mod_cluster HTTPS-only configuration example
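# Note: httpd.conf carries only "Listen 192.168.122.204:2181"; everything else,
# including the TLS setup for that listener, lives here for demonstration purposes.
LoadModule slotmem_module modules/mod_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule advertise_module modules/mod_advertise.so
# Shared-memory file mod_manager uses to track registered workers; /dev/shm keeps it off disk.
MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
# mod_cluster directive for emulating cpin/cpong
EnableOptions
# SSL properties for the listener on 2181.
# NOTE(review): there is no <VirtualHost ...:2181> on this page, so these directives sit at
# main-server scope; they apply to the default server answering 2181 and, as far as mod_ssl's
# config merging goes, are inherited by the 8847 vhost below unless overridden there.
SSLEngine on
# NOTE(review): this still permits TLS 1.0 and 1.1. Add "-TLSv1 -TLSv1.1" once every worker
# negotiates TLS 1.2; the JBoss snippets further down pin protocol="TLSv1", so change both
# sides together or the handshake will fail.
SSLProtocol all -SSLv2 -SSLv3
# "!RC4" removes RC4 from the OpenSSL list permanently, so the "EECDH+aRSA+RC4" entry the
# original carried was dead and has been dropped; the effective cipher set is unchanged.
# Note "!3DES" and "!DSS": peers that offer only 3DES or DSS suites cannot connect here.
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLHonorCipherOrder on
SSLCertificateFile /vault/certs/server.crt
SSLCertificateKeyFile /vault/certs/server.key
# Mutual TLS: every client must present a certificate that chains to myca.crt.
SSLCACertificateFile /vault/certs/myca.crt
SSLVerifyClient require
SSLVerifyDepth 10
# Outbound (proxy -> worker) TLS: httpd authenticates with client.pem and requires the
# worker's certificate to chain to myca.crt.
SSLProxyEngine On
SSLProxyVerify require
SSLProxyMachineCertificateFile /vault/certs/client.pem
SSLProxyCACertificateFile /vault/certs/myca.crt
# NOTE(review): no SSLProxyCipherSuite is set, so outbound connections use mod_ssl's
# default list rather than the inbound policy above; set one if the same policy is intended.
SSLProxyProtocol all -SSLv2 -SSLv3
ServerName 192.168.122.204:2181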
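# MOD_CLUSTER
<IfModule manager_module>
    Listen 192.168.122.204:8847
    # Test and demonstration purposes only: "debug" is very verbose; lower it in production.
    LogLevel debug
    <VirtualHost 192.168.122.204:8847>
        ServerName 192.168.122.204:8847
        <Directory />
            Order deny,allow
            Deny from all
            #CHANGEIT This is only for testing! With "Order deny,allow" the Allow line below
            # wins, so any host that reaches 8847 and passes the client-certificate check can
            # send MCPM commands (register, enable, disable, stop workers). Restrict it to the
            # worker subnet, e.g. "Allow from 192.168.122.0/24".
            Allow from all
        </Directory>
        KeepAliveTimeout 60
        MaxKeepAliveRequests 0
        # Announce this proxy to workers over multicast.
        ServerAdvertise on
        AdvertiseFrequency 5
        ManagerBalancerName qacluster
        AdvertiseGroup 224.0.5.79:65009
        # NOTE(review): advertisements are unauthenticated as configured; consider
        # AdvertiseSecurityKey (with the matching key on the workers) so a rogue host on the
        # multicast group cannot pose as the proxy, or give workers a static proxy list.
        # Accept MCPM (mod_cluster management protocol) messages on this vhost.
        EnableMCPMReceive
        # SSL properties for the mod_cluster vhost. These repeat the main-server settings;
        # mod_ssl would most likely inherit them, but spelling them out keeps the policy explicit.
        SSLEngine on
        # NOTE(review): still allows TLS 1.0/1.1; add "-TLSv1 -TLSv1.1" once all workers
        # negotiate TLS 1.2.
        SSLProtocol all -SSLv2 -SSLv3
        # "!RC4" removes RC4 permanently, so the dead "EECDH+aRSA+RC4" entry was dropped;
        # the negotiated set is unchanged. Because of "!3DES" and "!DSS" the worker must
        # offer a non-3DES, RSA/ECDSA suite or the MCPM handshake fails.
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
        SSLHonorCipherOrder on
        SSLCertificateFile /vault/certs/server.crt
        SSLCertificateKeyFile /vault/certs/server.key
        SSLCACertificateFile /vault/certs/myca.crt
        # Mutual TLS: workers must present a certificate chaining to myca.crt.
        SSLVerifyClient require
        SSLVerifyDepth 10
        # Outbound TLS to workers: present client.pem and verify the worker against myca.crt.
        SSLProxyEngine On
        SSLProxyVerify require
        SSLProxyMachineCertificateFile /vault/certs/client.pem
        SSLProxyCACertificateFile /vault/certs/myca.crt
        SSLProxyProtocol all -SSLv2 -SSLv3
        # Status/management UI. It shows node state and offers enable/disable actions, so the
        # same CHANGEIT caveat as for <Directory /> applies: never leave it open to all.
        <Location /mcm>
            SetHandler mod_cluster-manager
            Order deny,allow
            Deny from all
            #CHANGEIT This is only for testing! Restrict to admin hosts, e.g. "Allow from 127.0.0.1".
            Allow from all
        </Location>
    </VirtualHost>
</IfModule>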
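<subsystem xmlns="urn:jboss:domain:modcluster:1.2">
    <!-- Worker-side mod_cluster: registers through the "https" connector and discovers
         proxies via the "modcluster" advertise socket binding. -->
    <mod-cluster-config connector="https" advertise-socket="modcluster">
        <dynamic-load-provider>
            <load-metric type="busyness"/>
        </dynamic-load-provider>
        <!-- TLS for the MCPM connection to httpd's 8847 vhost: mutual TLS, the worker
             presents "javaclient" and validates the proxy against ca-cert.jks.
             NOTE(review): the httpd side excludes 3DES ("!3DES") and DSS ("!DSS"), so the
             original list of three 3DES-only suites (one of them DSS) could never be
             negotiated. It is replaced with ECDHE/DHE AES suites that fall inside httpd's
             "EECDH+aRSA" / "EDH+aRSA" entries, and the protocol is raised to TLSv1.2 so the
             GCM suite is usable. Assumes "javaclient" is an RSA key; verify against the
             keystore. The GCM suite needs Java 8 or later, the CBC ones Java 7.
             NOTE(review): the keystore password is stored as a literal; prefer a
             password-vault expression so it is not kept in clear text in the model. -->
        <ssl ca-certificate-file="/vault/certs/ca-cert.jks"
             certificate-key-file="/vault/certs/client-cert-key.jks"
             password="tomcat"
             key-alias="javaclient"
             cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
             protocol="TLSv1.2"/>
    </mod-cluster-config>
</subsystem>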
+++ | |
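<subsystem xmlns="urn:jboss:domain:web:2.1" native="false">
    <!-- The https connector httpd proxies requests to (see the SSLProxy* directives on the
         proxy side). native="false" means JSSE, so cipher names are JSSE names. -->
    <connector name="https" protocol="HTTP/1.1" socket-binding="https" scheme="https" enabled="true" secure="true">
        <!-- verify-client="true" demands a client certificate, which httpd supplies from
             client.pem; the CA that must have signed it is ca-cert.jks. certificate-file and
             certificate-key-file point at the same JKS, which is fine for a keystore that
             holds both the key and its certificate under "javaserver".
             NOTE(review): httpd does not set SSLProxyCipherSuite, so whether its default
             list still contains 3DES depends on the OpenSSL build; the original 3DES-only
             list (one suite DSS) is therefore fragile and is replaced with ECDHE/DHE AES
             suites on TLSv1.2. Assumes "javaserver" is an RSA key; verify. GCM needs
             Java 8 or later.
             NOTE(review): the keystore password is a literal; prefer a password-vault
             expression so it is not stored in clear text in the model. -->
        <ssl name="https"
             ca-certificate-file="/vault/certs/ca-cert.jks"
             certificate-key-file="/vault/certs/server-cert-key.jks"
             certificate-file="/vault/certs/server-cert-key.jks"
             password="tomcat"
             verify-client="true"
             key-alias="javaserver"
             cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
             protocol="TLSv1.2"/>
    </connector>
    <!-- NOTE(review): enable-welcome-root="true" serves the default welcome page at /;
         it is usually switched off on a hardened server. -->
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>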
Does this example apply to WildFly 10?
Hi, I can't get it to work with WildFly 9: as soon as I put in the https connector the server doesn't work any more...
Is there a solution? I ask because I use client certificate authentication.
That is an EAP example; do you have a WildFly 8 example too?