This is currently how I have my CAS 5.2 install set up.  We use Apache as
the SSL handler because it is usually more up to date cipher-wise than
Tomcat.  The setup isn't too difficult; you just need to enable mod_proxy,
mod_proxy_html, rewrite, and ssl in Apache.  Then you want to create a
vhost like the one attached with your values plugged in.

After that you want to let Tomcat know that you're using a proxy by setting
up your connector like so in server.xml:

<Connector port="8080" protocol="org.apache.coyote.http11.Http11AprProtocol"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               server="Apache"
               address="127.0.0.1"
               maxThreads="150"
               proxyPort="443"
               proxyName="<your server fqdn here>"
               scheme="https"
               secure="true"/>

You also want to set up a valve for your proxy setup in server.xml.  Put
your server's IP in the regex for internalProxies:

<!-- Get client IP from proxy -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127\.0\.0\.1|10\.0\.0\.23"
               remoteIpHeader="x-forwarded-for"
               protocolHeader="x-forwarded-proto"
               requestAttributesEnabled="true"  />


That should get you off to a good start.  You may also want to default all
your traffic to SSL by creating a rewrite rule in the 000-default.conf file
for Apache.

--Mike K.

On Mon, Apr 16, 2018 at 9:26 PM, Lionel Samuel <lionel.samue...@gmail.com>
wrote:

> Hello All:
>
> Our University will be installing CAS, and are currently looking at
> installing CAS in Tomcat, and proxying connections via Apache HTTP (fall on
> same server).
>
> The rationale is that Tomcat is never directly exposed, so the proxying
> via Apache HTTP offers a measure of added cocooning.
>
> Has anyone done the same? We don't want to be trailblazers or
> over-engineer.
>
>
>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/c6997220-cc9a-4f6f-95a9-
> b2c39e942b60%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/c6997220-cc9a-4f6f-95a9-b2c39e942b60%40apereo.org?utm_medium=email&utm_source=footer>
> .
>

Attachment: default-ssl.vhost
Description: Binary data
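
The internalProxies regex in the valve above decides whose X-Forwarded-For header Tomcat believes. The following is an added example, not part of the original message and not Tomcat's own code: a simplified Python model of how RemoteIpValve picks the client address, using the regex from the message. The function name and the sample addresses (documentation ranges) are constructed for illustration, and trustedProxies handling is left out.

```python
import re

# Regex copied from the internalProxies attribute in the message above.
INTERNAL_PROXIES = re.compile(r"127\.0\.0\.1|10\.0\.0\.23")


def resolve_client_ip(peer_addr, xff_header, internal=INTERNAL_PROXIES):
    """Return (client_ip, remaining_xff) under this simplified model.

    peer_addr  -- address of the TCP peer that connected to Tomcat
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    # The header is honoured only when the direct peer is a listed proxy.
    # fullmatch requires the whole address to match, so "110.0.0.23" or
    # "10.0.0.230" are not mistaken for 10.0.0.23.
    if xff_header is None or not internal.fullmatch(peer_addr):
        return peer_addr, xff_header

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client_ip = None
    # Walk from the hop closest to Tomcat (rightmost) back toward the client.
    idx = len(hops) - 1
    while idx >= 0:
        hop = hops[idx]
        idx -= 1
        if internal.fullmatch(hop):
            continue      # one of our own proxies, keep walking
        client_ip = hop   # first address we do not operate ourselves
        break
    if client_ip is None:
        return peer_addr, None  # every hop was an internal proxy
    # Anything further left was supplied upstream and is not verified.
    remaining = ", ".join(hops[: idx + 1]) or None
    return client_ip, remaining


if __name__ == "__main__":
    # Constructed cases: (peer address, X-Forwarded-For as seen by Tomcat)
    samples = [
        ("127.0.0.1", "203.0.113.7"),           # normal request via Apache
        ("127.0.0.1", "1.2.3.4, 203.0.113.7"),  # client sent its own header
        ("198.51.100.9", "10.9.9.9"),           # peer is not a listed proxy
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff))
```

Because Apache appends the address it actually saw, the rightmost non-proxy entry is the one to log and rate-limit on; entries to its left are client-supplied.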
