Use Apache 2.4.x as a secure reverse proxy for JBoss Wildfly

Quite some time ago, I wrote a post about using Apache as a secure reverse proxy for JBoss AS5. The development of both web servers and application servers has not come to a stand-still, so I felt it was time for a follow-up - not in the least because I have to configure such a set-up again myself.

This time around, Apache httpd has advanced to version 2.4 (the Ubuntu distro I'm using, 14.04 LTS, comes with version 2.4.7; the latest version available is 2.4.9); the JBoss application server has been going through versions AS6, AS7 and finally - reflecting a new naming scheme - Wildfly8 (I'm using version 8.1.0.Final).
For me, Apache is installed in /etc/apache2/, and you may install Wildfly anywhere (I'll use {$wildfly-home-dir} to denote the path).

Note: The JBoss documentation expresses a preference for mod_cluster when putting the app server behind an Apache. However, this component is - as far as I can tell - only available for httpd 2.2.x (x >= 8), and trying to included the precompiled modules in an httpd 2.4 led to errors.
I decided to keep the default Apache installation and use mod_proxy_ajp instead; that was possible since I didn't need the advantages mod_cluster advertises to have over its alternatives.

Securing the connection

To enable SSL security on the connection, enable the following parts in the /etc/apache2 directory by creating a symbolic link in the *-enabled subdirectories that point to the *-available subdirectories:

• /etc/apache2/mods-enabled$ sudo ln -s ../mods-available/ssl.conf
• /etc/apache2/mods-enabled$ sudo ln -s ../mods-available/ssl.load
• /etc/apache2/mods-enabled$ sudo ln -s ../mods-available/socache_shmcb.load
• /etc/apache2/mods-enabled$ sudo ln -s ../mods-available/rewrite.load
• /etc/apache2/sites-enabled$ sudo ln -s ../sites-available/default-ssl.conf

To make sure that all calls are made secure, redirect calls to the normal HTTP endpoints by adding an appropriate entry in the default virtual host configuration:

• In /etc/apache2/sites-enabled/000-default.conf:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Note 1: The preferred RedirectPermanent directive didn't seem to work properly for me. Maybe I just mis-configured something for that.

Note 2: An official SSL certificate needs to be purchased and installed to remove the warning browsers issue when landing on a page on the server. I'm not delving deeper into this issue here, see the mod_ssl description for details.

Enable the AJP protocol in Wildfly

To be accessible for the calls through the reverse proxy, Wildfly must expose a port on which it listens for traffic following the AJP protocol.

• Add an entry to the {$wildfly-home-dir}/standalone/configuration/standalone.xml file, in the undertow subsystem within the default-server section:

    <name="ajpListener" scheme="http" socket-binding="ajp"/>

That's all, because the corresponding socket binding is enabled by default (see bottom of that file), on port 8009.

Setting up Apache as a secure reverse proxy for Wildfly

Enable the following modules in order to be able to use mod_proxy_ajp:

• /etc/apache2/mods-enabled$ sudo ln -s ../mods-available/proxy.conf
• /etc/apache2/mods-enabled$ sudo ln -s ../mods-available/proxy.load
• /etc/apache2/mods-enabled$ sudo ln -s ../mods-available/proxy_ajp.load

Activate the secure reverse proxy to the application server:

• Add a proxying entry to the /etc/apache2/mods-enabled/proxy.conf file:

    ProxyPass / ajp://localhost:8009/

• Enable secure proxying in the /etc/apache2/sites-enabled/default-ssl.conf file:

    SSLProxyEngine on

Taking it for a test run

Now fire up the application server:

• {$wildfly-home-dir}/bin/standalone.sh

and (re)start the webserver:

• sudo service apache2 restart

and go to the root of your installation (which may be  http://localhost/  if you're trying this out locally). What you should see now is a warning from your browser, telling you the certificate that's used by the site you're trying to access is not trusted. If you choose to ignore this warning - you can, i.e. if you trust your own server - then you should be redirected to the landing page of the Wildfly installation (or anything you have deployed in the root context instead), served over a secure SSL connection.

