Created
July 18, 2014 09:40
mod_cluster HTTPS-only configuration example
# Note: There is only "Listen 192.168.122.204:2181" in conf/http.conf,
# all other configuration including SSL is done here for demonstration purposes.
#
# Two TLS endpoints are configured in this file:
#   - the vhost on :2181 (presumably the endpoint that proxies to the workers), and
#   - the mod_cluster management vhost on :8847, which receives MCPM messages from
#     the JBoss/EAP nodes and advertises itself via multicast.
# Both require a client certificate (SSLVerifyClient require) issued by myca.crt.
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule advertise_module modules/mod_advertise.so
# Shared-memory file used by mod_manager to store node/balancer state.
MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
# mod_cluster directive for emulating cpin/cpong
EnableOptions
# SSL properties for vhost on 2181
SSLEngine on
# SSLv2/SSLv3 are disabled; TLSv1 stays enabled on purpose because the JBoss
# <ssl> elements in this example pin protocol="TLSv1" - tightening this list
# must be done on both ends at once.
SSLProtocol all -SSLv2 -SSLv3
# "EECDH+aRSA+RC4" is effectively a no-op here: the later "!RC4" permanently
# removes every RC4 suite from the list (see the identical list on the :8847
# vhost below, where the same applies).
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLHonorCipherOrder on
SSLCertificateFile /vault/certs/server.crt
SSLCertificateKeyFile /vault/certs/server.key
# CA used to validate the certificates presented by connecting clients;
# mutual TLS is mandatory ("require"), so unauthenticated clients are rejected
# at the handshake.
SSLCACertificateFile /vault/certs/myca.crt
SSLVerifyClient require
# Proxy side (httpd -> backend https connector): the backend certificate is
# verified against the same CA and httpd presents client.pem as its own client
# certificate. No SSLProxyCipherSuite is set, so the proxy handshake uses
# mod_ssl's default proxy cipher list, not the SSLCipherSuite above.
SSLProxyVerify require
SSLProxyEngine On
# A depth of 10 is generous for a private CA; a smaller value limits how long
# a chain a client may present before it is rejected.
SSLVerifyDepth 10
SSLProxyMachineCertificateFile /vault/certs/client.pem
SSLProxyCACertificateFile /vault/certs/myca.crt
SSLProxyProtocol all -SSLv2 -SSLv3
ServerName 192.168.122.204:2181
# MOD_CLUSTER
<IfModule manager_module>
    # Management listener for the worker nodes; deliberately separate from :2181
    # so that MCPM traffic and proxied client traffic can be restricted independently.
    Listen 192.168.122.204:8847
    # Test and demonstration purposes...
    # debug logging is very verbose and can record request details; not for production.
    LogLevel debug
    <VirtualHost 192.168.122.204:8847>
        ServerName 192.168.122.204:8847
        <Directory />
            Order deny,allow
            Deny from all
            #CHANGEIT This is only for testing!
            # "Allow from all" wins over the "Deny from all" above under "Order deny,allow";
            # outside a lab this should list only the worker nodes' addresses.
            Allow from all
        </Directory>
        KeepAliveTimeout 60
        # 0 = unlimited requests per keep-alive connection.
        MaxKeepAliveRequests 0
        # Multicast advertisement of this proxy to the workers; the group/port should
        # match the "modcluster" advertise socket-binding configured on the nodes.
        ServerAdvertise on
        AdvertiseFrequency 5
        ManagerBalancerName qacluster
        AdvertiseGroup 224.0.5.79:65009
        # Accept MCPM (node registration/status) messages on this vhost.
        EnableMCPMReceive
        # SSL properties for mod_cluster vhost
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        # NOTE(review): "!3DES" excludes every suite that the JBoss mod_cluster <ssl>
