You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Jorge Infante Osorio <jo...@uci.cu> on 2011/04/04 23:28:27 UTC
RE: reverse proxy with SSO using CAS.
Hi Mark.
-----Mensaje original-----
De: Mark Thomas [mailto:markt@apache.org]
Enviado el: viernes, 25 de marzo de 2011 12:57
Para: Tomcat Users List
Asunto: Re: reverse proxy with SSO using CAS.
On 25/03/2011 16:35, Jorge Infante Osorio wrote:
> I have an issue in reverse proxy with apache, tomcat and SSO using CAS.
>
> The problem is that my reverse proxy work just fine when I use an
> Apache Server as the reverse proxy with two back-end tomcats.
>
> But when the I include SSO with CAS to authenticate the user with
> access to the tomcat servers the internal redirections are missing to
> the users that use the reverse proxy and I don´t know why.
>
> Can anyone have any idea on this?
Does the reverse proxy modify the URL in anyway? If so how?
Mark
This is my reverse proxy configuration:
**************************************
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module /usr/lib/apache2/modules/mod_proxy_html.so
LoadModule xml2enc_module /usr/lib/apache2/modules/mod_xml2enc.so
ProxyRequests off
# the CAS server
ProxyPass /cas-web/ http://casaf.uci.cu:8079/cas-web/
#ProxyPass /cas-web/ https://casaf.uci.cu:8443/cas-web/
#phpCAS client
ProxyPass /cascliente/ http://casaf.uci.cu:80/cascliente/
#Liferay server
ProxyPass / http://casaf.uci.cu:8080/
ProxyPassReverse /cascliente/ http://casaf.uci.cu:80/cascliente/
ProxyPassReverse /cas-web/ http://casaf.uci.cu:8079/cas-web/
#ProxyPassReverse /cas-web/ https://casaf.uci.cu:8443/cas-web/
ProxyPassReverse / http://casaf.uci.cu:8080/
ProxyPassReverseCookiePath /cas-web/ http://casaf.uci.cu:8079/cas-web/
ProxyHTMLEnable On
ProxyHTMLURLMap http://casaf.uci.cu:8079/cas-web /cas-web
#ProxyHTMLURLMap https://casaf.uci.cu:8443/cas-web /cas-web
ProxyHTMLURLMap http://casaf.uci.cu:8080/ /
ProxyHTMLURLMap http://casaf.uci.cu:80/cascliente /cascliente
**************************************
The reverse proxy don´t change the URL.
In this moment I have two problem:
1. Pass the cookie in the navigator from and application to another. I used
ProxyPassReverseCookiePath with not success.
2. Use the CAS server with https. I don´t know how configure the proxy
server to do that.
Thanks.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: reverse proxy with SSO using CAS.
Posted by Jorge Infante Osorio <jo...@uci.cu>.
Hi Mark.
-----Mensaje original-----
De: Mark Thomas [mailto:markt@apache.org]
Enviado el: martes, 05 de abril de 2011 6:08
Para: Tomcat Users List
Asunto: Re: reverse proxy with SSO using CAS.
On 04/04/2011 22:28, Jorge Infante Osorio wrote:
> Hi Mark.
>
> -----Mensaje original-----
> De: Mark Thomas [mailto:markt@apache.org] Enviado el: viernes, 25 de
> marzo de 2011 12:57
> Para: Tomcat Users List
> Asunto: Re: reverse proxy with SSO using CAS.
>
> On 25/03/2011 16:35, Jorge Infante Osorio wrote:
>> I have an issue in reverse proxy with apache, tomcat and SSO using CAS.
>>
>> The problem is that my reverse proxy work just fine when I use an
>> Apache Server as the reverse proxy with two back-end tomcats.
>>
>> But when the I include SSO with CAS to authenticate the user with
>> access to the tomcat servers the internal redirections are missing to
>> the users that use the reverse proxy and I don´t know why.
>>
>> Can anyone have any idea on this?
>
> Does the reverse proxy modify the URL in anyway? If so how?
>
> Mark
>
>
> This is my reverse proxy configuration:
> **************************************
I removed the commented out lines for clarity.
> LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
> LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
> LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
>
> LoadFile /usr/lib/libxml2.so
> LoadModule proxy_html_module /usr/lib/apache2/modules/mod_proxy_html.so
> LoadModule xml2enc_module /usr/lib/apache2/modules/mod_xml2enc.so
>
> ProxyRequests off
>
> # the CAS server
> ProxyPass /cas-web/ http://casaf.uci.cu:8079/cas-web/
>
> #phpCAS client
> ProxyPass /cascliente/ http://casaf.uci.cu:80/cascliente/
> #Liferay server
> ProxyPass / http://casaf.uci.cu:8080/
>
> ProxyPassReverse /cascliente/ http://casaf.uci.cu:80/cascliente/
> ProxyPassReverse /cas-web/ http://casaf.uci.cu:8079/cas-web/
> ProxyPassReverse / http://casaf.uci.cu:8080/
I usually place the ProxyPassReverse line directly below the ProxyPass line
so I can check the two match.
> ProxyPassReverseCookiePath /cas-web/
> http://casaf.uci.cu:8079/cas-web/
This is wrong. It should only contain paths. It should probably be:
ProxyPassReverseCookiePath /cas-web /
> ProxyHTMLEnable On
I always use mod_substitute since that is distributed with httpd.
