modcluster · rhusar · Sep 2, 2025 · Aug 5, 2025 · Aug 21, 2025 · Aug 21, 2025
@@ -14,26 +14,19 @@ script generates a root certificate and builds the two container images the demo
 use this root certificate to generate their own; check the corresponding files for details).
 
 Then inspect the `compose.yaml` file that instructs podman-compose which containers to run with
-which properties. We're using port 8000 for httpd, and ports 8080, 8081 for Tomcats; all of them are
-exposed to the localhost.
+which properties. We're using ports 8000 (serving applications), 8090 (MCMP communication) for httpd, and
+ports 8080, 8081 for Tomcats; all of them are exposed to the localhost.
 
-```
-**NOTE**
-
-Given we created our own certificate, you will get a warning in most web browsers. Either disregard
-the warning (preferred) or import the created certificate among trusted ones.
-```
+> [!NOTE]
+> Given we created our own certificate, you will get a warning in most web browsers. Either disregard
+> the warning (preferred) or import the created certificate among trusted ones.
 
 If everything works as expected, you can visit
 
 * [https://localhost:8000/](https://localhost:8000/)
 
     * to check whether httpd runs
 
-* [https://localhost:8000/mod_cluster_manager](https://localhost:8000/mod_cluster_manager)
-
-    * to check whether cluster manager is running and whether the proxy sees the two Tomcat instances (it takes a little bit of time)
-
 * [https://localhost:8080/app/app.jsp](https://localhost:8080/app/app.jsp)
 
     * to check the application on the first tomcat
@@ -47,3 +40,13 @@ If everything works as expected, you can visit
     * to access the application through proxy
     * in case you're accessing through the browser, pay attention to the session cookies (they are honored by the balancer by default)
 
+* [https://localhost:8000/mod\_cluster\_manager](https://localhost:8000/mod_cluster_manager)
+
+    * note that this should NOT be accessible from the internet as it permits changing settings of the proxy (it's exposed only for the demonstration purposes)
+    * to check whether cluster manager is running and whether the proxy sees the two Tomcat instances (it takes a little bit of time for them to appear)
+
+
+> [!CAUTION]
+> Do not use this setup in production. The mod\_cluster\_manager page should not be accessible to outsiders. The same applies
+> to the Tomcat containers. In real world use case you would expose the port `8000` only.
+
@@ -3,6 +3,7 @@ services:
     image: httpd-mpc-ssl
     ports:
       - "8000:8000"
+      - "8090:8090"
     networks:
       - ssl-demo
 

@@ -1,6 +1,6 @@
 FROM fedora:latest AS builder
 
-ARG HTTPD_SOURCES="https://dlcdn.apache.org/httpd/httpd-2.4.63.tar.gz"
+ARG HTTPD_SOURCES="https://dlcdn.apache.org/httpd/httpd-2.4.65.tar.gz"
 ARG MPC_SOURCES="https://github.com/modcluster/mod_proxy_cluster/archive/refs/heads/main.zip"
 
 RUN dnf install gcc apr-devel apr-util-devel openssl openssl-devel pcre-devel redhat-rpm-config autoconf wcstools -y

@@ -7,26 +7,33 @@ LoadModule manager_module       modules/mod_manager.so
 LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
 
 
-ProxyPreserveHost On
-
 ServerName httpd
-ManagerBalancerName mycluster
 
 CreateBalancers 0
 EnableOptions On
+ProxyPreserveHost On
 
-<VirtualHost *:8000>
-    SSLEngine on
-    SSLCertificateFile      certs/ssl-demo.crt
-    SSLCertificateKeyFile   certs/ssl-demo-private.key
-    SSLCACertificateFile    certs/rootCA.crt
+SSLEngine on
+SSLCertificateFile      certs/ssl-demo.crt
+SSLCertificateKeyFile   certs/ssl-demo-private.key
+SSLCACertificateFile    certs/rootCA.crt
+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 
+Listen 8090
+<VirtualHost *:8090>
     SSLProxyEngine On
     SSLProxyCACertificateFile      certs/rootCA.crt
     SSLProxyMachineCertificateFile certs/ssl-demo.crt
 
