So my firewall is OFF and my standalone.xml contains
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<any-ipv4-address/>
</interface>
<interface name="unsecure">
<inet-address value="${jboss.bind.address.unsecure:192.168.56.1}"/>
</interface>
</interfaces>
Running netstat gives
C:\Users\Ram>netstat -an | find "8080"
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING
TCP 127.0.0.1:50200 127.0.0.1:8080 TIME_WAIT
Running telnet from another computer connected to the network
C:\Users\Rami>telnet 192.168.56.1 8080
Connecting To 192.168.56.1...Could not open connection to the host, on port 8080
: Connect failed
I can reach the server homepage typing http://192.168.56.1:8080/ on the computer that has the server started on but not from any other device connected to my local home network.
The configuration looks fine, I assume that there is some other Windows /network configuration besides the firewall setting preventing your access.
Try telnet hostname port from your client to your server to check if port is accessible (see this SU answer).
Related
I am trying to configure a JBOSS EAP 7.0 server to use HTTPS and TLS 1.2.
I have created a certificcate using the command:
keytool -keystore <PATH>\keystore2.jks -alias servercert -validity 365 -genkey
I have then added the following to the standalone.xml using the cli tool.
<security-realm name="HTTPSRealm">
<server-identities>
<ssl>
<keystore path="<PATH>\keystore2.jks" keystore-password="password" alias="servercert"/>
</ssl>
</server-identities>
</security-realm>
</security-realms>
...
<https-listener name="https" security-realm="HTTPSRealm" socket-binding="https"/>
The port binding for HTTPS is
<socket-binding name="https" port="${jboss.https.port:8082}"/>
When I try and access my web application using https on port 8082 I get a connection closed error from my browswer.
Can anyone tell me what I have done wrong and how to enable HTTPS? There doesn't seem to be any errors being created in the logs and the listener is listed on start-up.
The Certificate seemed to be broken I generated another one and it worked fine.
I want to send logmessages from a Java application to Graylog, using slf4j on top of logback with a logback GELF-appender on one side and a Graylog GELF-input on the other. To test it, i'm running Graylog in a Docker container (using Docker for Mac) and run my Java application locally. The gist of my story is that the Graylog GELF-input does not receive anything from the Java application. Somehow the Java application and Graylog don't seem to be able to communicate. The same applies when i switch to a different appender/input combination (one based on syslog records). However, when echoing a message from the commandline to a different Graylog input, namely the RAW input that's listening to port 5555, that message is received fine.
Any idea what the problem is?
This is my setup using GELF:
Java app:
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class LogDemo {
public static void main(String[] args) {
Logger logger = LoggerFactory.getLogger(LogDemo.class);
logger.error("Hello World 2");
}
}
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.example</groupId>
<artifactId>logdemo</artifactId>
<version>1.0-SNAPSHOT</version>
<dependencies>
<dependency>
<groupId>de.appelgriepsch.logback</groupId>
<artifactId>logback-gelf-appender</artifactId>
<version>1.5</version>
</dependency>
</dependencies>
</project>
logback.xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<appender name="GELF" class="de.appelgriepsch.logback.GelfAppender">
<server>localhost</server>
<port>12201</port>
<protocol>TCP</protocol>
</appender>
<root level="error">
<appender-ref ref="GELF"/>
</root>
</configuration>
Graylog docker startup:
$ docker run --name mongo -d mongo:3
$ docker run --name elasticsearch \
-e "http.host=0.0.0.0" \
-e "ES_JAVA_OPTS=-Xms512m -Xmx512m" \
-d docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.10
$ docker run --link mongo --link elasticsearch \
-p 9000:9000 -p 12201:12201 -p 1514:1514 -p 5555:5555 \
-e GRAYLOG_HTTP_EXTERNAL_URI="http://127.0.0.1:9000/" \
-d graylog/graylog:3.3
Graylog GELF tcp input (running):
bind_address: 0.0.0.0
decompress_size_limit: 8388608
max_message_size: 2097152
number_worker_threads: 4
override_source: <empty>
port: 12201
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password:********
use_null_delimiter: true
As stated, when i run the java app and Graylog is running as a Docker container in the background, Graylog does not receive the logmessage i sent. However, when i type the following on my commandline (using Terminal on Mac), the message IS received by the Graylog RAW input:
$ echo "Testmessage" | nc localhost 5555
Does somebody got a clue what i'm doing wrong?
