403 when trying to access /mod_cluster-manager?

Question

I'm running CentOS 7 with Apache 2.4.6. I'm trying to create a Wildfly/JBoss cluster using mod_cluster 1.2.6. I've successfully accomplished this on Mac OSX, and am just trying to get it up and running in our server environment.

My cluster and virtual host config looks like this:

 LoadModule slotmem_module       modules/mod_slotmem.so
 LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
 LoadModule advertise_module     modules/mod_advertise.so
 LoadModule manager_module       modules/mod_manager.so

 MemManagerFile /var/cache/httpd

<VirtualHost *:80>

  <Directory />
    Order deny,allow
    Allow from all
  </Directory>

  KeepAliveTimeout 60
  MaxKeepAliveRequests 0
  ManagerBalancerName myBalancer
  ServerAdvertise On
  AdvertiseFrequency 3
  EnableMCPMReceive

  <Location /mod_cluster-manager>
    SetHandler mod_cluster-manager
    Order deny,allow
    Allow from all
  </Location>
</VirtualHost>

The server starts fine, however when I try to access http://localhost/mod_cluster-manager I get a 403 saying permission denied. Here is the exact message in my error_log file:

[Wed Jul 30 11:53:21.547109 2014] [authz_core:error] [pid 6012] [client 127.0.0.1:36425] AH01630: client denied by server configuration: /mod_cluster-manager

I did not encounter any such issues in getting this to work on OSX, so I'm not entirely sure what the problem is or why I'm getting a 403. As I understand it, the Allow from all directive should be enough to grant me access when connecting via localhost. Has anyone else run into anything similar? Am I missing something?

Answer 1

Getting error response " You don't have permission to access mod_cluster_manager on this server " when trying to access the management URL: http://myHttpd:6666/mod_cluster_manager

Apache 2.4 mod_cluster 1.3 required me to configure basic authentication.

Go to $HTTPD_HOME/bin and create a login account for e.g. "admin" as follows:

./htpasswd -c /etc/httpd/modclusterpassword admin

then, in your /etc/httpd/conf/httpd.conf or one of its child include file like /etc/httpd/conf.d/mod_cluster.conf, find the section under which you shall now have:

<Location /mod_cluster_manager>
  SetHandler mod_cluster-manager
  AuthType Basic
  AuthName "MCM"
  AuthUserFile /etc/httpd/modclusterpassword
  Require user admin

  Order deny,allow
  Deny from all
  Allow from all
</Location>

and restart the HTTPD service.

Now going to http://myHttpd:6666/mod_cluster_manager, will prompt for login. Use 'admin' and the password supplied interactively vi 'htpasswd' hereabove.

Answer 2

You have degraded version. Please try using as below:

<Directory />
    Order deny,allow
    Deny from all
    Allow from all
    Require all granted
</Directory>

Answer 3

Regarding configuration

Yes you are, but the fix is a trivial one: Apache HTTP Server 2.4.x employs mod_authz system requiring a slightly different configuration, e.g.: Allow MCMP messages from worker nodes in EnableMCPMReceive active VirtualHost only from your internal network 10.10.:

<Directory />
    Require ip 10.10.
</Directory>

or for development more convenient:

<Directory />
    Require all granted
</Directory>

Anyway, this is one of default configuration examples for Apache HTTP Server 2.4.x:

# Load mod_cluster modules
# Please, note:
#  - mod_cluster cannot coexist with proxy_balancer_module; disable it
#  - mod_cluster needs proxy_module and proxy_ajp_module loaded for AJP transport

LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module modules/mod_cluster_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule advertise_module modules/mod_advertise.so

# Place for slotmem files
MemManagerFile cache/mod_cluster

<IfModule manager_module>
  ## We suggest to use a restricted VirtualHost
  ## for receiving MCPM (Mod Cluster Protocol Message) from worker nodes. 
  Listen 6666
  <VirtualHost *:6666>
    <Directory />
      Require ip 127.0.0.1
    </Directory>
    ## Apache HTTP Server advertises its presence
    ## on 224.0.1.105:23364 by default.
    ServerAdvertise on
    EnableMCPMReceive

    ## Management and monitoring console
    <Location /mod_cluster_manager>
      SetHandler mod_cluster-manager
      Require ip 127.0.0.1
   </Location>
  </VirtualHost>
</IfModule>

Regarding mod_cluster version

Please, note that mod_cluster 1.2.6.Final is obsolete, it contains several performance and security related bugs that have been fixed in newer versions.

Definitely download mod_cluster 1.3.1.Final binaries or use mod_cluster 1.3.1.Final Apache HTTP Server enabled load balancer Docker image. You may also compile the modules yourself; the Dockerfile contents may guide you as far as Linux environment goes.