+    # port 8090 will accept MCMP commands
     EnableMCMPReceive
+    # and will require clients to authenticate using trusted certificates
+    SSLVerifyClient require
+    SSLVerifyDepth 1
+</VirtualHost>
 
+<VirtualHost *:8000>
+    # for demo purposes, do not expose the manager in production
     <Location /mod_cluster_manager>
         SetHandler mod_cluster-manager
     </Location>

@@ -1,8 +1,7 @@
 echo "Setting up the demo"
 
 # create root certificate
-mkdir ca || true
-cd ca
+mkdir -p ca && cd ca
 openssl req -x509 -sha256 -days 7 -nodes -newkey rsa:4096 -subj "/CN=localhost" -keyout rootCA.key -out rootCA.crt
 # we'll use it with both containers, tomcat and httpd
 cp rootCA.crt rootCA.key ../tomcat/certs/
@@ -13,13 +12,13 @@ echo "root certificate done"
 
 # let's build the images
 cd tomcat
-podman build . -t tomcat-ssl
+podman build . -t tomcat-ssl || exit 1
 cd ..
 
 echo "tomcat container image done"
 
 cd httpd
-podman build . -t httpd-mpc-ssl
+podman build . -t httpd-mpc-ssl || exit 2
 cd ..
 
 echo "httpd + mod_proxy_cluster container image done"

@@ -15,11 +15,10 @@ RUN ls
 RUN unzip $(basename ${MC_SOURCE}) && \
     mv mod_cluster-* mod_cluster && \
     cd mod_cluster && \
-    mvn clean install
+    mvn clean install && \
+    unzip dist/target/mod_cluster-distribution-*-tomcat-11.0.zip && \
+    cp mod_cluster-distribution-*/lib/*.jar /usr/local/tomcat/lib/
 
-WORKDIR /usr/local/tomcat
-
-COPY target/*.jar lib/
 RUN mkdir webapps-javaee 
 
 COPY server.xml  conf/server.xml

@@ -22,11 +22,13 @@
 <Server port="8005" shutdown="SHUTDOWN">
   <Listener className="org.jboss.modcluster.container.tomcat.ModClusterListener"
             connectorPort="tomcat_port"
-            proxyList="httpd:8000"
+            proxyList="httpd:8090"
             ssl="true"
             sslKeyAlias="tomcat"
-            sslTrustStorePassword="changeit"
-            sslTrustStore="/root/.keystore" />
+            sslKeyStore="certs/mycert.p12"
+            sslTrustStorePassword="truststorepass"
+            sslTrustStore="certs/truststore.p12"
+   />
 
   <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
   <!-- OpenSSL support using Tomcat Native -->
@@ -64,11 +66,15 @@
          Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
 -->
     <Connector port="tomcat_port" protocol="org.apache.coyote.http11.Http11NioProtocol"
-               maxThreads="150" SSLEnabled="true" scheme="https" secure="true" address="tomcat_address" >
+               SSLEnabled="true" scheme="https" secure="true" address="tomcat_address" >
 <!--        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> -->
-        <SSLHostConfig>
-            <Certificate certificateKeystoreFile="/root/.keystore"
-                         certificateKeystorePassword="changeit" type="RSA" keyAlias="tomcat" />
+        <SSLHostConfig truststoreFile="certs/truststore.p12" truststorePassword="truststorepass" truststoreType="PKCS12" >
+            <Certificate certificateKeyAlias="tomcat"
+                         certificateKeystoreFile="certs/mycert.p12"
+                         certificateKeystorePassword="changeit"
+                         type="RSA"
+            />
+
         </SSLHostConfig>
     </Connector>
 

@@ -19,15 +19,11 @@ openssl pkcs12 -export \
        -chain \
        -out mycert.p12 \
        -name tomcat \
-       -password pass:changeit && \
+       -password pass:changeit
 
-keytool -importkeystore \
-        -destkeystore /root/.keystore \
-        -deststorepass changeit \
-        -srcstorepass changeit \
-        -srckeystore mycert.p12 \
-        -trustcacerts
+keytool -importcert -trustcacerts -file rootCA.crt -keystore truststore.p12 -storepass truststorepass -storetype PKCS12 -noprompt
 
 cd ..
 
 bin/catalina.sh run
+