James,

The TGT is scoped to the CAS server and is only used by CAS. Are you using certificates (https)? If they are self-signed, they will have to be added to all nginx configs. Back-channel communication (like ticket validation) is done over https and both sides need to know about the other's certificates. Multiple domain names are fine under CAS; it does not care where the service is located, only that it is registered and that it can communicate. Proxying is done when the user logs into service A and A needs to get data from service B.

Ray

On Thu, 2018-08-02 at 17:59 -0700, James Q wrote:

Hi Ray,

Thank you for your patient reply. I think I know why. When App and CAS are under the same proxy (same domain name), they have the same TGT, and CAS can validate it. But when using three nginxes, they are under different domain names. So I think it's a cross-domain SSO. As you said: http://proxy_server/app was not registered as a service in CAS. Multiple domain names should be the proxy web flow diagram, not the usual web flow diagram. https://apereo.github.io/cas/5.3.x/protocol/CAS-Protocol.html#proxy-web-flow-diagram

I will try it out, thank you very much.

Thanks.
James.

On Friday, August 3, 2018 at 12:38:23 AM UTC+8, rbon wrote:

James,

I meant that http://proxy_server/app was not registered as a service in CAS but the tomcat server was, http://localhost:8080/app. Your ports should not be exposed but hidden within the nginx config.

Ray

On Thu, 2018-08-02 at 05:11 -0700, James Q wrote:

Ray,

I use one nginx to proxy app and cas as you reminded and it works. But this exposes the ports of the app and cas server. Still don't know why 3 nginx don't work out...... What do you mean proxy_server/app is not part of SSO?

Thanks.
James.

On Thursday, August 2, 2018 at 12:06:02 AM UTC+8, rbon wrote:

James,

It looks like proxy_server/app is not part of SSO. What does your service definition(s) look like? Unless you have a need to have each tomcat fronted by its own nginx, you could simplify and have one nginx (instead of 3). In proxy_server's nginx, replace:

    proxy_pass http://cas_server/cas;

with:

    proxy_pass http://localhost:8080/app;

etc. I have not used the set_header options but do not think that is causing problems.

Ray

On Tue, 2018-07-31 at 19:03 -0700, James Q wrote:

Hello Ray,

Yes, each nginx has a different configuration.

app_server's nginx conf:

    location /app {
        proxy_pass http://localhost:8080/app;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

cas_server's nginx conf:

    location /cas {
        proxy_pass http://localhost:8080/cas;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

I think the web flow should be:

1. browse to login page http://localhost:8080/cas (http status 200)
2. input username and password
3. cas login success, and store TGC cookie on browser
4. redirect to http://localhost:8080/app (http status 302), the header is
   Request URL: http://localhost:8080/app/
   Request Method: GET
   Status Code: 302
   Remote Address: [::1]:8080
   Referrer Policy: no-referrer-when-downgrade
5. app is the cas client, it should use TGC to cas validate the ticket.
6. app redirects to http://localhost:8080/cas/login?service=http://localhost:8080/app (http status 302)
7. cas makes a ST to client, http://localhost:8080/app/callback?ticket=ST-..... (http status 302)
8. cas validates ST successfully and app shows page. http://localhost:8080/app (http status 200)

The strange thing happened at step 6. On my desktop, I install cas and app on the same tomcat. I use chrome to trace. Step 6 is 302 (redirect and validate) and step 8 is http status 200 (show the app page); it is the right sequence. But after nginx proxy, step 6 is 200 (show the login page again), the sequence stopped, and didn't have step 7 and step 8. I watch the chrome network; the step 4 header is
   Request URL: http://proxy_server/app/
   Request Method: GET
   Status Code: 302 Found
   Remote Address: X.X.X.X:80
   Referrer Policy: no-referrer-when-downgrade

The step 4 difference is: localhost status code is "302", but proxy_server status code is "302 Found", then the next step 6 is the wrong sequence. I don't know what the difference is between "302" and "302 Found" and didn't search it out. So how to config nginx to fix this?

Thanks.

On Tuesday, July 31, 2018 at 11:45:59 PM UTC+8, rbon wrote:

James,

If you have three nginx, then each one should have a different configuration. It should only be concerned with one application. The redirecting to login will be handled by the cas client, one on proxy server and one on app server.

Ray

On Mon, 2018-07-30 at 22:42 -0700, James Q wrote:

Hello,

I configured an app to the cas successfully. I configure cas.view.defaultRedirectUrl=http://localhost:8080/app

1. login url: http://localhost:8080/cas/login
2. input username and password
3. redirect to http://localhost:8080/app

It works well on the same tomcat. Then I separated into 3 servers: proxy_server, app_server and cas_server. Each server has nginx installed.

1. proxy_server's nginx proxies app_server's and cas_server's nginx
2. app_server's nginx proxies app
3. cas_server's nginx proxies cas

Each nginx conf is all the same, like this:

proxy_server's nginx conf:

    location /cas {
        proxy_pass http://cas_server/cas;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /app {
        proxy_pass http://app_server/app;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

Steps:

1. login url: http://proxy_server/cas
2. input username and password
3. redirect http://proxy_server/cas?service=http://proxy_server/app
   This was wrong. It still needs the username and password input.
4. but after inputting username and password again, it redirects to http://proxy_server/app

Question:

1. After logging in successfully, it should redirect into http://proxy_server/app
2. But it redirects to the login page again.

How to config nginx? I searched https://groups.google.com/forum/#!topic/jasig-cas-user/44vNM24X110 It doesn't work. And I searched that it should add the ngx_headers_more module to nginx for location? Any ideas?

Thanks.

-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1533312696.2860.75.camel%40uvic.ca.
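The single-nginx layout Ray recommends, written out as an added example (this config is not from the thread, from Ray, or from the CAS project). It assumes one public hostname, sso.example.com, with CAS and the app both deployed on a Tomcat at localhost:8080 behind the same nginx; the certificate paths are placeholders. The point it makes is the one the thread circles around: the browser's TGC cookie is set for the host and path of the CAS login URL it actually visited, and CAS only issues tickets to a service URL that is registered, so every hop has to present the same public host and scheme to Tomcat. Tomcat's backend ports stay unexposed, and the public entry point is https only, so the TGC and service tickets never travel in the clear. (The "302" versus "302 Found" difference James noticed is only the reason phrase on the status line, which nginx sends and recent Tomcat versions omit; clients ignore it, so it is not the cause of the loop.)

```nginx
# Added example, not part of the mailing-list thread.
# Assumptions: public name sso.example.com; CAS at /cas and the app at /app
# on one Tomcat listening on 127.0.0.1:8080; TLS terminated in nginx.

server {
    listen 80;
    server_name sso.example.com;
    # Never serve the login flow over plain http: the TGC would be exposed.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name sso.example.com;

    # Placeholder paths: replace with the real certificate and key.
    ssl_certificate     /etc/nginx/certs/PLACEHOLDER-fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/PLACEHOLDER-privkey.pem;

    # Headers are declared once at server level and inherited by each
    # location below (a location that sets its own proxy_set_header would
    # inherit none of these). Host and X-Forwarded-Proto/Port let Tomcat
    # build redirects and cookies for https://sso.example.com rather than
    # for http://127.0.0.1:8080, which is the mismatch that sends the
    # browser back to the login page.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port  $server_port;

    # CAS server: the TGC cookie is issued for this host and the /cas path.
    location /cas/ {
        proxy_pass http://127.0.0.1:8080/cas/;
    }

    # CAS client application: its public URL is what must be registered
    # as a service in CAS, not the Tomcat URL behind the proxy.
    location /app/ {
        proxy_pass http://127.0.0.1:8080/app/;
    }
}
```

Two things outside nginx have to agree with this config, both stated here as assumptions to verify against your CAS version. First, the service registry entry for the app must match the public URL the browser sees, for example a RegexRegisteredService whose serviceId matches `^https://sso\.example\.com/app.*`; an entry for http://localhost:8080/app will never match a ticket request for https://sso.example.com/app, which is exactly the "not registered as a service" condition Ray describes. Second, Tomcat must be told to trust the X-Forwarded-* headers (RemoteIpValve, or the Spring Boot forward-headers property, `server.use-forward-headers=true` in Spring Boot 1.x), otherwise it will still generate http:// redirects and a non-secure cookie even though the client connected over https.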