diff --git a/tls-proxy-demo/README.md b/tls-proxy-demo/README.md index e08f584..4fcb635 100644 --- a/tls-proxy-demo/README.md +++ b/tls-proxy-demo/README.md @@ -14,15 +14,12 @@ script generates a root certificate and builds the two container images the demo use this root certificate to generate their own; check the corresponding files for details). Then inspect the `compose.yaml` file that instructs podman-compose which containers to run with -which properties. We're using port 8000 for httpd, and ports 8080, 8081 for Tomcats; all of them are -exposed to the localhost. +which properties. We're using ports 8000 (serving applications), 8090 (MCMP communication) for httpd, and +ports 8080, 8081 for Tomcats; all of them are exposed to the localhost. -``` -**NOTE** - -Given we created our own certificate, you will get a warning in most web browsers. Either disregard -the warning (preferred) or import the created certificate among trusted ones. -``` +> [!NOTE] +> Given we created our own certificate, you will get a warning in most web browsers. Either disregard +> the warning (preferred) or import the created certificate among trusted ones. If everything works as expected, you can visit @@ -30,10 +27,6 @@ If everything works as expected, you can visit * to check whether httpd runs -* [https://localhost:8000/mod_cluster_manager](https://localhost:8000/mod_cluster_manager) - - * to check whether cluster manager is running and whether the proxy sees the two Tomcat instances (it takes a little bit of time) - * [https://localhost:8080/app/app.jsp](https://localhost:8080/app/app.jsp) * to check the application on the first tomcat 
@@ -47,3 +40,13 @@ If everything works as expected, you can visit * to access the application through proxy * in case you're accessing through the browser, pay attention to the session cookies (they are honored by the balancer by default) +* [https://localhost:8000/mod\_cluster\_manager](https://localhost:8000/mod_cluster_manager) + + * note that this should NOT be accessible from the internet as it permits changing settings of the proxy (it's exposed only for the demonstration purposes) + * to check whether cluster manager is running and whether the proxy sees the two Tomcat instances (it takes a little bit of time for them to appear) + + +> [!CAUTION] +> Do not use this setup in production. The mod\_cluster\_manager page should not be accessible to outsiders. The same applies +> to the Tomcat containers. In real world use case you would expose the port `8000` only. + diff --git a/tls-proxy-demo/compose.yaml b/tls-proxy-demo/compose.yaml index 4b82d42..c92b79f 100644 --- a/tls-proxy-demo/compose.yaml +++ b/tls-proxy-demo/compose.yaml @@ -3,6 +3,7 @@ services: image: httpd-mpc-ssl ports: - "8000:8000" + - "8090:8090" networks: - ssl-demo diff --git a/tls-proxy-demo/httpd/Containerfile b/tls-proxy-demo/httpd/Containerfile index cc75d5a..cc5871b 100644 --- a/tls-proxy-demo/httpd/Containerfile +++ b/tls-proxy-demo/httpd/Containerfile @@ -1,6 +1,6 @@ FROM fedora:latest AS builder -ARG HTTPD_SOURCES="https://dlcdn.apache.org/httpd/httpd-2.4.63.tar.gz" +ARG HTTPD_SOURCES="https://dlcdn.apache.org/httpd/httpd-2.4.65.tar.gz" ARG MPC_SOURCES="https://github.com/modcluster/mod_proxy_cluster/archive/refs/heads/main.zip" RUN dnf install gcc apr-devel apr-util-devel openssl openssl-devel pcre-devel redhat-rpm-config autoconf wcstools -y diff --git a/tls-proxy-demo/httpd/mod_proxy_cluster.conf b/tls-proxy-demo/httpd/mod_proxy_cluster.conf index ddeb3af..9c1b4a5 100644 --- a/tls-proxy-demo/httpd/mod_proxy_cluster.conf +++ b/tls-proxy-demo/httpd/mod_proxy_cluster.conf 
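Review bot: `- "8090:8090"` publishes the MCMP control port on every host interface, because the short port syntax without a host address binds to 0.0.0.0, while the README changed in this same commit states that all ports are exposed to the localhost and that the MCMP/manager endpoints must not be reachable by outsiders. Binding explicitly to loopback, `- "127.0.0.1:8090:8090"`, keeps the demo working and matches that description; the pre-existing `8000:8000` mapping and the Tomcat port mappings would benefit from the same form. The `SSLVerifyClient require` added to the httpd configuration does protect 8090, but narrowing the bind address is the cheaper defense-in-depth layer and does not depend on the TLS setup being correct.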
@@ -7,26 +7,33 @@ LoadModule manager_module modules/mod_manager.so LoadModule proxy_cluster_module modules/mod_proxy_cluster.so -ProxyPreserveHost On - ServerName httpd -ManagerBalancerName mycluster CreateBalancers 0 EnableOptions On +ProxyPreserveHost On - - SSLEngine on - SSLCertificateFile certs/ssl-demo.crt - SSLCertificateKeyFile certs/ssl-demo-private.key - SSLCACertificateFile certs/rootCA.crt +SSLEngine on +SSLCertificateFile certs/ssl-demo.crt +SSLCertificateKeyFile certs/ssl-demo-private.key +SSLCACertificateFile certs/rootCA.crt +SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +Listen 8090 + SSLProxyEngine On SSLProxyCACertificateFile certs/rootCA.crt SSLProxyMachineCertificateFile certs/ssl-demo.crt + # port 8090 will accept MCMP commands EnableMCMPReceive + # and will require clients to authenticate using trusted certificates + SSLVerifyClient require + SSLVerifyDepth 1 + + + # for demo purposes, do not expose the manager in production SetHandler mod_cluster-manager diff --git a/tls-proxy-demo/setup.sh b/tls-proxy-demo/setup.sh index 4d02621..a08b542 100644 --- a/tls-proxy-demo/setup.sh +++ b/tls-proxy-demo/setup.sh @@ -1,8 +1,7 @@ echo "Setting up the demo" # create root certificate -mkdir ca || true -cd ca +mkdir -p ca && cd ca openssl req -x509 -sha256 -days 7 -nodes -newkey rsa:4096 -subj "/CN=localhost" -keyout rootCA.key -out rootCA.crt # we'll use it with both containers, tomcat and httpd cp rootCA.crt rootCA.key ../tomcat/certs/ @@ -13,13 +12,13 @@ echo "root certificate done" # let's build the images cd tomcat -podman build . -t tomcat-ssl +podman build . -t tomcat-ssl || exit 1 cd .. echo "tomcat container image done" cd httpd -podman build . -t httpd-mpc-ssl +podman build . -t httpd-mpc-ssl || exit 2 cd .. echo "httpd + mod_proxy_cluster container image done" diff --git a/tls-proxy-demo/tomcat/Containerfile b/tls-proxy-demo/tomcat/Containerfile index f149cc2..e694b45 100644 --- a/tls-proxy-demo/tomcat/Containerfile 
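Review bot: The `SetHandler mod_cluster-manager` block at the end of the hunk is protected only by the comment `# for demo purposes, do not expose the manager in production`; nothing in the new configuration restricts who may reach it, although the README in this commit says the page permits changing proxy settings. The new 8090 virtual host enforces `SSLVerifyClient require` with `SSLVerifyDepth 1`, but the manager handler on the application port has no equivalent control. An authorization directive next to the handler, e.g. `Require ip <DEMO_HOST_ADDRESS_PLACEHOLDER>`, would make the comment enforceable (`Require local` is unlikely to match requests that arrive through the podman port mapping, so the allow-list form is the practical one). The enclosing `<Location>`/`<VirtualHost>` tags are stripped in this rendering, so I cannot confirm which virtual host the handler and the context-line `EnableMCMPReceive` sit in.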
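Review bot: `mkdir -p ca && cd ca` still lets the script continue when the `cd` fails (for example when `ca` exists as a regular file), so `openssl` would then write `rootCA.key` and `rootCA.crt` into the current directory and the following `cp rootCA.crt rootCA.key ../tomcat/certs/` would copy from and to the wrong place. The script's first line is a bare `echo` with no `set -e`, so the status has to be checked here: `mkdir -p ca && cd ca || exit 1`. The second hunk adds `|| exit 1` and `|| exit 2` to the two `podman build` calls but leaves the `cd tomcat` and `cd httpd` steps unchecked in the same way. Visible in the context though not part of this change: the CA private key is copied into both container build contexts and therefore into the images, which is worth a comment if it is intentional for the demo.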
+++ b/tls-proxy-demo/tomcat/Containerfile @@ -15,11 +15,10 @@ RUN ls RUN unzip $(basename ${MC_SOURCE}) && \ mv mod_cluster-* mod_cluster && \ cd mod_cluster && \ - mvn clean install + mvn clean install && \ + unzip dist/target/mod_cluster-distribution-*-tomcat-11.0.zip && \ + cp mod_cluster-distribution-*/lib/*.jar /usr/local/tomcat/lib/ -WORKDIR /usr/local/tomcat - -COPY target/*.jar lib/ RUN mkdir webapps-javaee COPY server.xml conf/server.xml diff --git a/tls-proxy-demo/tomcat/server.xml b/tls-proxy-demo/tomcat/server.xml index 9b9c5a9..fa19e6d 100644 --- a/tls-proxy-demo/tomcat/server.xml +++ b/tls-proxy-demo/tomcat/server.xml @@ -22,11 +22,13 @@ + sslKeyStore="certs/mycert.p12" + sslTrustStorePassword="truststorepass" + sslTrustStore="certs/truststore.p12" + /> @@ -64,11 +66,15 @@ Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 --> + SSLEnabled="true" scheme="https" secure="true" address="tomcat_address" > - - + + + diff --git a/tls-proxy-demo/tomcat/start.sh b/tls-proxy-demo/tomcat/start.sh index 5e9f5c5..35d8e46 100644 --- a/tls-proxy-demo/tomcat/start.sh +++ b/tls-proxy-demo/tomcat/start.sh @@ -19,15 +19,11 @@ openssl pkcs12 -export \ -chain \ -out mycert.p12 \ -name tomcat \ - -password pass:changeit && \ + -password pass:changeit -keytool -importkeystore \ - -destkeystore /root/.keystore \ - -deststorepass changeit \ - -srcstorepass changeit \ - -srckeystore mycert.p12 \ - -trustcacerts +keytool -importcert -trustcacerts -file rootCA.crt -keystore truststore.p12 -storepass truststorepass -storetype PKCS12 -noprompt cd .. bin/catalina.sh run +
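Review bot: Dropping `WORKDIR /usr/local/tomcat` leaves the following `RUN mkdir webapps-javaee` and `COPY server.xml conf/server.xml` relative to whatever working directory is in effect earlier in the file, which is outside this hunk and which I cannot confirm; if the base image's default working directory is being relied on, a comment such as `# relative paths below assume the base image's WORKDIR is /usr/local/tomcat` or restoring the explicit `WORKDIR` line would make that dependency visible. The new `cp mod_cluster-distribution-*/lib/*.jar /usr/local/tomcat/lib/` uses an absolute path while the lines after it use relative ones, so the two styles now diverge within the same stage. The `unzip dist/target/mod_cluster-distribution-*-tomcat-11.0.zip` glob also silently picks whichever archive matches, so a version mismatch with the build would not fail at this step.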
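Review bot: `sslTrustStorePassword="truststorepass"` hardcodes the same literal that `start.sh` in this commit passes to `keytool -storepass truststorepass`; the two values must be kept in sync by hand and nothing ties them together. Tomcat substitutes `${property}` references in server.xml from system properties, so setting one property (for example through `CATALINA_OPTS`) and using it both in the keytool invocation and as `sslTrustStorePassword="${TRUSTSTORE_PASSWORD_PLACEHOLDER}"` would remove the duplication. Most of the XML elements are stripped in this rendering, so I cannot confirm which listener or connector element these attributes belong to, nor whether `address="tomcat_address"` is a value that is substituted at startup.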
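Review bot: Removing the `&& \` after `-password pass:changeit` decouples the `openssl pkcs12 -export` step from the new `keytool -importcert` line, so a failed export no longer stops the script, and neither command's status is checked before `cd ..` and `bin/catalina.sh run`; Tomcat would then start with a missing or stale `mycert.p12` or `truststore.p12`. Appending `|| exit 1` to both commands (or `set -e` at the top of the script, which is outside this hunk so I cannot tell whether it is already present) would fail fast instead. The `-storepass truststorepass` argument is visible to any process listing inside the container; for a demo that is tolerable, but `keytool` can read it through `-storepass:file` or `-storepass:env` if the value is later moved out of the script. The `openssl pkcs12` command begins before the first line of the hunk.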