I found a solution, though i'm not sure what the exact cause of the problem was. The solution was to use a different Gelf appender. Instead of the one i mentioned above, i'm now using the following one:
<dependency>
<groupId>de.siegmar</groupId>
<artifactId>logback-gelf</artifactId>
<version>2.2.0</version>
</dependency>
That did the trick, but as i said, i'm unsure why the one i used earlier did not work.
I have one linux machine with 2 Wildfly servers listening on 2 différents https ports.
I have one domain and 2 sub-domain: aa.mydomain.fr et bb.mydomain.fr that i redirect to my 2 wildlfy servers using a Haproxy (i didn't find other solutions to redirect 2 sub-domain in dealing with 2 different https ports and one linux server IP)
My HapProxy server configuration (for aa.mydomain.fr only):
global
log 127.0.0.1:514 local0 info
daemon
maxconn 4096
tune.ssl.default-dh-param 1024
ssl-default-bind-options ssl-min-ver TLSv1.2
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
log global
option httplog
option forwardfor
frontend http-in
bind linux_server_ip:80
acl is_demo_site hdr_end(host) aa.mydomain.fr
use_backend demo_site if is_demo_site
frontend https-in
bind linux_server_ip:443 ssl crt /etc/haproxy/cert/mycert.pem
acl is_demo_https_site hdr_end(host) aa.mydomain.fr
use_backend demo_https_site if is_demo_https_site
backend demo_site
server s1 linux_server_ip:8xxx maxconn 32
backend demo_https_site
server s3 linux_server_ip:8yyy maxconn 32
http-request set-header X-Forwarded-Proto https
My wildfly server conf for sub-domain aa.mydomain.fr:
<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" proxy-protocol="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<access-log pattern="%a %t %H %p %U %s %S %T" directory="${jboss.home.dir}/standalone/log" prefix="access_"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
...
<socket-binding name="http" port="${jboss.http.port:8xxx}"/>
<socket-binding name="https" port="${jboss.https.port:8yyy}"/>
...
</socket-binding-group>
The http redirection works fine but not the https one which return an 502 error code bad Gateway and i have this error message in my wildfly server log:
2019-09-10 10:47:11,746 TRACE [org.xnio.nio] (default I/O-2) Running task org.xnio.nio.QueuedNioTcpServer$1#7b85bf52
2019-09-10 10:47:11,746 TRACE [org.xnio.nio] (default I/O-2) Running task org.xnio.nio.NioHandle$1#dd77838
2019-09-10 10:47:11,746 DEBUG [io.undertow.request.io] (default I/O-2) UT005013: An IOException occurred: java.io.IOException: UT000179: Invalid PROXY protocol header
at io.undertow.core#2.0.15.Final//io.undertow.server.protocol.proxy.ProxyProtocolReadListener.handleEvent(ProxyProtocolReadListener.java:90)
at io.undertow.core#2.0.15.Final//io.undertow.server.protocol.proxy.ProxyProtocolReadListener.handleEvent(ProxyProtocolReadListener.java:34)
at org.jboss.xnio#3.6.5.Final//org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.jboss.xnio#3.6.5.Final//org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at org.jboss.xnio.nio#3.6.5.Final//org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.jboss.xnio.nio#3.6.5.Final//org.xnio.nio.NioHandle$1.run(NioHandle.java:50)
at org.jboss.xnio.nio#3.6.5.Final//org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
at org.jboss.xnio.nio#3.6.5.Final//org.xnio.nio.WorkerThread.run(WorkerThread.java:479)
2019-09-10 10:47:11,747 TRACE [org.xnio.nio] (default I/O-2) Cancelling key channel=java.nio.channels.SocketChannel[connected local=/linux_server_ip:8xxx remote=/linux_server_ip:49866], selector=sun.nio.ch.EPollSelectorImpl#4a7d8873, interestOps=1, readyOps=0 of java.nio.channels.SocketChannel[connected local=/linux_server_ip:8xxx remote=/linux_server_ip:49866] (same thread)
2019-09-10 10:47:11,747 TRACE [org.xnio.nio] (default I/O-2) Added task org.xnio.nio.QueuedNioTcpServer$2#1939a2a9
Details of the error:
private static final byte[] NAME = "PROXY ".getBytes(StandardCharsets.US_ASCII);
…
public void handleEvent(StreamSourceChannel streamSourceChannel) {
PooledByteBuffer buffer = bufferPool.allocate();
boolean freeBuffer = true;
try {
for (; ; ) {
int res = streamSourceChannel.read(buffer.getBuffer());
if (res == -1) {
IoUtils.safeClose(streamConnection);
return;
} else if (res == 0) {
return;
} else {
buffer.getBuffer().flip();
while (buffer.getBuffer().hasRemaining()) {
char c = (char) buffer.getBuffer().get();
if (byteCount < NAME.length) {
//first we verify that we have the correct protocol
if (c != NAME[byteCount]) {
throw **UndertowMessages.MESSAGES.invalidProxyHeader()**;
}
…
Notes:
I use a "Let's encrypt" SSL certificat.