Customizing the JNDI name(s) of the JBoss 5.1 ConnectionFactory

Customizing the JNDI name(s) of the JBoss 5.1 ConnectionFactory takes the following steps:

- Change or add the binding name(s) in the [server]/deploy/messaging/connection-factories-service.xml file:

   
      jboss.messaging:service=ServerPeer
      jboss.messaging:service=Connector,transport=bisocket
      jboss.messaging:service=PostOffice

      
         
            /ConnectionFactory
            /XAConnectionFactory
            java:/ConnectionFactory
            java:/XAConnectionFactory
            /YOUR_JNDI_NAME_HERE
         
      
  

Same goes for the clustered connection factory (defined in the same file just under the other one).

- Only if necessary (i.e. changed in the above) adjust the corresponding reference in the JMS datasource file ([server]/deploy/messaging/jms-ds.xml, this is the original file referencing the standard java:/XAConnectionFactory reference):

   
      DefaultJMSProvider
      org.jboss.jms.jndi.JNDIProviderAdapter
      java:/XAConnectionFactory
      java:/XAConnectionFactory
      java:/XAConnectionFactory
   

Now you can use whatever name you want to bind the connection factory to from within your application!

'External' Quartz on JBoss 5.1

On our current project, we have the requirement to be able to run our application on more than JBoss AS alone. When confronted with the need to schedule certain tasks, we considered a few options:

• Use EJB timers: Due to the nature of the tasks (e.g. interdependencies) this mechanism is not suitable - it's simply just not sophisticated enough.
• Use the Quartz functionality provided along with the JBoss distribution: While this may do exactly what we need, it wouldn't be portable to app servers from other vendors.

So the decision was made to use Quartz, not as readily available from JBoss but as an add-on library ('external', if you will). I found a couple of articles that pointed me in the right direction:

• "Another way to use Quartz in JBoss"
• "JBoss Quartz tutorial"
• "Scheduling a job using Jboss-5.1.0.GA and Quartz"

We used Quartz version 2.0.2 - the latest and greatest at the time I write this - and since Maven is our build tool of choice, the following dependency pulls all required libs into our project:

  org.quartz-scheduler
  quartz-jboss
  2.0.2
  provided
 

We use provided scope here since we won't be including Quartz in our project's deliverables; instead we put such dependencies on our server explicitly. Either approach would work, though.

1) Clean up your installation.

So, the first job at hand is to remove the Quartz artifacts from our JBoss installation. I guess it makes sense to prevent different versions from showing up in your classpath. The files to be removed are:

• ${jboss.home.dir}/common/lib/quartz.jar
• ${jboss.home.dir}/server/[SERVER_NAME]/deploy/quartz-ra.rar (in EAP this is an exploded RAR, so remove the directory)

Before deleting anything from the common/lib directory, be sure that there aren't any other servers running from the same AS installation that need that file!

2) Add the required Quartz libraries to you server.

The following file should be in place after this step:

• ${jboss.home.dir}/server/[SERVER_NAME]/lib/quartz-all-2.0.2.jar

That's right. Just one jar, very convenient - and the added bonus is that this already contains the stuff that's needed for deployment in other app servers, so no need to have different dependencies in different deployments.

Note that this file is not downloaded if you include the dependencies through Maven as indicated above, you have to download the full distribution to get it.

3) Add an MBean to the JBoss configuration.

The following is a simple example of a Quartz MBean configuration:

  
   Quartz
   
    org.quartz.scheduler.instanceName = DefaultQuartzScheduler
    org.quartz.threadPool.class = org.quartz.simpl.SimpleThreadPool
    org.quartz.threadPool.threadCount = 5
    org.quartz.threadPool.threadPriority = 4
    org.quartz.jobStore.class = org.quartz.simpl.RAMJobStore
   
  
 

If you use this, no extra DataSource needs to be configured and Quartz keeps its jobs in memory. For more specifics on the configuration possibilities (there are a lot!), see http://www.quartz-scheduler.org/docs/configuration/.

