I'm confused about your configuration. You say your client is using this
URL:


tcp://localhost:8890/ssl-broker?sslEnabled=true;needClientAuth=true;keyStorePath=/tmp/ssl-restclient.p12;keyStorePassword=ssl

The needClientAuth parameter is only for an *acceptor* as noted in the
documentation you cited [1]. Therefore, you can omit this from your URL.

The keyStorePath and keyStorePassword are only needed when you're doing
2-way SSL. Are you doing 2-way SSL? Is that what you're referring to when
you say "client auth stuff"?

The URL doesn't include httpEnabled=true. The client won't know to use HTTP
unless you tell it to, so this parameter is necessary. The documentation is
ambiguous on this point. When it says this parameter is no longer needed it
means it is no longer needed on the *acceptor* configured in broker.xml.

I'm actually not sure how the client will function with an HTTP proxy. I
don't believe that's something we test, and I can't recall any other users
with such a configuration. Is there a specific reason you need this proxy?
Using the client over HTTP will work, but it's not ideal.


Justin

[1]
https://activemq.apache.org/components/artemis/documentation/latest/configuring-transports.html

On Wed, Jul 13, 2022 at 5:05 AM Torsten Krah <krah...@gmail.com> wrote:

> Hi,
>
> so far I was successful configuring artemis and my client to use the
> "raw" protocol with ssl support.
>
> Now I need to put a https proxy in between (which does need client
> auth) but I am failing to get a connection to the broker - the docs [1]
> have this for netty http:
>
> => Netty HTTP tunnels packets over the HTTP protocol. It can be useful in
> scenarios where firewalls only allow HTTP traffic to pass.
>
>
> So my broker has this listening (acceptor) url (running under the
> hostname artemis and has ssl enabled)
>
> tcp://0.0.0.0:61616?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;amqpMinLargeMessageSize=102400;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;amqpDuplicateDetection=true;supportAdvisory=false;suppressInternalManagementObjects=false;sslEnabled=true;keyStorePath=${data.dir}/../etc/ssl.p12;keyStorePassword=ssl
>
>
> My client uses this broker url:
>
>
> tcp://localhost:8890/ssl-broker?sslEnabled=true;needClientAuth=true;keyStorePath=/tmp/ssl-restclient.p12;keyStorePassword=ssl
>
> And the httpd proxy (listening on localhost:8890 and doing the ssl +
> client auth stuff) in between is configured like this (just the forward
> rules - omitted the https config stuff):
>
>     RewriteCond %{HTTP:Upgrade} websocket [NC]
>     RewriteCond %{HTTP:Connection} upgrade [NC]
>     RewriteRule ^/?(.*) "wss://artemis:61616/$1" [P,L]
>
>     RewriteRule ^/?(.*) https://artemis:61616/$1 [P,L]
>
>     ProxyPassReverse "/" "https://artemis:61616/"
>
>
> Proxy-Log output is:
>
> 172.17.0.1 - - [13/Jul/2022:09:39:10 +0000] "ARTEMIS" 400 226
>
> and the client has this in the logs:
>
> Caused by: org.apache.activemq.artemis.api.core.ActiveMQConnectionTimedOutException: AMQ219013: Timed out waiting to receive cluster topology. Group:null
>         at org.apache.activemq.artemis.core.client.impl.ServerLocatorImpl.createSessionFactory(ServerLocatorImpl.java:748)
>         at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnectionInternal(ActiveMQConnectionFactory.java:865)
>         ... 16 common frames omitted
>
> I am a little bit lost as the docs read for netty http:
>
> => With single port support Apache ActiveMQ Artemis will now automatically
> detect if http is being used and configure itself.
>
>
> So how does artemis work with netty http and https proxies in between?
> Any pointers appreciated what I need to configure on the client side to
> get a successful connection.
>
>
> [1]
> https://activemq.apache.org/components/artemis/documentation/latest/configuring-transports.html
>
> thanks
>
> Torsten
>
>
>
>
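
The parameter points from the reply at the top of this thread, written as a small check over the client URL. This is an added example, not code from the thread or from Artemis; the function names and the two parameter sets are assumptions built only from what the reply states, not a full list of Artemis options, and it says nothing about whether the proxy setup itself will work.

```python
from urllib.parse import urlsplit

# Classification taken from the reply in this thread (assumption: not exhaustive).
ACCEPTOR_ONLY = {"needClientAuth"}
TWO_WAY_SSL_ONLY = {"keyStorePath", "keyStorePassword"}

def parse_params(url):
    """Split the query of an Artemis transport URL on ';' (also accepts '&')."""
    params = {}
    for pair in urlsplit(url).query.replace("&", ";").split(";"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params

def lint_connector_url(url, via_http, two_way_ssl):
    """Return (parameter, finding) tuples for a client-side URL."""
    params = parse_params(url)
    findings = []
    for key in sorted(ACCEPTOR_ONLY & params.keys()):
        findings.append((key, "acceptor-only; omit from the client URL"))
    if via_http and params.get("httpEnabled", "").lower() != "true":
        findings.append(("httpEnabled", "missing; the client will not use HTTP without it"))
    if not two_way_ssl:
        for key in sorted(TWO_WAY_SSL_ONLY & params.keys()):
            findings.append((key, "only needed for 2-way SSL"))
    return findings

def fixed_url(url, via_http):
    """Rebuild the URL without acceptor-only parameters, adding httpEnabled if needed."""
    params = {k: v for k, v in parse_params(url).items() if k not in ACCEPTOR_ONLY}
    if via_http:
        params["httpEnabled"] = "true"
    base = url.split("?", 1)[0]
    return base + "?" + ";".join(f"{k}={v}" for k, v in params.items())

# The client URL quoted in the thread.
CLIENT_URL = ("tcp://localhost:8890/ssl-broker?sslEnabled=true;needClientAuth=true;"
              "keyStorePath=/tmp/ssl-restclient.p12;keyStorePassword=ssl")

if __name__ == "__main__":
    for name, finding in lint_connector_url(CLIENT_URL, via_http=True, two_way_ssl=True):
        print(f"{name}: {finding}")
    print(fixed_url(CLIENT_URL, via_http=True))
```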
