
ActiveMQ Artemis GUI Jolokia access in docker container


I'm running ActiveMQ Artemis inside of docker containers for our three environments (DEV/QA/PROD).

The management console typically runs on port 8161 and so I included this in the artemis create statement when I created the broker.

    --http-host 0.0.0.0 --http-port 8161

So this causes the following two changes that I can see:

  1. bootstrap.xml gets the host/port:

    <web bind="http://0.0.0.0:8161" path="web">
       <app url="redhat-branding" war="redhat-branding.war"/>
       <app url="artemis-plugin" war="artemis-plugin.war"/>
       <app url="dispatch-hawtio-console" war="dispatch-hawtio-console.war"/>
       <app url="console" war="console.war"/>
    </web>
    
  2. jolokia-access.xml gets the host/port:

    <allow-origin>*://0.0.0.0*</allow-origin>
    

I'm trying to access the ActiveMQ Artemis Hawtio management console from a remote computer, but the exposed docker ports are not 8161. They're the mapped ports 38161, 48161, & 58161.

So when I log in to the management console, I get:

    Operation unknown failed due to: java.lang.Exception : Origin http://10.0.20.2:58161 is not allowed to call this agent
    Uncaught TypeError: Cannot read property 'apply' of undefined (http://10.0.20.2:58161/console/app/app.js:16:14127)
    Uncaught TypeError: Cannot read property 'apply' of undefined (http://10.0.20.2:58161/console/app/app.js:16:14127)
    ...

Solution

  • I believe the problem here is that your jolokia-access.xml is using this:

    <allow-origin>*://0.0.0.0*</allow-origin>
    

    However, you're attempting to access the console via http://10.0.20.2:58161 which isn't allowed based on your jolokia-access.xml. Therefore you need to change the jolokia-access.xml to allow the IP:port you're actually going to use to connect.

    You can read more about the jolokia-access.xml in the Jolokia security documentation.

    For clarity's sake, the meta-address 0.0.0.0 is basically the "no particular address" placeholder and in the context of binding a listener to a network interface it means the listener should bind/listen to all interfaces. However, in the context of <allow-origin> for Jolokia security it doesn't mean allow all origins. The <allow-origin> supports literal matches and wild-cards (as noted in the documentation linked above). Therefore, if 0.0.0.0 is specified it attempts to literally match 0.0.0.0. There is no way to disable Jolokia security from the create command. If you were to pass something like --http-host 10.0.20.* to the create command then 10.0.20.* would be used to bind the webserver in bootstrap.xml which would fail.

    There is the option of using --relax-jolokia which will disable strict checking which may help your use-case.
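
An added example, not part of the original answer or of Artemis/Jolokia code: a small pre-deployment check that reads the `<allow-origin>` entries from a jolokia-access.xml and reports which of them match the origin the browser will actually send. It assumes the literal-plus-`*`-wildcard matching described above (case-insensitive, `*` matching any run of characters); the `policy` helper, the `EXACT` and `LOOSE` variants and the `10.0.20.20` neighbour address are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

def policy(*origins):
    """Build a constructed jolokia-access.xml holding the given <allow-origin> values."""
    items = "".join(f"<allow-origin>{o}</allow-origin>" for o in origins)
    return f"<restrict><cors>{items}<strict-checking/></cors></restrict>"

GENERATED = policy("*://0.0.0.0*")        # value shown in the question
EXACT = policy("http://10.0.20.2:58161")  # the origin named in the error message
LOOSE = policy("*://10.0.20.2*")          # constructed: generated shape with the real IP

def allow_origin_patterns(policy_xml):
    """Return the text of every <allow-origin> under <cors>."""
    root = ET.fromstring(policy_xml)
    return [el.text.strip() for el in root.iterfind("./cors/allow-origin") if el.text]

def to_regex(pattern):
    # Assumed semantics: everything is literal except '*', which matches any characters.
    literal_parts = (re.escape(part) for part in pattern.lower().split("*"))
    return re.compile(".*".join(literal_parts))

def matching_patterns(policy_xml, origin):
    """List the <allow-origin> patterns that match the given Origin header value."""
    return [p for p in allow_origin_patterns(policy_xml)
            if to_regex(p).fullmatch(origin.lower())]

if __name__ == "__main__":
    console = "http://10.0.20.2:58161"      # origin from the error message
    neighbour = "http://10.0.20.20:58161"   # constructed: a different host
    for name, xml_text in (("generated", GENERATED), ("exact", EXACT), ("loose", LOOSE)):
        for origin in (console, neighbour):
            hits = matching_patterns(xml_text, origin)
            verdict = "allowed by " + hits[0] if hits else "no pattern matches"
            print(f"{name:9} {origin:26} -> {verdict}")
```

The generated pattern matches only origins that literally contain `0.0.0.0`, which is why the mapped port is rejected. The trailing-wildcard variant also admits the neighbouring host, so listing the exact origin per environment is the tighter setting.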