tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jorge Infante Osorio" <>
Subject RE: reverse proxy with SSO using CAS.
Date Sun, 17 Apr 2011 22:35:42 GMT
Hi Mark.

-----Mensaje original-----
De: Mark Thomas [] 
Enviado el: martes, 05 de abril de 2011 6:08
Para: Tomcat Users List
Asunto: Re: reverse proxy with SSO using CAS.

On 04/04/2011 22:28, Jorge Infante Osorio wrote:
> Hi Mark.
> -----Mensaje original-----
> De: Mark Thomas [] Enviado el: viernes, 25 de 
> marzo de 2011 12:57
> Para: Tomcat Users List
> Asunto: Re: reverse proxy with SSO using CAS.
> On 25/03/2011 16:35, Jorge Infante Osorio wrote:
>> I have an issue in reverse proxy with apache, tomcat and SSO using CAS. 
>> The problem is that my reverse proxy work just fine when I use an 
>> Apache Server as the reverse proxy with two back-end tomcats.
>> But when the I include SSO with CAS to authenticate the user with 
>> access to the tomcat servers the internal redirections are missing to 
>> the users that use the reverse proxy and I don´t know why.
>> Can anyone have any idea on this?
> Does the reverse proxy modify the URL in anyway? If so how?
> Mark
> This is my reverse proxy configuration:
> **************************************

I removed the commented out lines for clarity.

> LoadModule proxy_module      /usr/lib/apache2/modules/
> LoadModule proxy_http_module /usr/lib/apache2/modules/
> LoadModule headers_module    /usr/lib/apache2/modules/
> LoadFile                     /usr/lib/
> LoadModule proxy_html_module /usr/lib/apache2/modules/
> LoadModule xml2enc_module    /usr/lib/apache2/modules/
> ProxyRequests off
> # the CAS server
> ProxyPass /cas-web/
> #phpCAS client
> ProxyPass /cascliente/
> #Liferay server
> ProxyPass /    
> ProxyPassReverse /cascliente/
> ProxyPassReverse /cas-web/
> ProxyPassReverse /    

I usually place the ProxyPassReverse line directly below the ProxyPass line
so I can check the two match.

> ProxyPassReverseCookiePath /cas-web/  

This is wrong. It should only contain paths. It should probably be:
ProxyPassReverseCookiePath /cas-web  /

> ProxyHTMLEnable On

I always use mod_substitute since that is distributed with httpd.

> ProxyHTMLURLMap    /cas-web
> ProxyHTMLURLMap           /
> ProxyHTMLURLMap      /cascliente

Those don't look right to me. I'd expect something like:
ProxyHTMLURLMap  http://<httpdhostname>
ProxyHTMLURLMap  http://<httpdhostname>
ProxyHTMLURLMap       http://<httpdhostname>

> The reverse proxy don´t change the URL.
> In this moment I have two problem:
> 1. Pass the cookie in the navigator from and application to another.  
> I used ProxyPassReverseCookiePath with not success.

You are looking in the right place. CAS uses both cookies and it also embeds
URLs in login pages and if running behind a reverse proxy these can need
tweaking. Since you aren't changing the URL paths the changes should be
minimal (the ports may need tweaking). Also check the CAS configuration for
URLs that need to be tweaked.

Work you way through the login process monitoring each request and response
with LiveHttpHeaders or Fiddler etc. Check the headers and request/response
bodies and fix one stage before you move on to the next.

> 2. Use the CAS server with https. I don´t know how configure the proxy 
> server to do that.

Get CAS working first and worry about this later.

Finally I have CAS working thank to your advices. 

Now I need to configure CAS into the reverse proxy with https, to provide
SSO,  and receive some errors, for example:
Serverproxy is my reverse proxy. is my CAS server

[Sun Apr 17 13:20:25 2011] [error] [client] SSL Proxy
requested for serverproxy:443 but not enabled [Hint: SSLProxyEngine]
[Sun Apr 17 13:20:25 2011] [error] proxy: HTTPS: failed to enable ssl
support for (

I can access with https in the reverse proxy to the others non-https server
in my configuration but CAS.


To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message