Re: [cas-dev] possible issue with CAS-991 when offloading SSL to an LTM

Mon, 08 Aug 2011 22:12:11 -0700 

Bill,

you can either set:

SimulateHttps On

which is kind of dirty imho ;) or you can do:

<IfModule env_module>
  # Fake SSL if Loadbalancer does SSL-Offload
  SetEnvIf Front-End-Https "^on$" HTTPS=on
</IfModule>
which interprets the Header set by the balancer. Or if you are using mod_jk in any way you could probably use: 

JkHTTPSIndicator Front-End-Https
Another more advanced technique would be to would be to write some rules for you loadbalancer that set all the different Headers just like mod_ajp mod_jk do in a "normal" apache and tomcat setup. Then you can get things like a client cert info transmitted to the backend server. 

Regards,

Joachim




Am 09.08.2011 03:52, schrieb Scott Battaglia:

If you're offloading SSL to the load balancer, and using Apache, you
need to pass the appropriate parameter to Tomcat.

You should have had to do that regardless, or I believe the cookie would
not have been set correctly.

Apologies, but I can't remember the flag off the top of my head.
  Perhaps a more experienced Apache admin will remember it.


On Mon, Aug 8, 2011 at 9:45 PM, William G. Thompson, Jr.
<[email protected] <mailto:[email protected]>> wrote:

    Folks,

    I've been working on a 3.4.8 Maven Overlay build that I'm deploying to
    RHEL/Tomcat/Apache running in the clear on 80, but on a private
    network behind an F5 LTM doing SSL and load-balancing.  I did the
    3.4.9 upgrade today and now I'm getting the CAS-991 messaging that I'm
    "accessing CAS over a non-secure connection...SSO won't work, etc".

    However, I am accessing the site over https (via the LTM) and SSO is
    working just fine.  Is the messaging wrong or should SSO really not be
    working?

    Bill

    --
    You are currently subscribed to [email protected]
    <mailto:[email protected]> as: [email protected]
    <mailto:[email protected]>
    To unsubscribe, change settings or access archives, see
    http://www.ja-sig.org/wiki/display/JSG/cas-dev


--
You are currently subscribed [email protected]  
<mailto:[email protected]>  as: [email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev




--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to