From badeaa42f33c724f33ef0cd9c6c64bdb7d9d84ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Chlup?= Date: Tue, 5 Aug 2025 16:09:29 +0200 Subject: [PATCH 1/5] Follow up on MODCLUSTER-858, use port 8090 instead of 8000 --- tls-proxy-demo/README.md | 8 ++++---- tls-proxy-demo/compose.yaml | 2 +- tls-proxy-demo/httpd/Containerfile | 2 +- tls-proxy-demo/httpd/mod_proxy_cluster.conf | 2 +- tls-proxy-demo/tomcat/server.xml | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tls-proxy-demo/README.md b/tls-proxy-demo/README.md index e08f584..c2d9a95 100644 --- a/tls-proxy-demo/README.md +++ b/tls-proxy-demo/README.md @@ -14,7 +14,7 @@ script generates a root certificate and builds the two container images the demo use this root certificate to generate their own; check the corresponding files for details). Then inspect the `compose.yaml` file that instructs podman-compose which containers to run with -which properties. We're using port 8000 for httpd, and ports 8080, 8081 for Tomcats; all of them are +which properties. We're using port 8090 for httpd, and ports 8080, 8081 for Tomcats; all of them are exposed to the localhost. ``` @@ -26,11 +26,11 @@ the warning (preferred) or import the created certificate among trusted ones. If everything works as expected, you can visit -* [https://localhost:8000/](https://localhost:8000/) +* [https://localhost:8090/](https://localhost:8090/) * to check whether httpd runs -* [https://localhost:8000/mod_cluster_manager](https://localhost:8000/mod_cluster_manager) +* [https://localhost:8090/mod_cluster_manager](https://localhost:8090/mod_cluster_manager) * to check whether cluster manager is running and whether the proxy sees the two Tomcat instances (it takes a little bit of time) 
@@ -42,7 +42,7 @@ If everything works as expected, you can visit * to check the application on the second tomcat -* [https://localhost:8000/app/app.jsp](https://localhost:8000/app/app.jsp) +* [https://localhost:8090/app/app.jsp](https://localhost:8090/app/app.jsp) * to access the application through proxy * in case you're accessing through the browser, pay attention to the session cookies (they are honored by the balancer by default) diff --git a/tls-proxy-demo/compose.yaml b/tls-proxy-demo/compose.yaml index 4b82d42..20d38fe 100644 --- a/tls-proxy-demo/compose.yaml +++ b/tls-proxy-demo/compose.yaml @@ -2,7 +2,7 @@ services: httpd: image: httpd-mpc-ssl ports: - - "8000:8000" + - "8090:8090" networks: - ssl-demo diff --git a/tls-proxy-demo/httpd/Containerfile b/tls-proxy-demo/httpd/Containerfile index cc75d5a..c98db65 100644 --- a/tls-proxy-demo/httpd/Containerfile +++ b/tls-proxy-demo/httpd/Containerfile @@ -18,7 +18,7 @@ RUN mkdir /httpd && tar xvf $(filename $HTTPD) --strip 1 -C /httpd WORKDIR /httpd -RUN ./configure --with-port=8000 +RUN ./configure --with-port=8090 RUN make RUN make install diff --git a/tls-proxy-demo/httpd/mod_proxy_cluster.conf b/tls-proxy-demo/httpd/mod_proxy_cluster.conf index ddeb3af..43b9799 100644 --- a/tls-proxy-demo/httpd/mod_proxy_cluster.conf +++ b/tls-proxy-demo/httpd/mod_proxy_cluster.conf @@ -15,7 +15,7 @@ ManagerBalancerName mycluster CreateBalancers 0 EnableOptions On - + SSLEngine on SSLCertificateFile certs/ssl-demo.crt SSLCertificateKeyFile certs/ssl-demo-private.key diff --git a/tls-proxy-demo/tomcat/server.xml b/tls-proxy-demo/tomcat/server.xml index 9b9c5a9..df460ea 100644 --- a/tls-proxy-demo/tomcat/server.xml +++ b/tls-proxy-demo/tomcat/server.xml @@ -22,7 +22,7 @@ Date: Thu, 21 Aug 2025 15:19:48 +0200 Subject: [PATCH 2/5] Exit from setup.sh if podman build fails --- tls-proxy-demo/setup.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/tls-proxy-demo/setup.sh b/tls-proxy-demo/setup.sh index 4d02621..a08b542 100644 --- a/tls-proxy-demo/setup.sh +++ b/tls-proxy-demo/setup.sh @@ -1,8 +1,7 @@ echo "Setting up the demo" # create root certificate -mkdir ca || true -cd ca +mkdir -p ca && cd ca openssl req -x509 -sha256 -days 7 -nodes -newkey rsa:4096 -subj "/CN=localhost" -keyout rootCA.key -out rootCA.crt # we'll use it with both containers, tomcat and httpd cp rootCA.crt rootCA.key ../tomcat/certs/ @@ -13,13 +12,13 @@ echo "root certificate done" # let's build the images cd tomcat -podman build . -t tomcat-ssl +podman build . -t tomcat-ssl || exit 1 cd .. echo "tomcat container image done" cd httpd -podman build . -t httpd-mpc-ssl +podman build . -t httpd-mpc-ssl || exit 2 cd .. echo "httpd + mod_proxy_cluster container image done" From 12f030ddbb98414a25d41ffda218f4fa4d516c51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Chlup?= Date: Thu, 21 Aug 2025 15:24:11 +0200 Subject: [PATCH 3/5] Polish containerfiles, upgrade httpd to 2.4.65 --- tls-proxy-demo/httpd/Containerfile | 4 ++-- tls-proxy-demo/tomcat/Containerfile | 7 +++---- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/tls-proxy-demo/httpd/Containerfile b/tls-proxy-demo/httpd/Containerfile index c98db65..cc5871b 100644 --- a/tls-proxy-demo/httpd/Containerfile +++ b/tls-proxy-demo/httpd/Containerfile @@ -1,6 +1,6 @@ FROM fedora:latest AS builder -ARG HTTPD_SOURCES="https://dlcdn.apache.org/httpd/httpd-2.4.63.tar.gz" +ARG HTTPD_SOURCES="https://dlcdn.apache.org/httpd/httpd-2.4.65.tar.gz" ARG MPC_SOURCES="https://github.com/modcluster/mod_proxy_cluster/archive/refs/heads/main.zip" RUN dnf install gcc apr-devel apr-util-devel openssl openssl-devel pcre-devel redhat-rpm-config autoconf wcstools -y @@ -18,7 +18,7 @@ RUN mkdir /httpd && tar xvf $(filename $HTTPD) --strip 1 -C /httpd WORKDIR /httpd -RUN ./configure --with-port=8090 +RUN ./configure --with-port=8000 RUN make RUN make install 
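Review bot: `mkdir -p ca && cd ca` stops a failed `cd` from being silently ignored, but the steps right after it, `openssl req … -out rootCA.crt` and `cp rootCA.crt rootCA.key ../tomcat/certs/`, still run unguarded, so a failed key generation lets the builds in the second hunk (`podman build … || exit 1` / `|| exit 2`) proceed with missing or stale CA material. A single `set -euo pipefail` as the first line of setup.sh (above this hunk) would make every step abort on error, make the per-command `|| exit N` guards in the second hunk unnecessary, and also make the unguarded `cd tomcat` / `cd httpd` there fail fast instead of building from the wrong directory. The `-days 7` validity on the root certificate deserves a one-line comment such as `# short-lived demo CA: re-run setup.sh once it expires`, since TLS between the containers will start failing after a week for a reason that is not obvious from the containers' logs.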
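Review bot: The bumped `HTTPD_SOURCES` tarball is still fetched without an integrity check — nothing in this hunk compares the download against the SHA-256 or PGP signature Apache publishes alongside the release, so the build trusts whatever the CDN returns (the download step itself is outside the hunk, so this is inferred from the context lines). The cheapest fix is to pin the expected digest next to the URL, e.g. `ARG HTTPD_SHA256=<sha256 from the httpd download page>`, and verify it after the fetch with `echo "$HTTPD_SHA256  httpd-2.4.65.tar.gz" | sha256sum -c -`, or use `ADD --checksum=sha256:… $HTTPD_SOURCES` where the builder supports it. The same concern applies to the unchanged `MPC_SOURCES`, which points at the moving `main.zip` branch archive rather than a tag or commit, and to `FROM fedora:latest`, which means two builds of this file can differ for reasons unrelated to this commit.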
diff --git a/tls-proxy-demo/tomcat/Containerfile b/tls-proxy-demo/tomcat/Containerfile index f149cc2..e694b45 100644 --- a/tls-proxy-demo/tomcat/Containerfile +++ b/tls-proxy-demo/tomcat/Containerfile @@ -15,11 +15,10 @@ RUN ls RUN unzip $(basename ${MC_SOURCE}) && \ mv mod_cluster-* mod_cluster && \ cd mod_cluster && \ - mvn clean install + mvn clean install && \ + unzip dist/target/mod_cluster-distribution-*-tomcat-11.0.zip && \ + cp mod_cluster-distribution-*/lib/*.jar /usr/local/tomcat/lib/ -WORKDIR /usr/local/tomcat - -COPY target/*.jar lib/ RUN mkdir webapps-javaee COPY server.xml conf/server.xml From dbe3d8c20dbf92b43578774f4adf9354f56cef17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Chlup?= Date: Thu, 21 Aug 2025 15:30:21 +0200 Subject: [PATCH 4/5] Update certificates creation, separate MCMP from proxied app --- tls-proxy-demo/compose.yaml | 1 + tls-proxy-demo/httpd/mod_proxy_cluster.conf | 23 ++++++++++++++------- tls-proxy-demo/tomcat/server.xml | 18 ++++++++++------ tls-proxy-demo/tomcat/start.sh | 10 +++------ 4 files changed, 31 insertions(+), 21 deletions(-) diff --git a/tls-proxy-demo/compose.yaml b/tls-proxy-demo/compose.yaml index 20d38fe..c92b79f 100644 --- a/tls-proxy-demo/compose.yaml +++ b/tls-proxy-demo/compose.yaml @@ -2,6 +2,7 @@ services: httpd: image: httpd-mpc-ssl ports: + - "8000:8000" - "8090:8090" networks: - ssl-demo diff --git a/tls-proxy-demo/httpd/mod_proxy_cluster.conf b/tls-proxy-demo/httpd/mod_proxy_cluster.conf index 43b9799..9c1b4a5 100644 --- a/tls-proxy-demo/httpd/mod_proxy_cluster.conf +++ b/tls-proxy-demo/httpd/mod_proxy_cluster.conf 
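Review bot: Dropping `WORKDIR /usr/local/tomcat` changes where the unchanged `RUN mkdir webapps-javaee` and `COPY server.xml conf/server.xml` that follow resolve — both are relative paths, so they now land in whatever directory the stage was in before this hunk (the `cd mod_cluster` inside the `RUN` does not carry over). If the base image is an official `tomcat` image that directory is already `/usr/local/tomcat` and the result is the same, but that is an implicit dependency on the base image; keeping the `WORKDIR` line, or writing the two paths as `/usr/local/tomcat/webapps-javaee` and `/usr/local/tomcat/conf/server.xml`, makes it explicit. Separately, `cp mod_cluster-distribution-*/lib/*.jar /usr/local/tomcat/lib/` relies on the glob matching exactly one extracted directory; a short comment naming which distribution zip is expected would help whoever next bumps the mod_cluster version. The `FROM` line and the start of this `RUN` are outside the hunk.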
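Review bot: With `- "8000:8000"` now publishing the application side, the existing `- "8090:8090"` line still publishes the MCMP port to the host as well, which this same patch turns into a client-certificate-only channel between the Tomcats and httpd (`Listen 8090` / `SSLVerifyClient require` in mod_proxy_cluster.conf) and which the README in the last patch says should not be exposed. The Tomcats reach httpd over the `ssl-demo` network by service name (`proxyList="httpd:8090"` in server.xml), so the host mapping is not needed for the demo to work; dropping that line, or at least binding it to loopback with `- "127.0.0.1:8090:8090"`, keeps the management channel off the host's interfaces.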
@@ -7,26 +7,33 @@ LoadModule manager_module modules/mod_manager.so LoadModule proxy_cluster_module modules/mod_proxy_cluster.so -ProxyPreserveHost On - ServerName httpd -ManagerBalancerName mycluster CreateBalancers 0 EnableOptions On +ProxyPreserveHost On - - SSLEngine on - SSLCertificateFile certs/ssl-demo.crt - SSLCertificateKeyFile certs/ssl-demo-private.key - SSLCACertificateFile certs/rootCA.crt +SSLEngine on +SSLCertificateFile certs/ssl-demo.crt +SSLCertificateKeyFile certs/ssl-demo-private.key +SSLCACertificateFile certs/rootCA.crt +SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +Listen 8090 + SSLProxyEngine On SSLProxyCACertificateFile certs/rootCA.crt SSLProxyMachineCertificateFile certs/ssl-demo.crt + # port 8090 will accept MCMP commands EnableMCMPReceive + # and will require clients to authenticate using trusted certificates + SSLVerifyClient require + SSLVerifyDepth 1 + + + # for demo purposes, do not expose the manager in production SetHandler mod_cluster-manager diff --git a/tls-proxy-demo/tomcat/server.xml b/tls-proxy-demo/tomcat/server.xml index df460ea..fa19e6d 100644 --- a/tls-proxy-demo/tomcat/server.xml +++ b/tls-proxy-demo/tomcat/server.xml @@ -25,8 +25,10 @@ proxyList="httpd:8090" ssl="true" sslKeyAlias="tomcat" - sslTrustStorePassword="changeit" - sslTrustStore="/root/.keystore" /> + sslKeyStore="certs/mycert.p12" + sslTrustStorePassword="truststorepass" + sslTrustStore="certs/truststore.p12" + /> @@ -64,11 +66,15 @@ Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 --> + SSLEnabled="true" scheme="https" secure="true" address="tomcat_address" > - - + + + diff --git a/tls-proxy-demo/tomcat/start.sh b/tls-proxy-demo/tomcat/start.sh index 5e9f5c5..35d8e46 100644 --- a/tls-proxy-demo/tomcat/start.sh +++ b/tls-proxy-demo/tomcat/start.sh 
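Review bot: `SSLVerifyClient require` on the MCMP listener is only as strong as the secrecy of the CA it trusts, and `SSLCACertificateFile certs/rootCA.crt` is the demo root whose private key setup.sh copies into the tomcat build context (`cp rootCA.crt rootCA.key ../tomcat/certs/`); if that key ends up inside the Tomcat image (the tomcat Containerfile's COPY lines are not visible here), anyone holding the image can issue a client certificate the 8090 port accepts. That is acceptable for a demo but deserves a comment next to `SSLVerifyClient require`, e.g. `# any certificate signed by certs/rootCA.crt is accepted; keep rootCA.key out of the images outside this demo`, and the cleaner structure is to issue the Tomcat leaf certificates in setup.sh and ship only the public `rootCA.crt` to the containers. Note also that the `VirtualHost` and `Location` container lines appear to have been stripped by the rendering (the indented `SSLProxyEngine On` … `SSLVerifyDepth 1` block and the `SetHandler mod_cluster-manager` block have no visible opening or closing tags), so the scoping of `EnableMCMPReceive` to the 8090 listener is inferred rather than seen.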
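Review bot: `sslKeyStore="certs/mycert.p12"` and `sslTrustStore="certs/truststore.p12"` are relative paths, so they resolve against the working directory Tomcat is started from rather than against the Tomcat base directory; start.sh happens to `cd ..` into the Tomcat root before `bin/catalina.sh run`, so this works today, but any other launch path would likely fail to find the files. Writing them as `${catalina.base}/certs/mycert.p12` and `${catalina.base}/certs/truststore.p12` removes that dependency. The truststore password `truststorepass` is also duplicated between this file and start.sh's `keytool … -storepass truststorepass`; a comment on one side saying where the other copy lives would keep the two from drifting.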
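Review bot: The unchanged comment just above the new Connector line, `Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 -->`, now contradicts the connector it introduces, which the added line makes `SSLEnabled="true" scheme="https" secure="true"`; it should read `Define an SSL/TLS HTTP/1.1 Connector on port 8080 -->`. The `address="tomcat_address"` value looks like a placeholder substituted at start-up; if so, a comment naming the script that rewrites it would help, since a literal `tomcat_address` would presumably fail to resolve at bind time. The Connector's remaining attribute lines and its closing tag appear stripped from this rendering, so the full element is not visible here.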
@@ -19,15 +19,11 @@ openssl pkcs12 -export \ -chain \ -out mycert.p12 \ -name tomcat \ - -password pass:changeit && \ + -password pass:changeit -keytool -importkeystore \ - -destkeystore /root/.keystore \ - -deststorepass changeit \ - -srcstorepass changeit \ - -srckeystore mycert.p12 \ - -trustcacerts +keytool -importcert -trustcacerts -file rootCA.crt -keystore truststore.p12 -storepass truststorepass -storetype PKCS12 -noprompt cd .. bin/catalina.sh run + From 8a74bef1405f58b8972c6970be979a8d5a5068d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20Chlup?= Date: Thu, 21 Aug 2025 16:41:54 +0200 Subject: [PATCH 5/5] Update README, add a security note, fix format --- tls-proxy-demo/README.md | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/tls-proxy-demo/README.md b/tls-proxy-demo/README.md index c2d9a95..4fcb635 100644 --- a/tls-proxy-demo/README.md +++ b/tls-proxy-demo/README.md 
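Review bot: Dropping the trailing `&& \` after `-password pass:changeit` turns the certificate export and the new `keytool -importcert …` into independent statements, so if `openssl pkcs12 -export` fails the script still builds the truststore, does `cd ..` and runs `bin/catalina.sh run` without a `mycert.p12`; a failing keytool is likewise ignored. Either keep the chain (`-password pass:changeit && \` before the keytool line) or put `set -e` at the top of start.sh (outside this hunk) so a failed step stops the container with a clear error instead of a Tomcat that starts without its keystore. The keytool invocation also passes `-storepass truststorepass` on the command line, where it is visible in the process list; for a demo that is acceptable, but a comment saying so, and noting that the value must match `sslTrustStorePassword` in server.xml, would stop the pattern being copied into a real deployment. The `openssl pkcs12` command begins outside the hunk.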
@@ -14,26 +14,19 @@ script generates a root certificate and builds the two container images the demo use this root certificate to generate their own; check the corresponding files for details). Then inspect the `compose.yaml` file that instructs podman-compose which containers to run with -which properties. We're using port 8090 for httpd, and ports 8080, 8081 for Tomcats; all of them are -exposed to the localhost. +which properties. We're using ports 8000 (serving applications), 8090 (MCMP communication) for httpd, and +ports 8080, 8081 for Tomcats; all of them are exposed to the localhost. -``` -**NOTE** - -Given we created our own certificate, you will get a warning in most web browsers. Either disregard -the warning (preferred) or import the created certificate among trusted ones. -``` +> [!NOTE] +> Given we created our own certificate, you will get a warning in most web browsers. Either disregard +> the warning (preferred) or import the created certificate among trusted ones. If everything works as expected, you can visit -* [https://localhost:8090/](https://localhost:8090/) +* [https://localhost:8000/](https://localhost:8000/) * to check whether httpd runs -* [https://localhost:8090/mod_cluster_manager](https://localhost:8090/mod_cluster_manager) - - * to check whether cluster manager is running and whether the proxy sees the two Tomcat instances (it takes a little bit of time) - * [https://localhost:8080/app/app.jsp](https://localhost:8080/app/app.jsp) * to check the application on the first tomcat 
@@ -42,8 +35,18 @@ If everything works as expected, you can visit * to check the application on the second tomcat -* [https://localhost:8090/app/app.jsp](https://localhost:8090/app/app.jsp) +* [https://localhost:8000/app/app.jsp](https://localhost:8000/app/app.jsp) * to access the application through proxy * in case you're accessing through the browser, pay attention to the session cookies (they are honored by the balancer by default) +* [https://localhost:8000/mod\_cluster\_manager](https://localhost:8000/mod_cluster_manager) + + * note that this should NOT be accessible from the internet as it permits changing settings of the proxy (it's exposed only for the demonstration purposes) + * to check whether cluster manager is running and whether the proxy sees the two Tomcat instances (it takes a little bit of time for them to appear) + + +> [!CAUTION] +> Do not use this setup in production. The mod\_cluster\_manager page should not be accessible to outsiders. The same applies +> to the Tomcat containers. In real world use case you would expose the port `8000` only. +