How do you configure JBOSS to allow port 8080 over HTTPS?

I have a JBOSS server (7.0) running an application that uses ServiceWorkers, which requires an HTTPS connection. I was able to update the standalone.xml and Eclipse launch configuration to bind my JBOSS server to my local IP (I'll worry about port forwarding later). Connecting to http://192.168.0.197:8080/[application] works just fine, except that ServiceWorkers won't start because it isn't an HTTPS connection. If I try https://192.168.0.197:8080/[application], the connection fails with the browser reporting "unable to connect".
I've researched several documentation sources and can't figure out what needs to be updated. Please forgive any terminology errors - my background is with application programming and networking tends to be the bane of my existence.
This is the pertinent standalone.xml configuration:
    <subsystem xmlns="urn:jboss:domain:webservices:2.0">
        <wsdl-host>${jboss.bind.address:192.168.0.97}</wsdl-host>
        <endpoint-config name="Standard-Endpoint-Config"/>
        <endpoint-config name="Recording-Endpoint-Config">
            <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
                <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
            </pre-handler-chain>
        </endpoint-config>
        <client-config name="Standard-Client-Config"/>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
</profile>
<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:192.168.0.97}"/>
    </interface>
    <interface name="public">
        <inet-address value="${jboss.bind.address:192.168.0.97}"/>
    </interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>
And the Eclipse launch configuration:
-mp "C:\JBOSS-EAP70\modules" org.jboss.as.standalone --server-config=standalone.xml -Djboss.server.base.dir=C:\JBOSS-EAP70\standalone
"-Dprogram.name=JBossTools: Red Hat JBoss Enterprise Application Platform 7.0 at localhost" -server -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dorg.jboss.resolver.warning=true -Djava.net.preferIPv4Stack=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true "-Dorg.jboss.boot.log.file=C:\JBOSS-EAP70\standalone\log\boot.log" "-Dlogging.configuration=file:C:\JBOSS-EAP70\standalone\configuration\logging.properties" "-Djboss.home.dir=C:\JBOSS-EAP70" -Dorg.jboss.logmanager.nocolor=true

It's there in your configuration:
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
You'd need to change the http port and then the https port.
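Whether a port answers TLS at all depends on which Undertow listener references its socket-binding, not on the port number: in the configuration above the "http" binding (8080) is the one an http-listener uses, so a browser sending a TLS ClientHello to 8080 reaches a plain-HTTP socket and reports a failed connection, and the "https" binding (8443) serves nothing until an https-listener backed by a realm keystore references it. The script below is an added example, not code from the question, the answer or JBoss: it parses a standalone.xml, resolves the ${property:default} expressions and the port-offset the way the server does at boot, and reports for a given URL whether its port is served and by which scheme. The XML inside it is a constructed, cut-down copy of the question's configuration; the https-listener line added in the "fixed" variant uses the form shown later on this page and still needs a keystore in ApplicationRealm, which this audit does not check.

```python
"""Audit which Undertow listeners serve which TCP ports in a WildFly / JBoss EAP 7
standalone.xml, and explain why a given URL would or would not be served over TLS.
Added example (not from the page or from JBoss); the XML below is constructed."""
import re
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed, reduced standalone.xml in the shape of the question's config:
# one http-listener on the "http" binding and no https-listener at all.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:3.0">
      <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <host name="default-host" alias="localhost"/>
      </server>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public"
                        port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
  </socket-binding-group>
</server>
"""

# Same config with a TLS listener attached to the "https" binding (the form used
# further down this page for WildFly 9). ApplicationRealm must carry a keystore,
# which this audit does not check.
HTTPS_LISTENER = ('<https-listener name="https" socket-binding="https" '
                  'security-realm="ApplicationRealm"/>\n        ')
FIXED_XML = SAMPLE_XML.replace('<host name=', HTTPS_LISTENER + '<host name=', 1)

EXPR = re.compile(r"^\$\{([^:}]+)(?::([^}]*))?\}$")

def resolve(value, props=None):
    """Resolve a JBoss expression such as ${jboss.http.port:8080} to an int.
    A system property given on the command line (-Dname=value) wins over the default."""
    props = props or {}
    m = EXPR.match(value.strip())
    if not m:
        return int(value)
    name, default = m.group(1), m.group(2)
    if name in props:
        return int(props[name])
    if default is None:
        raise ValueError(f"no default and no system property for {name}")
    return int(default)

def _local(tag):
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rsplit('}', 1)[-1]

LISTENER_SCHEME = {'http-listener': 'http', 'https-listener': 'https', 'ajp-listener': 'ajp'}

def audit_listeners(xml_text, props=None):
    """Map effective TCP port -> scheme for every Undertow listener in the config.
    The group's port-offset is added to each binding, as WildFly does at boot."""
    root = ET.fromstring(xml_text)
    ports = {}
    for group in root.iter():
        if _local(group.tag) != 'socket-binding-group':
            continue
        offset = resolve(group.get('port-offset', '0'), props)
        for sb in group:  # direct children only; outbound bindings have no port attribute
            if _local(sb.tag) == 'socket-binding' and sb.get('port'):
                ports[sb.get('name')] = resolve(sb.get('port'), props) + offset
    served = {}
    for el in root.iter():
        scheme = LISTENER_SCHEME.get(_local(el.tag))
        if scheme and el.get('socket-binding') in ports:
            served[ports[el.get('socket-binding')]] = scheme
    return served

def check_url(xml_text, url, props=None):
    """Return (status, detail) for a browser URL: 'ok', 'not-listening' or 'scheme-mismatch'."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == 'https' else 80)
    served = audit_listeners(xml_text, props)
    if port not in served:
        return 'not-listening', f'no Undertow listener is bound to port {port}'
    if served[port] != parts.scheme:
        return 'scheme-mismatch', (f'port {port} is served by an {served[port]}-listener, '
                                   f'so a {parts.scheme} request to it fails')
    return 'ok', f'port {port} is served by an {served[port]}-listener'

if __name__ == '__main__':
    for cfg, label in ((SAMPLE_XML, 'as posted'), (FIXED_XML, 'with https-listener')):
        print(label, audit_listeners(cfg))
        for url in ('https://192.168.0.197:8080/app', 'https://192.168.0.197:8443/app'):
            print('  ', url, '->', *check_url(cfg, url))
```

To audit a real server, pass the contents of its standalone.xml together with any -D properties from the launch configuration as the props dictionary (for example {'jboss.socket.binding.port-offset': '100'}). A ServiceWorker registers only on an origin the audit reports as served by an https-listener, and the browser must additionally trust the certificate that realm presents.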

Related

502 bad gateway on wildfly-9.01 and apache

We are using wildfly-9.01 in an Azure environment with Application Gateway and WAF services.
We observe 502s in the apache log under load and the application becomes unresponsive.
We are using the following configuration.
OS: centos-8(32 vcpus, 256 GiB memory)
web server: apache with modjk
application server: wildfly-9.01(40 GB memory is allocated)
Below is the Wildfly configuration:
<subsystem xmlns="urn:jboss:domain:io:1.1">
    <worker name="default" task-max-threads="500"/>
    <buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajpListener" scheme="http" socket-binding="ajp" max-header-size="50000" max-post-size="5368709120" max-parameters="5000000" allow-equals-in-cookie-value="true"/>
        <http-listener name="default" socket-binding="http" redirect-socket="https" max-header-size="50000" max-post-size="5368709120" max-parameters="5000000" allow-equals-in-cookie-value="true"/>
        <host name="default-host" alias="localhost"/>
    </server>
    <servlet-container name="default">
        <jsp-config x-powered-by="false"/>
        <websockets/>
    </servlet-container>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="My company"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="My company Application"/>
    </filters>
</subsystem>
Below is the Apache Keep alive config:
KeepAlive On
MaxKeepAliveRequests 300
KeepAliveTimeout 600
TimeOut 1200
Any suggestions for things to look at or try to avoid the 502s?

Wildfly 15 configuration for HA on EC2 using AWS_PING

I need to run 2+ Wildfly servers on EC2, so I thought that AWS_PING could be a fine way to discover peers.
I ran the sample JGroups chat based on AWS_PING on EC2, as described at https://github.com/meltmedia/jgroups-aws, and it works fine.
So I put the following configuration in standalone-ha.xml:
<subsystem xmlns="urn:jboss:domain:jgroups:6.0">
    <channels default="ee">
        <channel name="ee" stack="tcp" cluster="ejb"/>
    </channels>
    <stacks>
        <stack name="tcp">
            <transport type="TCP" socket-binding="jgroups-tcp"/>
            <protocol type="com.meltmedia.jgroups.aws.AWS_PING" module="org.jgroups.aws:awsping">
                <property name="tags">foobar</property>
                <property name="port_number">7600</property>
            </protocol>
            <protocol type="MERGE3"/>
            <protocol type="FD_SOCK"/>
            <protocol type="FD_ALL"/>
            <protocol type="VERIFY_SUSPECT"/>
            <protocol type="pbcast.NAKACK2"/>
            <protocol type="UNICAST3"/>
            <protocol type="pbcast.STABLE"/>
            <protocol type="pbcast.GMS"/>
            <protocol type="MFC"/>
            <protocol type="FRAG3"/>
        </stack>
    </stacks>
</subsystem>
and the socket-binding-group is described as:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    ...
    <socket-binding name="jgroups-tcp" interface="private" port="7600"/>
    ...
</socket-binding-group>
and I configured Wildfly's modules using the tar file generated with https://github.com/soulwing/wildfly-jgroups-aws-ping
When I restart Wildfly the JGroups subsystem seems correctly started:
$ grep jgroups log/server.log
2019-07-04 08:52:56,732 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 57) WFLYCLJG0001: Activating JGroups subsystem. JGroups version 4.0.15
However, Wildfly is not listening on port 7600:
$ sudo netstat -plnt | grep java
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 13123/java
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 13123/java
tcp 0 0 127.0.0.1:9990 0.0.0.0:* LISTEN 13123/java
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 13123/java
Did I miss some configuration? Why isn't Wildfly listening on port 7600?

make wildfly listen on port 443 not 8443

So I have added an SSL certificate to my wildfly 9 and it's working, but I want to configure my standalone.xml to listen for https on port 443 instead of the default port 8443. When I update the value ${jboss.https.port:8443} to ${jboss.https.port:443} it generates an error.
This is what I have in my standalone.xml:
<server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    <https-listener name="httpsServer" socket-binding="https" security-realm="ApplicationRealm"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <location name="/images" handler="ImagesDirHandler"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
    </host>
</server>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    <outbound-socket-binding name="mail-smtp">
        <remote-destination host="localhost" port="25"/>
    </outbound-socket-binding>
</socket-binding-group>
Please provide more accurate details about your environment and errors.
I had similar needs to yours. The users access our system through a network where the only requests available are on port 80 or 443. Then, when a customer calls the system on port 80, wildfly redirects to port 8443 and the user cannot connect to the system. The solution was to make wildfly redirect to port 443 instead of 8443. Here are some instructions for all looking for help with this issue:
In the case of a Linux based operating system, ports up to 1024 are available to bind only with root privileges.
It isn't a great idea to run wildfly or any other web/app server with root privileges on a production oriented server.
On the other hand, trying to run wildfly as a 'regular' user bound directly to port 443 or 80 generates permission denied errors.
The solution for the problem I described above was to bind wildfly to ports 8080/8443 (without root privileges) and ask the operating system to redirect traffic from port 80 to port 8080 and port 443 to port 8443. After that, configure wildfly to redirect http requests to https requests on port 443 instead of 8443.
So, assuming wildfly is running with http on port 8080 and https on port 8443 as a service on a Linux based OS:
1) Stop wildfly: sudo service wildfly stop
2) Add iptables commands to the startup /etc/init.d/wildfly script like:
    if [ $launched -eq 0 ]; then
        log_warning_msg "$DESC hasn't started within the timeout allowed"
        log_warning_msg "please review file \"$JBOSS_CONSOLE_LOG\" to see the status of the service"
    else
        # wildfly is up: send incoming traffic on the privileged ports to the ports it binds
        iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
        iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
    fi
PS: You add a rule to a table called "nat"; from the iptables man pages:
nat:
This table is consulted when a packet that creates a new connection is encountered.
So, if you requested https://localhost:443 before the rule creation, the connection was already created, so the nat table is not applied. Try from a new device.
Where $launched is a bash variable that represents the state of wildfly.
3) In the standalone.xml, create an additional socket-binding entry:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="https-external" port="443"/>
    <socket-binding name="txn-recovery-environment" port="4712"/>
    <socket-binding name="txn-status-manager" port="4713"/>
    ...
</socket-binding-group>
Note the new tag entry <socket-binding name="https-external" port="443"/>
4) Change the http-listener to redirect to https-external instead of https:
<http-listener name="default" socket-binding="http" redirect-socket="https-external" max-header-size=...
Where the change is redirect-socket="https-external"
5) Restart wildfly: sudo service wildfly start
After wildfly starts, check the console.log file for any error reports.
Thus, if your web.xml section assures confidential transport:
...
<security-constraint>
    ...
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
...
Wildfly will redirect the requests on port 80 or 8080 directly to port 443 instead of 8443.
Obs: It is a good idea to make backup copies of your /etc/init.d/wildfly script and standalone.xml configuration file before making any changes to them.
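Two things are worth knowing before putting the iptables lines from that init script into production. First, -A appends the rule on every service start, so each restart leaves a duplicate rule behind. Second, the PREROUTING chain only sees packets arriving from the network; a connection made on the server itself (curl https://localhost, for instance) passes through the nat OUTPUT chain instead and is never redirected, which is another reason a local test does not behave like a remote one. The script below is an added example, not the answer's code and not part of WildFly: it applies the same redirection idempotently by checking with -C before appending, covers both chains, and takes an injectable runner so the logic can be dry-run without root. The port map and the DryRun stub are constructed for the example. Like the original rules, these do not survive a reboot unless re-applied at start-up or saved with the distribution's rule persistence mechanism, and TLS is still terminated by WildFly on 8443, so the certificate there must match the name clients use on 443.

```python
"""Idempotent iptables REDIRECT rules for a WildFly host that binds 8080/8443 as an
unprivileged user while clients use 80/443. Added example, not from the answer above
or from WildFly; the rule layout follows the answer's two iptables lines."""
import subprocess
import sys

# Public port -> port WildFly actually binds (constructed for the example).
REDIRECTS = {80: 8080, 443: 8443}

# Chains a REDIRECT must live in. PREROUTING handles packets from the network;
# locally generated connections (to localhost or the host's own address) go through
# nat OUTPUT on the loopback interface instead, so a rule is needed there too.
CHAINS = (
    ('PREROUTING', ()),
    ('OUTPUT', ('-o', 'lo')),
)

def iptables_cmd(op, chain, dport, to_port, iface_match=()):
    """Build `iptables -t nat <op> <chain> <rule>`; op is -C (check), -A (append) or -D (delete).
    The rule part is identical for all three so that -C matches what -A inserted."""
    return ['iptables', '-t', 'nat', op, chain, *iface_match,
            '-p', 'tcp', '--dport', str(dport), '-j', 'REDIRECT', '--to-ports', str(to_port)]

def ensure_redirect(dport, to_port, run=subprocess.run):
    """Add the REDIRECT rules for one port pair only where they are missing.
    `run` is injectable (subprocess.run by default) so the logic can be exercised
    without root or iptables. Returns the chains in which a rule was newly added."""
    added = []
    for chain, iface_match in CHAINS:
        # iptables -C exits 0 when the exact rule already exists, 1 when it does not.
        check = run(iptables_cmd('-C', chain, dport, to_port, iface_match), capture_output=True)
        if check.returncode != 0:
            run(iptables_cmd('-A', chain, dport, to_port, iface_match), check=True)
            added.append(chain)
    return added

def ensure_all(run=subprocess.run):
    """Apply every pair in REDIRECTS; returns {public_port: [chains newly populated]}."""
    return {dport: ensure_redirect(dport, to_port, run) for dport, to_port in REDIRECTS.items()}

class DryRun:
    """Stand-in for subprocess.run that records commands instead of executing them and
    pretends the (chain, dport) pairs in `existing` are already loaded. Constructed for
    testing; also handy as a --dry-run mode on a real host."""
    def __init__(self, existing=()):
        self.existing = set(existing)
        self.commands = []

    def __call__(self, cmd, **kwargs):
        self.commands.append(cmd)
        op, chain = cmd[3], cmd[4]
        dport = cmd[cmd.index('--dport') + 1]
        if op == '-C':
            return subprocess.CompletedProcess(cmd, 0 if (chain, dport) in self.existing else 1)
        if op == '-A':
            self.existing.add((chain, dport))
        return subprocess.CompletedProcess(cmd, 0)

if __name__ == '__main__':
    runner = DryRun() if '--dry-run' in sys.argv else subprocess.run  # real mode needs root
    print(ensure_all(run=runner))
    if isinstance(runner, DryRun):
        for cmd in runner.commands:
            print(' '.join(cmd))
```

Running it with --dry-run prints the exact iptables invocations without touching the firewall; a second run against a host where the rules exist returns empty lists for every port, which is the behaviour the -A-only init script lacks.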

infinispan cluster two nodes configuration 5.3.Final

We want to create a cluster with two nodes; we have followed the steps of https://docs.jboss.org/author/display/ISPN/Infinispan+Server, and we use the configuration file standalone/configuration/clustered-two-nodes.xml. We have changed some ports like 8080, 9999, 4447 and 127.0.0.1 to the IP of the machine. We tried it, but it didn't work.
Is this the best configuration to work with a cluster of two nodes?
Is there any step that we missed?
I saw several threads and it seems to be the correct way, but we tried different configurations and it doesn't work.
Thank you
We start a cluster of 2 different machines; we use tcp in the configurations. I have followed server questions but we didn't get a solution to our problems.
These are our changes:
IP.IP.IP.IP = our ip.
<subsystem xmlns="urn:jboss:domain:jgroups:1.2" default-stack="${jboss.default.jgroups.stack:tcp}">
    <inet-address value="${jboss.bind.address.management:IP.IP.IP.IP}"/>
    <inet-address value="${jboss.bind.address:IP.IP.IP.IP}"/>
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:19999}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9991}"/>
    <socket-binding name="http" port="8081"/>
    <socket-binding name="remoting" port="4448"/>

How do I set the number of "webcontainer worker-threads" in jboss as 7?

Most app servers provide a way of tuning the number of WebContainer worker threads when it comes down to tuning. Is it possible to do that in JBoss AS 7.x?
Thanks.
You can tune the HTTP Connector of the AS7 web subsystem. The available attributes you can tune for the HTTP Connector are described here: The Http Connector. To define the max-connections for this connector you need to change it in $JBOSS_HOME/standalone/configuration/standalone.xml or $JBOSS_HOME/domain/configuration/domain.xml
See this piece of configuration:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http"
               protocol="HTTP/1.1"
               scheme="http"
               socket-binding="http"
               max-connections="250"/>
    ...
</subsystem>
To define a thread pool specific for the HTTP Connector you need to use the AS7 threads subsystem like this one:
<subsystem xmlns="urn:jboss:domain:threads:1.0">
    <bounded-queue-thread-pool name="http-executor" blocking="true">
        <core-threads count="10" per-cpu="20" />
        <queue-length count="10" per-cpu="20" />
        <max-threads count="10" per-cpu="20" />
        <keepalive-time time="10" unit="seconds" />
    </bounded-queue-thread-pool>
</subsystem>
and then you need to reference it in the executor attribute of the HTTP Connector. See this piece of config:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http"
               protocol="HTTP/1.1"
               scheme="http"
               socket-binding="http"
               max-connections="250"
               executor="http-executor"/>
    ...
</subsystem>
For more details about tuning AS7 see this post: JBoss AS 7 Performance tuning - Tuning Web server thread pool on masterjboss.com.