Kohei Nozaki's blog 

Configuring WildFly as a standalone HTTP/HTTPS server


Posted on Sunday Feb 08, 2015 at 12:23PM in Technology


Environment

  • WildFly 8.2.0.Final

Requirement

  • WildFly runs as a process owned by a regular (non-root) user

  • WildFly listens on ports 8080 and 8443

  • iptables forwards ports 80 and 443 to the ports WildFly is listening on

  • Record the equivalent of a combined-format access_log for the HTTP/HTTPS listeners

  • Gzip compression enabled

Defining SSL listener

  1. Set the https port to 8443

    /socket-binding-group=standard-sockets/socket-binding=https:write-attribute(name=port, value="${jboss.https.port:8443}")
  2. Put your Java KeyStore in $WILDFLY_HOME/standalone/configuration/mykeystore.jks

  3. Create a security realm named CertificateRealm

    /core-service=management/security-realm=CertificateRealm:add
    /core-service=management/security-realm=CertificateRealm/server-identity=ssl:add( \
        keystore-path="mykeystore.jks", \
        keystore-relative-to="jboss.server.config.dir", \
        keystore-password="PASSPHRASE")
  4. Create an https listener:

    /subsystem=undertow/server=default-server/https-listener=myHttpsListener:add( \
        socket-binding="https", \
        security-realm="CertificateRealm")

Defining a socket binding for HTTP ⇒ HTTPS redirection

By default, WildFly redirects to port 8443 when a client attempts to enter a confidential area, because that is the port WildFly itself listens on. In my case the client needs to be redirected to port 443 instead of 8443, so I have to tell WildFly to send redirects to 443 rather than 8443.

/socket-binding-group=standard-sockets/socket-binding=https-external:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value="https-external")

Configuring WildFly to listen on 0.0.0.0

/system-property=jboss.bind.address:add(value=0.0.0.0)

Defining a combined access_log equivalent

/subsystem=undertow/server=default-server/host=default-host/setting=access-log:add
/subsystem=undertow/server=default-server/host=default-host/setting=access-log:write-attribute(name=pattern, value="%h %l %u [%t] \"%r\" %s %b \"%{i,Referer}\" \"%{i,User-Agent}\"")

Enabling gzip compression

/subsystem=undertow/configuration=filter/gzip=gzipFilter:add
/subsystem=undertow/server=default-server/host=default-host/filter-ref=gzipFilter:add(\
 predicate="exists['%{o,Content-Type}'] and regex[pattern='(?:application/javascript|text/css|text/html|text/xml|application/json)(;.*)?', value=%{o,Content-Type}, full-match=true]")

Sending Vary: Accept-Encoding is also better for proxies and caches. Conditional insertion would be best, but an issue has been reported about it at the time of writing, so I'll go with unconditional insertion this time.

/subsystem=undertow/configuration=filter/response-header=vary-header:add(header-name="Vary", header-value="Accept-Encoding")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=vary-header:add
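Once the redirect, access-log and gzip settings above are applied, the following checks confirm that the server actually behaves as intended. This is an added example, not part of the original post or of WildFly; the hostnames, response headers and log line are constructed, and the functions work equally on the output of `curl -sI` against a live server.

```shell
#!/bin/sh
# Added example (not from the original post): post-configuration checks for the
# setup above. Each function takes the raw text of a response (as printed by
# `curl -sI`) or one access_log line and returns 0 when it matches the intended
# configuration, 1 otherwise. All sample data below is constructed.

# A redirect into a confidential area must carry port 443 (or no port), not 8443.
check_redirect_port() {
  loc=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^Location:' | awk '{print $2}')
  case "$loc" in
    https://*:8443/*|https://*:8443) return 1 ;;  # redirect-socket not applied
    https://*) return 0 ;;
    *) return 1 ;;                                 # no Location, or not https
  esac
}

# gzip filter: body compressed and Vary: Accept-Encoding present so caches key on it.
check_gzip_headers() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  printf '%s\n' "$hdrs" | grep -qi '^Content-Encoding: *gzip' || return 1
  printf '%s\n' "$hdrs" | grep -qi '^Vary:.*Accept-Encoding'
}

# Combined-format access_log line: nine fields ending with quoted Referer and
# User-Agent. The timestamp match tolerates doubled brackets ([[...]]), which
# [%t] produces if %t already emits its own brackets.
check_combined_log_line() {
  printf '%s\n' "$1" | grep -Eq '^[^ ]+ [^ ]+ [^ ]+ \[[^"]+\] "[^"]*" [0-9]{3} (-|[0-9]+) "[^"]*" "[^"]*"$'
}

# Constructed samples; against a live server use e.g.
#   check_redirect_port "$(curl -sI http://www.example.com/secure/)"
SAMPLE_REDIRECT_OK='HTTP/1.1 302 Found
Location: https://www.example.com/secure/'
SAMPLE_REDIRECT_BAD='HTTP/1.1 302 Found
Location: https://www.example.com:8443/secure/'
SAMPLE_GZIP_OK='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Encoding: gzip
Vary: Accept-Encoding'
SAMPLE_LOG_OK='203.0.113.7 - - [08/Feb/2015:12:23:45 +0900] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'
SAMPLE_LOG_BAD='203.0.113.7 - - [08/Feb/2015:12:23:45 +0900] "GET /index.html HTTP/1.1" 200 5123'

run_checks() {
  check_redirect_port "$SAMPLE_REDIRECT_OK"  && echo "redirect port: ok"
  check_redirect_port "$SAMPLE_REDIRECT_BAD" || echo "redirect port: still 8443"
  check_gzip_headers "$SAMPLE_GZIP_OK"       && echo "gzip + Vary: ok"
  check_combined_log_line "$SAMPLE_LOG_OK"   && echo "access_log format: ok"
  check_combined_log_line "$SAMPLE_LOG_BAD"  || echo "access_log format: not combined"
}
run_checks
```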

Configuring iptables redirection

An example of /etc/sysconfig/iptables:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination :8080 -m comment --comment "HTTP"
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination :8443 -m comment --comment "HTTPS"
-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination :10025 -m comment --comment "SMTP"
-A PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination :10465 -m comment --comment "SMTPS"
-A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination :10993 -m comment --comment "IMAPS"
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -m comment --comment "HTTP"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT -m comment --comment "HTTPS"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10025 -j ACCEPT -m comment --comment "SMTP"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10465 -j ACCEPT -m comment --comment "SMTPS"
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10993 -j ACCEPT -m comment --comment "IMAPS"
COMMIT