I get the same error code if i remove the "option forwardfor" in the Haproxy conf.
If i add "accept-proxy" in frontend https-in section and "send-proxy" in backend demo_https_site, i get the Following message in haproxy.log: "Received something which does not look like a PROXY protocol header".
When i monitor the header request with FF monitor tools, i don't see X-Forwarded detail...
Software details:
Haproxy v1.8.8/Wildfly v15.0.1
I don't know if the issue come from my wildfly conf or my haproxy conf, can somebody suggest idea or fix please ?
Best regards.
One way I think you could fix this is by adding proxy protocol to your https proxy with the send-proxy or send-proxy-v2 option. e.g:
backend demo_https_site
server s3 linux_server_ip:8yyy maxconn 32 send-proxy
Another way would be to remove proxy-protocol from wildfly, e.g:
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
However, this will means the client's source ip would have to be derived from the X-Forwarded-For header.
I have a very strange exception in my application. 127.0.0.1 is unknown host. I don't know how it can happened. Below details:
ShardedAmqpSpout [WARN] Failed to reconnect to AMQP broker
java.net.UnknownHostException: 127.0.0.1
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:178)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)
at java.net.Socket.connect(Socket.java:579)
at com.rabbitmq.client.impl.FrameHandlerFactory.create(FrameHandlerFactory.java:32)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:588)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:612)
at pl.mbank.storm.amqp.ShardedAmqpSpout.setupAMQP(ShardedAmqpSpout.java:220)
at pl.mbank.storm.amqp.ShardedAmqpSpout.reconnect(ShardedAmqpSpout.java:239)
at pl.mbank.storm.amqp.ShardedAmqpSpout.open(ShardedAmqpSpout.java:201)
at backtype.storm.daemon.executor$fn__3985$fn__3997.invoke(executor.clj:460)
at backtype.storm.util$async_loop$fn__465.invoke(util.clj:375)
at clojure.lang.AFn.run(AFn.java:24)
at java.lang.Thread.run(Thread.java:722)
Clear the space before and after 127.0.0.1. I'v fixed with this.
I am trying to configure WildFly 8.1.0 with mod_cluster. Both WildFly and Apache are running on the same machine. The machine is Ubuntu 12.04 with Apache 2.2.x
Apache is set up correctly (I believe). I have tested that the advertise module is working correctly by running the test class Advertise found in the mod_proxy source code (github). There are no errors in the apache logs.
I am starting the server as follows: ./standalone.sh -c standalone-ha.xml
If any one can see something wrong with the configuration below and help put me out of days of misery, I would be really grateful....