        # cipher-suite in this example offers (all three are *_WITH_3DES_EDE_CBC_SHA), so
        # as written the two ends appear to have no cipher in common on :8847 - confirm
        # against the handshake in the httpd/node logs before reusing these lists.
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
        SSLHonorCipherOrder on
        SSLCertificateFile /vault/certs/server.crt
        SSLCertificateKeyFile /vault/certs/server.key
        # Worker nodes must present a certificate issued by myca.crt; this is the
        # only authentication protecting MCPM on this vhost.
        SSLCACertificateFile /vault/certs/myca.crt
        SSLVerifyClient require
        SSLProxyVerify require
        SSLProxyEngine On
        SSLVerifyDepth 10
        SSLProxyMachineCertificateFile /vault/certs/client.pem
        SSLProxyCACertificateFile /vault/certs/myca.crt
        SSLProxyProtocol all -SSLv2 -SSLv3
        # Status/management page of mod_cluster.
        <Location /mcm>
            SetHandler mod_cluster-manager
            Order deny,allow
            Deny from all
            #CHANGEIT This is only for testing!
            # The manager page allows changing balancer/node state; apart from the
            # client certificate requirement nothing restricts it while "Allow from all"
            # is in effect - limit it to administrative addresses.
            Allow from all
        </Location>
    </VirtualHost>
</IfModule>
<!-- mod_cluster subsystem on the worker node: registers with httpd on :8847 over
     mutual TLS using the keystore/truststore below. -->
<subsystem xmlns="urn:jboss:domain:modcluster:1.2">
  <!-- connector="https" refers to the web connector of that name in the web subsystem
       (second snippet); advertise-socket names a socket-binding defined elsewhere
       that should carry the same multicast group/port as AdvertiseGroup in httpd. -->
  <mod-cluster-config connector="https" advertise-socket="modcluster">
    <dynamic-load-provider>
      <load-metric type="busyness"/>
    </dynamic-load-provider>
    <!-- Client-side TLS for the MCPM connection.
         NOTE(review): the keystore password is a clear-text literal; prefer an
         externalised/vaulted value in anything beyond a demo.
         NOTE(review): only 3DES suites are offered here while the httpd example
         excludes 3DES ("!3DES") on :8847 - verify the handshake succeeds.
         protocol="TLSv1" pins the client to TLS 1.0 only. -->
    <ssl ca-certificate-file="/vault/certs/ca-cert.jks"
         certificate-key-file="/vault/certs/client-cert-key.jks"
         password="tomcat"
         key-alias="javaclient"
         cipher-suite="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
         protocol="TLSv1"/>
  </mod-cluster-config>
</subsystem>
+++
<!-- Web subsystem on the worker node: the HTTPS connector httpd proxies to
     (the SSLProxy* directives and client.pem on the httpd side). -->
<subsystem xmlns="urn:jboss:domain:web:2.1" native="false">
  <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enabled="true" secure="true">
    <!-- verify-client="true" makes a client certificate (issued by the CA in
         ca-cert.jks) mandatory, so httpd must present client.pem on every
         proxied connection.
         NOTE(review): certificate-file and certificate-key-file point at the same
         keystore - presumably intentional (one JKS holding key and certificate);
         confirm.
         NOTE(review): clear-text keystore password, same remark as for the
         mod_cluster subsystem. Only 3DES suites and TLS 1.0 are offered. -->
    <ssl name="https"
         ca-certificate-file="/vault/certs/ca-cert.jks"
         certificate-key-file="/vault/certs/server-cert-key.jks"
         certificate-file="/vault/certs/server-cert-key.jks"
         password="tomcat"
         verify-client="true"
         key-alias="javaserver"
         cipher-suite="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
         protocol="TLSv1"/>
  </connector>
  <virtual-server name="default-host" enable-welcome-root="true">
    <alias name="localhost"/>
    <alias name="example.com"/>
  </virtual-server>
</subsystem>
Does this example apply to Wildfly 10 ?
hi,
i don't manage to make it work with wildfly 9: as soon as i put the https connector in, the server doesn't work any more...
a solution? because i use client certificate authentication
That is an EAP example, do you have a WildFly8 example too?