> ProxyHTMLURLMap http://casaf.uci.cu:8079/cas-web /cas-web
> ProxyHTMLURLMap http://casaf.uci.cu:8080/ /
> ProxyHTMLURLMap http://casaf.uci.cu:80/cascliente /cascliente
Those don't look right to me. I'd expect something like:
ProxyHTMLURLMap http://casaf.uci.cu:8079 http://<httpdhostname>
ProxyHTMLURLMap http://casaf.uci.cu:8080 http://<httpdhostname>
ProxyHTMLURLMap http://casaf.uci.cu http://<httpdhostname>
> The reverse proxy don´t change the URL.
> In this moment I have two problem:
> 1. Pass the cookie in the navigator from and application to another.
> I used ProxyPassReverseCookiePath with not success.
You are looking in the right place. CAS uses both cookies and it also embeds
URLs in login pages and if running behind a reverse proxy these can need
tweaking. Since you aren't changing the URL paths the changes should be
minimal (the ports may need tweaking). Also check the CAS configuration for
URLs that need to be tweaked.
Work you way through the login process monitoring each request and response
with LiveHttpHeaders or Fiddler etc. Check the headers and request/response
bodies and fix one stage before you move on to the next.
> 2. Use the CAS server with https. I don´t know how configure the proxy
> server to do that.
Get CAS working first and worry about this later.
Finally I have CAS working thank to your advices.
Now I need to configure CAS into the reverse proxy with https, to provide
SSO, and receive some errors, for example:
Serverproxy is my reverse proxy.
192.168.231.1:8443 is my CAS server
[Sun Apr 17 13:20:25 2011] [error] [client 192.168.231.1] SSL Proxy
requested for serverproxy:443 but not enabled [Hint: SSLProxyEngine]
[Sun Apr 17 13:20:25 2011] [error] proxy: HTTPS: failed to enable ssl
support for 192.168.231.1:8443 (casaf.uci.cu)
I can access with https in the reverse proxy to the others non-https server
in my configuration but CAS.
Jorge.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: reverse proxy with SSO using CAS.
Posted by Mark Thomas <ma...@apache.org>.
On 04/04/2011 22:28, Jorge Infante Osorio wrote:
> Hi Mark.
>
> -----Mensaje original-----
> De: Mark Thomas [mailto:markt@apache.org]
> Enviado el: viernes, 25 de marzo de 2011 12:57
> Para: Tomcat Users List
> Asunto: Re: reverse proxy with SSO using CAS.
>
> On 25/03/2011 16:35, Jorge Infante Osorio wrote:
>> I have an issue in reverse proxy with apache, tomcat and SSO using CAS.
>>
>> The problem is that my reverse proxy work just fine when I use an
>> Apache Server as the reverse proxy with two back-end tomcats.
>>
>> But when the I include SSO with CAS to authenticate the user with
>> access to the tomcat servers the internal redirections are missing to
>> the users that use the reverse proxy and I don´t know why.
>>
>> Can anyone have any idea on this?
>
> Does the reverse proxy modify the URL in anyway? If so how?
>
> Mark
>
>
> This is my reverse proxy configuration:
> **************************************
I removed the commented out lines for clarity.
> LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
> LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
> LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
>
> LoadFile /usr/lib/libxml2.so
> LoadModule proxy_html_module /usr/lib/apache2/modules/mod_proxy_html.so
> LoadModule xml2enc_module /usr/lib/apache2/modules/mod_xml2enc.so
>
> ProxyRequests off
>
> # the CAS server
> ProxyPass /cas-web/ http://casaf.uci.cu:8079/cas-web/
>
> #phpCAS client
> ProxyPass /cascliente/ http://casaf.uci.cu:80/cascliente/
> #Liferay server
> ProxyPass / http://casaf.uci.cu:8080/
>
> ProxyPassReverse /cascliente/ http://casaf.uci.cu:80/cascliente/
> ProxyPassReverse /cas-web/ http://casaf.uci.cu:8079/cas-web/
> ProxyPassReverse / http://casaf.uci.cu:8080/
I usually place the ProxyPassReverse line directly below the ProxyPass
line so I can check the two match.
> ProxyPassReverseCookiePath /cas-web/ http://casaf.uci.cu:8079/cas-web/
This is wrong. It should only contain paths. It should probably be:
ProxyPassReverseCookiePath /cas-web /
> ProxyHTMLEnable On
I always use mod_substitute since that is distributed with httpd.
> ProxyHTMLURLMap http://casaf.uci.cu:8079/cas-web /cas-web
> ProxyHTMLURLMap http://casaf.uci.cu:8080/ /
> ProxyHTMLURLMap http://casaf.uci.cu:80/cascliente /cascliente
Those don't look right to me. I'd expect something like:
ProxyHTMLURLMap http://casaf.uci.cu:8079 http://<httpdhostname>
ProxyHTMLURLMap http://casaf.uci.cu:8080 http://<httpdhostname>
ProxyHTMLURLMap http://casaf.uci.cu http://<httpdhostname>
> The reverse proxy don´t change the URL.
> In this moment I have two problem:
> 1. Pass the cookie in the navigator from and application to another. I used
> ProxyPassReverseCookiePath with not success.
You are looking in the right place. CAS uses both cookies and it also
embeds URLs in login pages and if running behind a reverse proxy these
can need tweaking. Since you aren't changing the URL paths the changes
should be minimal (the ports may need tweaking). Also check the CAS
configuration for URLs that need to be tweaked.
Work you way through the login process monitoring each request and
response with LiveHttpHeaders or Fiddler etc. Check the headers and
request/response bodies and fix one stage before you move on to the next.
> 2. Use the CAS server with https. I don´t know how configure the proxy
> server to do that.
Get CAS working first and worry about this later.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org