Apache configuration
CreateBalancers 1
<IfModule manager_module>
#Listen 127.0.1.1:6666
Listen *:6666
ManagerBalancerName mycluster
<VirtualHost *:6666>
KeepAliveTimeout 300
MaxKeepAliveRequests 0
AdvertiseFrequency 5
ServerAdvertise On
AllowDisplay On
<Location />
Order deny,allow
Allow from 127.0.1
</Location>
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
Order deny,allow
#Deny from all
#Allow from 127.0.1
Allow from all
</Location>
</VirtualHost>
</IfModule>
VirtualHost configuration
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ProxyPass / balancer://mycluster stickysession=JSESSIONID|jsessionid nofailover=On
ProxyPassReverse / balancer://mycluster
ProxyPreserveHost On
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The results of the Advertize test class
received from /178.62.50.xxx:23364
received: HTTP/1.0 200 OK
Date: Sat, 26 Jul 2014 20:03:12 GMT
Sequence: 121
Digest: 4dedd3761d451227f36534b63ca2a8a1
Server: b23584e2-314f-404d-8fde-05069bfe5dc7
X-Manager-Address: 127.0.1.1:6666
X-Manager-Url: /b23584e2-314f-404d-8fde-05069bfe5dc7
X-Manager-Protocol: http
X-Manager-Host: 127.0.1.1
The print out from mod_cluster_manager (178.62.50.xxx:6666/mod_cluster_manager)
mod_cluster/1.2.6.Final
start of "httpd.conf" configuration
mod_proxy_cluster.c: OK
mod_sharedmem.c: OK
Protocol supported: http AJP
mod_advertise.c: OK
Server: 127.0.1.1
Server: 127.0.1.1 VirtualHost: *:80
Server: 127.0.1.1 VirtualHost: *:6666 Advertising on Group 224.0.1.105 Port 23364 for http://127.0.1.1:6666 every 5 seconds
end of "httpd.conf" configuration
Lastly, here are the relevant bits taken from standalone-ha.xml
<subsystem xmlns="urn:jboss:domain:modcluster:1.2">
<mod-cluster-config advertise-socket="modcluster" connector="ajp">
<dynamic-load-provider>
<load-metric type="cpu"/>
</dynamic-load-provider>
</mod-cluster-config>
</subsystem>
<socket-binding name="modcluster" port="0" multicast-address="224.0.1.105" multicast-port="23364"/>
<interfaces>
<interface name="management">
<inet-address value="178.62.50.xxx"/>
</interface>
<interface name="public">
<inet-address value="127.0.1.1"/>
</interface>
<interface name="unsecure">
<inet-address value="${jboss.bind.address.unsecure:127.0.1.1}"/>
</interface>
</interfaces>
The only part of the server log that relates to modcluster (output during server startup)
15:53:29,805 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) JBAS017519: Undertow HTTP listener default listening on /127.0.1.1:8080
15:53:29,811 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) JBAS017519: Undertow AJP listener ajp listening on /127.0.1.1:8009
15:53:29,905 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 54) MODCLUSTER000001: Initializing mod_cluster version 1.3.0.Final
15:53:29,967 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 54) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
I managed to figure out the problem here, finally. The public interface also needs to reference the server IP, not 127.0.1.1.
The updated interface configuration is:
<interfaces>
<interface name="management">
<inet-address value="178.62.50.xxx"/>
</interface>
<interface name="public">
<inet-address value="178.62.50.xxx"/>
</interface>
<interface name="unsecure">
<inet-address value="${jboss.bind.address.unsecure:127.0.1.1}"/>
</interface>
</interfaces>
You need to:
use EnableMCPMReceive in that <VirtualHost *:6666> so as to allow it to consume MCMP messages from WildFly
<Location /> in that EnableMCPMReceive enabled VirtualHost must allow IP addresses of WildFly servers
with WildFly, never bind to localhost -- it doesn't make any sense in the mod_cluster environment except when the boxes (Apache and WildFly instances) are located all in a single box; which is likely a local development situation only
the whole chain of events is as follows:
Apache sends a UDP multicast message stating its location (by default the VirtualHost with which is the advertising enabled)
WildFly catches the message and mod_cluster subsystem sends CONFIG and STATUS messages containing its JvmRoute (instance-id), Host, Port, protocol..., load... The Host and Port must be reachable from the Apache HTTP Server.
Apache HTTP Server talks to the WildFly server on its Host:Port with STATUS-RSP messages etc. The communication is bidirectional.
Please, don't confuse this with request routing, by default, client requests are delivered from Apache HTTP Server to WildFly and back via AJP whereas the MCMP messages use HTTP.
HTH
K