I'm fairly sure this is a bug, but I want to confirm prior to ticketing. It's been pointed out to me that using an HTTPS endpoint with the reverse-proxy() handler always returns a 503 service unavailable. I'd first like to note that a good job of exposing the issue isn't done here. The actual error eluded me for a bit as it comes from the io.undertow.request logger instead of the expected io.undertow.proxy logger. And furthermore, the log level of the message is "DEBUG" and not "ERROR" or at least "WARN".

[DEBUG] io.undertow.request: Failed to connect
java.io.IOException: UT000065: SSL must be specified to connect to a https URL
    at io.undertow.client.http.HttpClientProvider.connect(HttpClientProvider.java:94)
    at io.undertow.client.UndertowClient.connect(UndertowClient.java:161)
    at io.undertow.server.handlers.proxy.ProxyConnectionPool.openConnection(ProxyConnectionPool.java:274)
    at io.undertow.server.handlers.proxy.ProxyConnectionPool.connect(ProxyConnectionPool.java:550)
    at io.undertow.server.handlers.proxy.LoadBalancingProxyClient.getConnection(LoadBalancingProxyClient.java:340)
    at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.run(ProxyHandler.java:329)
java.io.IOException: UT000065: SSL must be specified to connect to a https URL
    at io.undertow.client.http.HttpClientProvider.connect(HttpClientProvider.java:94)
    at io.undertow.client.UndertowClient.connect(UndertowClient.java:161)
    at io.undertow.server.handlers.proxy.ProxyConnectionPool.openConnection(ProxyConnectionPool.java:274)
    at io.undertow.server.handlers.proxy.ProxyConnectionPool.connect(ProxyConnectionPool.java:550)
    at io.undertow.server.handlers.proxy.LoadBalancingProxyClient.getConnection(LoadBalancingProxyClient.java:340)
    at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.run(ProxyHandler.java:329)

The issue appears to be that the ProxyHandlerBuilder class calls

    loadBalancingProxyClient.addHost(url);

for each host provided. The overloaded addHost() method which only accepts a URI sets the SSL flag to null and nowhere does the proxy client seem smart enough to look at the URL and default that setting accordingly.

I think two changes are in order:
- The reverse-proxy() handler builder or the proxy client needs to detect HTTPS URIs and set the SSL flag
- The logging when this happens should be of an ERROR or WARN log level and ideally, present in the proxy logger.

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp

E-mail: br...@coldbox.org
ColdBox Platform: http://www.coldbox.org
--
The issue is that there is no real way to set this from the predicate language, as the SSL object is basically a configured SSLContext, which is not really possible to represent in the predicate language. Maybe this could be expanded to pass in keystore/truststore into the proxy handler and set it up that way.
This should be detected at setup time rather than on connection.
The reason why this is logged at debug is because IOException is generally logged at debug (to prevent an attacker flooding the logs by just opening connections and then breaking them). The issue in this case is that we don't really discriminate between a client IO exception (where we have had issues talking to another server) vs. a problem with our server connection.
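
An added example, not part of the thread and not Undertow's own code: a setup-time check of the kind discussed above, which picks the two-argument addHost(URI, XnioSsl) overload for https backends and rejects an https backend that has no SSL object instead of letting it fail later with UT000065. The class name ProxyHostSetup, the configure() helper and the backend-*.example hosts are assumptions made for illustration.

```java
import io.undertow.protocols.ssl.UndertowXnioSsl;
import io.undertow.server.handlers.proxy.LoadBalancingProxyClient;
import org.xnio.OptionMap;
import org.xnio.Xnio;
import org.xnio.ssl.XnioSsl;

import javax.net.ssl.SSLContext;
import java.net.URI;
import java.security.NoSuchAlgorithmException;
import java.util.List;

// Hypothetical helper class; not part of Undertow.
public final class ProxyHostSetup {

    /**
     * Adds each backend to the proxy client, choosing the addHost overload by scheme.
     * An https backend without an XnioSsl is rejected here, at setup time,
     * rather than surfacing on the first connection as a DEBUG-level UT000065 and a 503.
     */
    static LoadBalancingProxyClient configure(List<URI> backends, XnioSsl ssl) {
        LoadBalancingProxyClient client = new LoadBalancingProxyClient();
        for (URI backend : backends) {
            if ("https".equalsIgnoreCase(backend.getScheme())) {
                if (ssl == null) {
                    throw new IllegalArgumentException(
                            "https backend " + backend + " requires an XnioSsl");
                }
                client.addHost(backend, ssl);   // overload that carries the SSL object
            } else {
                client.addHost(backend);        // URI-only overload, as the builder calls it
            }
        }
        return client;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // JVM default SSLContext: backend certificates are checked against the default trust store.
        XnioSsl ssl = new UndertowXnioSsl(Xnio.getInstance(), OptionMap.EMPTY, SSLContext.getDefault());

        // Constructed sample backends; addHost() only registers them, no connection is opened here.
        configure(List.of(URI.create("http://backend-a.example:8080"),
                          URI.create("https://backend-b.example:8443")), ssl);
        try {
            configure(List.of(URI.create("https://backend-b.example:8443")), null);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected at setup: " + e.getMessage());
        }
    }
}
```

The returned client can be handed to a ProxyHandler in place of the one the reverse-proxy() builder creates.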