Put the XML above in a x-service.xml file in your server's deploy dir, like e.g.:

• ${jboss.home.dir}/server/[SERVER_NAME]/deploy/quartz-service.xml

4) Point Quartz at the jobs you want done.

Obviously it now is possible to use Quartz from code inside deployed applications. Just retrieve the scheduler from JNDI like so:

InitialContext ctx = new InitialContext();
 Scheduler scheduler = (Scheduler) ctx.lookup("Quartz");

But for our purpose this just isn't good enough, we want to be able to schedule tasks from configuration files. To accomplish that, we need to perform a number of steps:

a) Enable the Quartz plugin that reads jobs and triggers from an indicated XML file. This is done by adding the following properties to the configuration shown in step 3):

org.quartz.plugin.jobInitializer.class = org.quartz.plugins.xml.XMLSchedulingDataProcessorPlugin
   org.quartz.plugin.jobInitializer.fileNames = ${jboss.server.home.dir}/conf/quartz-jobs.xml
   org.quartz.plugin.jobInitializer.scanInterval = 120

For details on this plugin see http://www.quartz-scheduler.org/api/2.0.0/org/quartz/plugins/xml/XMLSchedulingDataProcessorPlugin.html.

b) Create a class that implements the org.quartz.Job interface for each such a task. This interface exposes exactly one method, void execute(JobExecutionContext ctx), which is called when the job is triggered.

c) Provide the quartz-jobs.xml file that is indicated in the extra configuration in step a) (the file name and path can be adjusted to your liking) with the appropriate timing to start your jobs. For our tasks we use Cron-like jobs, with the Quartz CronTrigger (see http://www.quartz-scheduler.org/api/2.0.0/org/quartz/CronTrigger.html). An example configuration is:

  
  *  
    * 
  
    true
    false 
  
  
  
   
    TestJob
    com.acme.quartz.TestJob
   

   
    
     TestCronTrigger
     TestJob
     0 0 3 ? * MON-FRI
    
   
      

 

In this example the task executed by the com.acme.quartz.TestJob class is triggered at 3:00 AM on weekdays.

One last CAVEAT: On Windows, the ${jboss.server.home.dir} expression resolves to a String that contains backward slashes ('\') instead of forward slashes as path delimiter. The way the Quartz extension for JBoss reads in the properties is not able to cope with that, so you may need to provide a full path explicitly for any file names.

Use Apache as a secure (reverse) proxy for JBoss 5 AS/EAP

This task can be divided into two independent components (configure Apache to use SSL, set up Apache as a reverse proxy for JBoss) and a single step to make those two work together. The guidelines below have been successfully tested on an Apache 2.2.17/JBoss EAP 5.1.0.GA combination, the latter using Tomcat native libs, on a single server.


Part 1: Use SSL for access to Apache

1) Download and install the Apache Httpd server (version 2.2.6 or higher, 2.2.17 is the current). The folder in which the server is installed is referred to as APACHE_HOME further on.

2) In APACHE_HOME/conf/httpd.conf, un-comment the following lines:

    LoadModule ssl_module modules/mod_ssl.so

    Include conf/extra/httpd-ssl.conf

Then comment the following one (to restrict access without SSL):

    #Listen 80

3) Put your certificate and key in the APACHE_HOME/conf folder, and (if necessary) change the names in APACHE_HOME/conf/extra/httpd-ssl.conf entries to match:

    SSLCertificateFile "[APACHE_HOME]/conf/server.crt"
    SSLCertificateKeyFile "[APACHE_HOME]/conf/server.key"

If you don’t have a CA certificate, you can create a self-signed certificate for testing purposes, see e.g. the OpenSSL FAQ how to do so. An OpenSSL executable is provided in the APACHE_HOME/bin folder.

Remark: On Windows platforms it is not possible to use the SSLPassPhraseDialog-parameter (in httpd-ssl.conf) with the default value ‘builtin’. The simplest (albeit not the safest) solution is to remove the passphrase from the key, removing the need for Apache to ask for it at startup.

4) (Re-)start the Apache server and test whether it works as expected… and don’t forget the ‘https://’!

For an extensive explanation of the SSL configuration possibilities see Apache Module ssl_mod.


Part 2: Set Apache up as a reverse proxy for JBoss

1) Download the mod_jk connector (version 1.2.15 or higher, 1.2.31 is the current), rename the ‘mod_jk-1.2.[*]-httpd-2.2.x.so’ file to ‘mod_jk.so’ and move it to the APACHE_HOME/modules folder.

2) Add the following line to APACHE_HOME/conf/httpd.conf:

    Include conf/mod-jk.conf

3) Create a new file in APACHE_HOME/conf with the name ‘mod-jk.conf’, and fill it with:

    LoadModule jk_module modules/mod_jk.so

    JkWorkersFile conf/workers.properties

    JkLogFile logs/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
    JkRequestLogFormat "%w %V %T"

    JkOptions +ForwardKeySize +ForwardURICompatUnparsed -ForwardDirectories

    # Mount your applications
    ###JkMount /application/* loadbalancer
    # Mount all URLs:
    JkMount /* node1

    # You can addionally use external file for mount points.
    ###JkMountFile conf/uriworkermap.properties
    # Mount file reload check interval in secs (0 = turned off).
    ###JkMountFileReload 60

    # Add shared memory. Used only on unix platforms. The shm file is used by balancer and status workers.
    ###JkShmFile run/jk.shm

    # Add jkstatus for managing runtime data:
    <Location /jkstatus/>
        JkMount status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>

When not all requests are to be redirected to node1 the line starting with ‘JkMount’ must be adjusted. Furthermore it is possible to use a separate properties file (using ‘JkMountFile’, with entries following the pattern ‘URL=worker’, e.g. ‘/jmx-console=node1’) if you need a more extensive redirection scheme.

In the configuration above the access to the status manager (worker with ID ‘status’) is restricted to clients running on the same host, just for illustrative purposes.

See the Tomcat connector reference for further details and possibilities.

4) Create a new file in APACHE_HOME/conf named  ‘workers.properties’,  and put the following in it:

    # Define list of workers that will be used for mapping requests

    # Define Node1
    # modify the host as your host IP or DNS name.
    worker.node1.type=ajp13
    worker.node1.host=localhost
    worker.node1.port=8009
    worker.node1.ping_mode=A
    #worker.node1.connection_pool_size=10 # Only if the number of allowed connections to the Httpd is higher than maxThreads in JBoss server.xml.
    #worker.node1.lbfactor=1 # Only used for a member worker of a load balancer.
    # For non-loadbalanced setup with a single node:
    worker.list=node1

    # Define Node2
    # modify the host as your host IP or DNS name.
    #worker.node2.type=ajp13
    #worker.node2.host= node2.mydomain.com
    #worker.node2.port=8009
    #worker.node2.ping_mode=A
    #worker.node2.connection_pool_size=10
    #worker.node2.lbfactor=1

    # Load-balancing behaviour
    #worker.loadbalancer.type=lb
    #worker.loadbalancer.balance_workers=node1,node2
    #worker.loadbalancer.sticky_session=Off # Enabled by default.
    #worker.list=loadbalancer

    # Status worker for managing load balancer
    worker.status.type=status
    worker.list=status

Most lines above are commented out, since we’re aiming for a configuration for a single node without loadbalancing. It is straightforward to add more nodes, with or without loadbalancing; just pay attention to the fact that with loadbalancing the worker.list should not refer to the separate nodes but only to the loadbalancer worker.

