certs/server.crt
SSLCertificateKeyFile /vault/certs/server.key
SSLCACertificateFile /vault/certs/myca.crt
SSLVerifyClient require
SSLProxyVerify require
SSLProxyEngine On
SSLVerifyDepth 10
SSLProxyMachineCertificateFile /vault/certs/client.pem
SSLProxyCACertificateFile /vault/certs/myca.crt
SSLProxyProtocol all -SSLv2 -SSLv3
ServerName 192.168.122.204:2181
# MOD_CLUSTER
<IfModule manager_module>
Listen 192.168.122.204:8847
# Test and demonstration purposes...
LogLevel debug
<VirtualHost 192.168.122.204:8847>
ServerName 192.168.122.204:8847
<Directory />
Order deny,allow
Deny from all
#CHANGEIT This is only for testing!
Allow from all
</Directory>
KeepAliveTimeout 60
MaxKeepAliveRequests 0
ServerAdvertise on
AdvertiseFrequency 5
ManagerBalancerName qacluster
AdvertiseGroup 224.0.5.79:65009
EnableMCPMReceive
# SSL properties for mod_cluster vhost
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLHonorCipherOrder on
SSLCertificateFile /vault/certs/server.crt
SSLCertificateKeyFile /vault/certs/server.key
SSLCACertificateFile /vault/certs/myca.crt
SSLVerifyClient require
SSLProxyVerify require
SSLProxyEngine On
SSLVerifyDepth 10
SSLProxyMachineCertificateFile /vault/certs/client.pem
SSLProxyCACertificateFile /vault/certs/myca.crt
SSLProxyProtocol all -SSLv2 -SSLv3
<Location /mcm>
SetHandler mod_cluster-manager
Order deny,allow
Deny from all
#CHANGEIT This is only for testing!
Allow from all
</Location>
</VirtualHost>
</IfModule>
<subsystem xmlns="urn:jboss:domain:modcluster:1.2">
<mod-cluster-config connector="https" advertise-socket="modcluster">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
<ssl ca-certificate-file="/vault/certs/ca-cert.jks"
certificate-key-file="/vault/certs/client-cert-key.jks"
password="tomcat"
key-alias="javaclient"
cipher-suite="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
protocol="TLSv1"/>
</mod-cluster-config>
</subsystem>
+++
<subsystem xmlns="urn:jboss:domain:web:2.1" native="false">
<connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enabled="true" secure="true">
<ssl name="https"
ca-certificate-file="/vault/certs/ca-cert.jks"
certificate-key-file="/vault/certs/server-cert-key.jks"
certificate-file="/vault/certs/server-cert-key.jks"
password="tomcat"
verify-client="true"
key-alias="javaserver"
cipher-suite="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" protocol="TLSv1"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>

jfclere commented Oct 29, 2014

That is a EAP example do you have WildFly8 example too?

Does this example apply to Wildfly 10 ?

hi,

i don't manage to make it work with wildfly 9 as i put https connector the seerver don't work any more...

a solution? becaus i use client certificate authentication

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment