Kohei Nozaki's blog 

Configuring WildFly as a standalone HTTP/HTTPS server


Posted on Sunday Feb 08, 2015 at 12:23PM in Technology


Environment

  • WildFly 8.2.0.Final

Requirement

  • WildFly runs as a process owned by a regular (non-root) user, so it cannot bind the privileged ports 80 and 443 itself

  • WildFly listens on ports 8080 and 8443

  • iptables forwards ports 80 and 443 to the ports WildFly is listening on

  • Record the equivalent of a combined-format access_log on the HTTP/HTTPS listeners

  • Gzip compression enabled

Defining SSL listener

  1. Set the HTTPS port to 8443

    /socket-binding-group=standard-sockets/socket-binding=https:write-attribute(name=port, value="${jboss.https.port:8443}")
  2. Put your Java KeyStore (holding the server certificate and its private key) in $WILDFLY_HOME/standalone/configuration/mykeystore.jks

  3. Create a security realm named CertificateRealm that uses the keystore as its SSL server identity

    /core-service=management/security-realm=CertificateRealm:add
    /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add( \
    	keystore-path="mykeystore.jks", \
    	keystore-relative-to="jboss.server.config.dir", \
    	keystore-password="PASSPHRASE")
  4. Create an HTTPS listener bound to the https socket binding that uses this realm:

    /subsystem=undertow/server=default-server/https-listener=myHttpsListener:add( \
    	socket-binding="https", \
    	security-realm="CertificateRealm")

Defining a socket binding for HTTP ⇒ HTTPS redirection

By default WildFly redirects clients to port 8443 when they request a confidential resource, because that is the port its HTTPS listener is bound to. In my setup clients reach the server through port 443, so the redirect must point at 443 instead of 8443; the following tells WildFly to do that.

/socket-binding-group=standard-sockets/socket-binding=https-external:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value="https-external")

Configuring WildFly to listen on 0.0.0.0

/system-property=jboss.bind.address:add(value=0.0.0.0)

Defining combined access_log equivalent

/subsystem=undertow/server=default-server/host=default-host/setting=access-log:add
/subsystem=undertow/server=default-server/host=default-host/setting=access-log:write-attribute(name=pattern, value="%h %l %u [%t] \"%r\" %s %b \"%{i,Referer}\" \"%{i,User-Agent}\"")
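Once the pattern above is in place, the log lines are the input for any later review or detection. The following parser is an added example (not code from the original post or from WildFly): it reads lines in exactly the shape that pattern declares, optionally with a trailing X-Forwarded-For field appended as the comments on this entry discuss for hosts behind a load balancer, and counts 4xx/5xx responses per client. The sample lines are constructed, the timestamp group tolerates doubled brackets in case the %t token emits its own [...] wrapper (an assumption, not verified here), and the X-Forwarded-For handling is only meaningful when the balancer in front of WildFly overwrites that header rather than passing a client-supplied value through.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Regex for the page's access-log pattern:
#   %h %l %u [%t] "%r" %s %b "%{i,Referer}" "%{i,User-Agent}"
# plus an optional trailing "%{i,X-Forwarded-For}" field for hosts behind a
# load balancer. The timestamp group tolerates doubled brackets in case the
# %t token already emits its own [...] wrapper (assumption, not checked here).
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[+(?P<time>[^\]]+)\]+ '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?$'
)


@dataclass
class AccessRecord:
    client: str      # peer address, or first X-Forwarded-For entry when present
    time: str
    method: str
    path: str
    status: int
    size: int        # %b logs "-" for zero bytes; normalised to 0
    referer: str
    agent: str


def parse_line(line: str) -> Optional[AccessRecord]:
    """Parse one access-log line; return None if it does not match the pattern."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    xff = m.group("xff")
    # X-Forwarded-For is client-supplied unless the load balancer overwrites it,
    # so only prefer it over %h for logs that really come from behind that balancer.
    if xff and xff != "-":
        client = xff.split(",")[0].strip()
    else:
        client = m.group("host")
    raw_size = m.group("bytes")
    return AccessRecord(
        client=client,
        time=m.group("time"),
        method=m.group("method"),
        path=m.group("path"),
        status=int(m.group("status")),
        size=0 if raw_size == "-" else int(raw_size),
        referer=m.group("referer"),
        agent=m.group("agent"),
    )


def parse_log(lines: Iterable[str]) -> Tuple[List[AccessRecord], int]:
    """Parse all lines; return (records, number of unparseable non-empty lines)."""
    records, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    return records, unparsed


def error_counts(records: Iterable[AccessRecord], threshold: int = 3):
    """Count 4xx/5xx responses per client and list clients at or above threshold."""
    errors = Counter(r.client for r in records if r.status >= 400)
    flagged = sorted(c for c, n in errors.items() if n >= threshold)
    return errors, flagged


# Constructed sample lines in the shape the pattern above produces (not real logs).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Feb/2015:12:23:45 +0900] "GET /app/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Feb/2015:12:23:46 +0900] "GET /app/style.css HTTP/1.1" 200 812 "https://example.test/app/index.html" "Mozilla/5.0"
203.0.113.7 - - [08/Feb/2015:12:24:01 +0900] "GET /app/admin HTTP/1.1" 403 - "-" "curl/7.40.0"
203.0.113.7 - - [08/Feb/2015:12:24:02 +0900] "GET /app/old HTTP/1.1" 404 - "-" "curl/7.40.0"
203.0.113.7 - - [08/Feb/2015:12:24:03 +0900] "GET /app/missing HTTP/1.1" 404 - "-" "curl/7.40.0"
10.0.0.5 - - [[08/Feb/2015:12:25:00 +0900]] "POST /app/login HTTP/1.1" 302 - "-" "Mozilla/5.0" "198.51.100.23, 10.0.0.5"
this line is not an access log entry
"""

if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG.splitlines())
    counts, flagged = error_counts(recs)
    print(f"{len(recs)} records parsed, {bad} unparseable line(s)")
    print("4xx/5xx per client:", dict(counts))
    print("clients at/above threshold:", flagged)
```

Unparseable lines are counted rather than silently dropped, so a change to the Undertow pattern (or a stray stack trace in the file) shows up as a rising unparsed count instead of as missing requests.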

Enabling gzip compression

/subsystem=undertow/configuration=filter/gzip=gzipFilter/:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=gzipFilter:add(\
 predicate="exists['%{o,Content-Type}'] and regex[pattern='(?:application/javascript|text/css|text/html|text/xml|application/json)(;.*)?', value=%{o,Content-Type}, full-match=true]")
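The predicate above compresses a response only when a Content-Type header exists and the whole header value matches the regex (full-match=true), which is why the `(;.*)?` suffix is needed to admit parameters such as `; charset=UTF-8`. As an added example (not part of the original post or of Undertow), the following Python emulates that predicate so the set of compressed types can be checked before deploying a changed pattern; the header lookup is case-insensitive as HTTP requires, and the `full_match=False` switch shows what a plain substring match would wrongly accept.

```python
import re
from typing import Mapping, Optional

# Pattern copied from the page's gzip filter-ref predicate.
GZIP_TYPES = re.compile(
    r'(?:application/javascript|text/css|text/html|text/xml|application/json)(;.*)?'
)


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def should_gzip(headers: Mapping[str, str], full_match: bool = True) -> bool:
    """Emulate: exists['%{o,Content-Type}'] and regex[pattern=..., full-match=<full_match>]."""
    ctype = get_header(headers, "Content-Type")
    if ctype is None:  # exists[] fails: responses without Content-Type stay uncompressed
        return False
    if full_match:
        return GZIP_TYPES.fullmatch(ctype) is not None
    # Without full-match the regex only has to occur somewhere in the value.
    return GZIP_TYPES.search(ctype) is not None


if __name__ == "__main__":
    samples = (
        {"Content-Type": "text/html; charset=UTF-8"},
        {"content-type": "application/json"},
        {"Content-Type": "text/html2"},
        {"Content-Type": "image/png"},
        {},
    )
    for hdrs in samples:
        print(hdrs, "->", should_gzip(hdrs))
```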

Also sending a Vary: Accept-Encoding response header is better for proxies, so that compressed and uncompressed copies of the same URL are cached separately. Inserting it conditionally (only on compressed responses) would be best, but an issue has been reported about that at the time of writing, so I go with unconditional insertion this time.

/subsystem=undertow/configuration=filter/response-header=vary-header:add(header-name="Vary", header-value="Accept-Encoding")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=vary-header:add

Configuring iptables redirection

An example of /etc/sysconfig/iptables. Note that nat PREROUTING rewrites the destination port before the filter table sees the packet, so the INPUT rules accept WildFly's ports 8080 and 8443 rather than 80 and 443:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination :8080 -m comment --comment "HTTP"
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination :8443 -m comment --comment "HTTPS"
-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination :10025 -m comment --comment "SMTP"
-A PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination :10465 -m comment --comment "SMTPS"
-A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination :10993 -m comment --comment "IMAPS"
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -m comment --comment "HTTP"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT -m comment --comment "HTTPS"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10025 -j ACCEPT -m comment --comment "SMTP"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10465 -j ACCEPT -m comment --comment "SMTPS"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10993 -j ACCEPT -m comment --comment "IMAPS"
COMMIT
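A ruleset like this fails quietly when the INPUT chain accepts the public port instead of the DNAT target: the redirect happens, and the rewritten packet is then dropped by the INPUT DROP policy. The following check is an added example (not part of the original post): it parses iptables-save text, pairs each nat PREROUTING DNAT rule with the internal port it redirects to, and reports any target port that no INPUT ACCEPT rule names. The embedded sample is the ruleset shown above; the helper assumes single destination ports, not ranges.

```python
import shlex

# The page's /etc/sysconfig/iptables example, embedded here as the sample input.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination :8080 -m comment --comment "HTTP"
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination :8443 -m comment --comment "HTTPS"
-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination :10025 -m comment --comment "SMTP"
-A PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination :10465 -m comment --comment "SMTPS"
-A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination :10993 -m comment --comment "IMAPS"
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -m comment --comment "HTTP"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT -m comment --comment "HTTPS"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10025 -j ACCEPT -m comment --comment "SMTP"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10465 -j ACCEPT -m comment --comment "SMTPS"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10993 -j ACCEPT -m comment --comment "IMAPS"
COMMIT
"""


def parse_tables(text):
    """Split iptables-save text into {table: [tokenised -A rules]}; policies and COMMIT are skipped."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A") and current is not None:
            tables[current].append(shlex.split(line))  # shlex keeps quoted comments together
    return tables


def option_value(rule, option):
    """Argument following `option` in a tokenised rule, or None if absent."""
    if option in rule and rule.index(option) + 1 < len(rule):
        return rule[rule.index(option) + 1]
    return None


def dnat_redirects(tables):
    """(public_port, internal_port) for each nat PREROUTING DNAT rule (single ports only)."""
    pairs = []
    for rule in tables.get("nat", []):
        if rule[1] != "PREROUTING" or option_value(rule, "-j") != "DNAT":
            continue
        dport, dest = option_value(rule, "--dport"), option_value(rule, "--to-destination")
        if dport and dest and ":" in dest:
            pairs.append((int(dport), int(dest.rsplit(":", 1)[1])))
    return pairs


def accepted_input_ports(tables):
    """Destination ports explicitly accepted by filter INPUT rules."""
    ports = set()
    for rule in tables.get("filter", []):
        if rule[1] == "INPUT" and option_value(rule, "-j") == "ACCEPT":
            dport = option_value(rule, "--dport")
            if dport:
                ports.add(int(dport))
    return ports


def unreachable_redirects(text):
    """DNAT targets the INPUT chain would drop.

    nat PREROUTING rewrites the destination port before the filter table sees the
    packet, so with a default INPUT DROP policy the accept rule must name the
    internal port (8080), not the public one (80).
    """
    tables = parse_tables(text)
    accepted = accepted_input_ports(tables)
    return [(pub, internal) for pub, internal in dnat_redirects(tables) if internal not in accepted]


if __name__ == "__main__":
    print("DNAT redirects:", dnat_redirects(parse_tables(SAMPLE_RULES)))
    print("dropped by INPUT:", unreachable_redirects(SAMPLE_RULES))
    # Common mistake: accepting the public port 443 instead of the DNAT target 8443.
    broken = SAMPLE_RULES.replace("--dport 8443 -j ACCEPT", "--dport 443 -j ACCEPT")
    print("broken variant:", unreachable_redirects(broken))
```

Run it against the output of `iptables-save` on the host instead of the embedded text to check a live ruleset; an empty list means every redirected port is also accepted.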



Comments:

Hi,

Could you please guide me on how to configure WildFly 10 on ports 80 and 443?

Please help me.

Posted by Sonu Kumar Gupta on June 18, 2016 at 08:43 PM JST #


Hi Sonu,

Do you mean the configuration described in this entry didn't work for WildFly 10? If so, which part is the problem?

Posted by Kohei on June 18, 2016 at 08:52 PM JST #


Hi,

WildFly 10 is running on the default ports 8080 and 8443.

We have installed an SSL certificate for our domain, but it only works when using the URL https://xyz.domain.com:8443/ag-push/

I want to run it without the port in the URL, like this: "https://xyz.domain.com/ag-push/"

Thanks for your reply.

Posted by Sonu Kumar Gupta on June 19, 2016 at 06:45 PM JST #


Hi Sonu,

Have you tried the iptables redirection described in the later part of this entry?

Posted by Kohei on June 19, 2016 at 07:33 PM JST #


Hi Kohei,

I have tried iptables redirection but no luck in my case.

Thanks.

Posted by Sonu Kumar Gupta on June 20, 2016 at 02:18 AM JST #


Hi Kohei,
I have WildFly 10 running on Windows and I want to set up web access logging. How can I do this?
Thanks,

Posted by Ersoy Ustun on June 21, 2016 at 04:44 PM JST #


Hi Ersoy,

Have you tried the procedure described in the section "Defining combined access_log equivalent" in this entry? Just launch jboss-cli and run the commands.

Posted by Kohei on June 21, 2016 at 08:20 PM JST #


Hi,

Can you please help me, because I am new to WildFly... Can you send me a copy of the standalone.xml for the above example, in order to figure out where to place all the things that you describe? On my Ubuntu server that runs WildFly I can't find /etc/sysconfig/iptables. Can you help me with that?

Thank you
Jimmy

Posted by Jimmy on June 27, 2016 at 11:04 PM JST #


Hi,
Our WildFly server is behind a Netscaler load balancer. I enabled the access logs, but I see only the load balancer IP, not the client IP. I did lots of things but no success. Any useful help will be welcome :)

Posted by Ersoy Ustun on June 29, 2016 at 07:55 PM JST #


Hi Jimmy,

You don't need to put the things into standalone.xml - just launch jboss-cli and run the commands. As for /etc/sysconfig/iptables, please do some research by googling "iptables ubuntu".

Posted by Kohei on July 02, 2016 at 08:20 AM JST #


Hi Ersoy,

You said a load balancer has been configured, so have you checked https://developer.jboss.org/thread/242284?start=0&tstart=0 ? In that thread someone mentioned the pattern "%{x-forwarded-for}i"; I think this would work. Have you tried this one?

Also the pattern is described in the source code of Undertow: https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/accesslog/AccessLogHandler.java#L81

If you want more help, I'd recommend JBoss Forum - there are many experts and WildFly developers watching. https://developer.jboss.org/en/wildfly

Posted by Kohei on July 02, 2016 at 08:33 AM JST #


Hi Ersoy, try this one instead:

%{i,X-Forwarded-For}

The one "%{x-forwarded-for}i" which I mentioned in the last comment seems wrong.

Posted by Kohei on July 02, 2016 at 08:37 AM JST #