5) For each (JBoss-)node a ‘jvmRoute’ attribute  must be added to the <Engine>-element in JBOSS_HOME/server/[configuration]/deploy/jbossweb.sar/server.xml, using the corresponding name from the mod_jk-configuration as a parameter:

    <Engine name="jboss.web" defaulthost="localhost" jvmroute="node1">

And for JBoss AS/EAP version 5 and above that is all that is required!

6) If you didn't configure Apache to use SSL, you can now (re-)start the JBoss en Apache servers and test whether the redirecting functions as expected…
If you did configure SSL for Apache, hang on just a bit more...


Part 3: Combining the twee solutions above

To be able to access Apache using SSL after which the request is passed to the JBoss instance over AJP, one last adjustment is required:

1) Move the JkMount directives from the APACHE_HOME/conf/mod-jk.conf file to the APACHE_HOME/conf/extra/httpd-ssl.conf file, and make sure they’re within the <VirtualHost> tags:

    <VirtualHost _default_:443>

    […]

    JkMount /* node1
    <Location /jkstatus/>
        JkMount status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>

    </VirtualHost>

After a restart of the Apache server the pages served by JBoss will be available over HTTPS from Apache (port 443).

Be aware that they are also still available over HTTP from JBoss directly (on port 8080), since the configuration above didn’t remove that (default) situation. To accomplish that, you should comment the HTTP connector entry in the server.xml file of jbossweb.sar.

Running jBPM 3.2.8_SOA on JBoss EAP 4.3

For my current project, I've been putting together JBoss EAP 4.3 and jBPM 3.2.8_SOA. At my company, we don't have the full JBoss SOA stack, yet do have support contracts for the two separately. Needless to say, it was unlikely that they would behave nicely together out-of-the-box...

The supported jBPM distribution comes as a zip file, lacking the installer that the community version does have. But once unzipped, there's a deploy/ directory with everything that needs to be copied onto the app server. So at a first glance it seemed straightforward enough to copy the data/ and deploy/ directories from the deploy/server/default/ folder of the unzipped distribution to the appropriate server base folder.

Wrong reference to JMS class

However, upon first starting up the server, it was indicated in the server.log file that an expected class for the MQ service MBeans (org.jboss.mq.server.jmx.Queue) could not be found. While I know this class was included in the libs distributed along with the 4.0.5 version of the app server, it is no longer found in the EAP 4.3 version and replaced since then. You'll need to replace these entries in the jbpm-mq-service.xml file (found in the deploy/jbpm directory):

    jboss.mq:service=DestinationManager



      jboss.mq:service=DestinationManager

with these:

    jboss.messaging:service=ServerPeer
    jboss.messaging:service=PostOffice



    jboss.messaging:service=ServerPeer
    jboss.messaging:service=PostOffice

and with those in place, the server starts up without any error messages in the log.

Unable to log onto the jBPM console

So the next step was trying to upload a process archive, but that plan was nipped in the bud by the login procedure of the jBPM console. Using a username-password combo that is in the default database entries (like the infamous admin/admin combo) I was denied access. The error logging threw me off at first in this case, as it complained about not being able to find the appropriate roles.properties and users.properties (e.g. like the ones provided for the JMX console). But adding these (in the deploy/jbpm/jsf-console.war/WEB-INF/classes/ directory) simply left me with a 403 Access Denied page, and no logging whatsoever!

The right answer was found in the jboss-web.xml (for the console). There the JAAS security domain is defined as "java:/jaas/soa", while in the jboss-service.xml (in the deploy/jbpm/jbpm-service.sar/META-INF/ directory) the name of the application is still "jbpm-console" - even though both are in the same distribution!

Changing

   ...

to

   ...

in the latter file does the trick, although it is just as fine when you would change the security domain in the former to "java:/jaas/jbpm-console", as long as the two are in sync.


Now with these two minor issues out of the way, I was able to deploy a simple process and run it. Not too bad for two distributions that weren't designed to work together. Possibly there are still some issues left to be solved, which I then undoubtedly will run into during the course of this project. If so, I'll simply dedicate another post about it...