Hello Ray,

Oh~, thank you.

I'm not using certificates now.
I will try it.

Thank you again.

James

On Saturday, August 4, 2018 at 12:11:44 AM UTC+8, rbon wrote:
>
> James,
>
> The TGT is scoped to the CAS server and is only used by CAS. Are you using 
> certificates (https)? If they are self signed, they will have to be added 
> to all nginx configs.
> Back channel communication (like ticket validation) is done over https and 
> both sides need to know about the other's certificates.
> Multiple domain names are fine under CAS, it does not care where the 
> service is located, only that it is registered and that it can communicate.
> Proxying is done when the user logs into service A and A needs to get data 
> from service B.
>
> Ray
>
> On Thu, 2018-08-02 at 17:59 -0700, James Q wrote:
>
> Hi Ray, 
>
> Thank you for your patient reply.
>
> I think I know why.
> When the app and CAS are under the same proxy (same domain name), they have 
> the same TGT, and CAS can validate it.
> But when using three nginxes, they are under different domain names.
>
> So I think it's a cross-domain SSO.
> As you said: http://proxy_server/app was not registered as a service in 
> CAS.
>
> Multiple domain names should follow the proxy web flow diagram, not the 
> usual web flow diagram.
>
> https://apereo.github.io/cas/5.3.x/protocol/CAS-Protocol.html#proxy-web-flow-diagram
>
> I will try it out, thank you very much.
>
> Thanks.
> James.
>
> On Friday, August 3, 2018 at 12:38:23 AM UTC+8, rbon wrote: 
>
> James,
>
> I meant that http://proxy_server/app was not registered as a service in 
> CAS but the tomcat server was, http://localhost:8080/app.
>
> Your ports should not be exposed but hidden within nginx config.
>
> Ray
>
> On Thu, 2018-08-02 at 05:11 -0700, James Q wrote:
>
> Ray, 
>
> I used one nginx to proxy app and cas as you suggested, and it works.
>
> But this exposes the ports of the app and cas servers.
> I still don't know why 3 nginx don't work out...
>
> What do you mean by "proxy_server/app is not part of SSO"?
>
> Thanks.
> James.
>
> On Thursday, August 2, 2018 at 12:06:02 AM UTC+8, rbon wrote: 
>
> James,
>
> It looks like proxy_server/app is not part of SSO. What does your service 
> definition(s) look like?
>
> Unless you have a need to have each tomcat fronted by its own nginx, you 
> could simplify and have one nginx (instead of 3). 
> In proxy_server's nginx, replace:
> proxy_pass  http://cas_server/cas;
> with:
> proxy_pass  http://localhost:8080/app;
> etc.
>
> I have not used the set_header options but do not think that is causing 
> problems.
>
> Ray
>
> On Tue, 2018-07-31 at 19:03 -0700, James Q wrote:
>
> Hello Ray, 
>
> Yes, each nginx has a different configuration.
>
> app_server's nginx conf:
>
>     location /app {
>         proxy_pass  http://localhost:8080/app;
>         proxy_set_header   Host             $host;
>         proxy_set_header   X-Real-IP        $remote_addr;
>         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
>     }
>
> cas_server's nginx conf:
>
>     location /cas {
>         proxy_pass  http://localhost:8080/cas;
>         proxy_set_header   Host             $host;
>         proxy_set_header   X-Real-IP        $remote_addr;
>         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
>     }
>
> I think the web flow should be:
>
> 1. browse to login page http://localhost:8080/cas (http status 200)
> 2. input username and password
> 3. cas login succeeds, and stores the TGC cookie in the browser
> 4. redirect to http://localhost:8080/app (http status 302); the header is
>
>    1. Request URL: http://localhost:8080/app/
>    2. Request Method: GET
>    3. Status Code: 302
>    4. Remote Address: [::1]:8080
>    5. Referrer Policy: no-referrer-when-downgrade
>    
> 5. app is the cas client; it should use the TGC to validate the ticket with cas.
> 6. app redirects to 
> http://localhost:8080/cas/login?service=http://localhost:8080/app (http 
> status 302)
> 7. cas makes an ST for the client, 
> http://localhost:8080/app/callback?ticket=ST-..... (http status 302)
> 8. cas validates the ST successfully and app shows its page, 
> http://localhost:8080/app (http status 200)
>
> The strange thing happens at step 6.
> On my desktop, I installed cas and app on the same tomcat. I use chrome to 
> trace.
> Step 6 is 302 (redirect and validate) and step 8 is http status 200 (show 
> the app page); it is the right sequence.
>
> But behind the nginx proxy, step 6 is 200 (shows the login page again), the 
> sequence stops, and steps 7 and 8 never happen.
> In the chrome network tab, the step 4 header is
>
>    1. Request URL: http://proxy_server/app/
>    2. Request Method: GET
>    3. Status Code: 302 Found
>    4. Remote Address: X.X.X.X:80
>    5. Referrer Policy: no-referrer-when-downgrade
>    
> The step 4 difference is:
> the localhost status code is "302", but the proxy_server status code is "302 
> Found", and then step 6 is the wrong sequence.
> I don't know what the difference between "302" and "302 Found" is and 
> couldn't find it.
>
> So how do I configure nginx to fix this?
>
> Thanks.
>
> On Tuesday, July 31, 2018 at 11:45:59 PM UTC+8, rbon wrote: 
>
> James,
>
> If you have three nginx, then each one should have a different 
> configuration. It should only be concerned with one application.
> The redirecting to login will be handled by cas client, one on proxy 
> server and one on app server.
>
> Ray
>
> On Mon, 2018-07-30 at 22:42 -0700, James Q wrote:
>
> Hello, 
>
> I configured an app with cas successfully.
> I configured cas.view.defaultRedirectUrl=http://localhost:8080/app
>
> 1. login url: http://localhost:8080/cas/login
> 2. input username and password
> 3. redirect to http://localhost:8080/app
> It works well on the same tomcat.
>
> Then I separated it into 3 servers: proxy_server, app_server and cas_server. 
> nginx was installed on each server.
>
> 1. proxy_server's nginx proxies app_server's and cas_server's nginx
> 2. app_server's nginx proxies app
> 3. cas_server's nginx proxies cas
>
> Each nginx conf is the same, like this:
> proxy_server's nginx conf
>
>     location /cas {
>         proxy_pass  http://cas_server/cas;
>         proxy_set_header   Host             $host;
>         proxy_set_header   X-Real-IP        $remote_addr;
>         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
>     }
>
>     location /app {
>         proxy_pass  http://app_server/app;
>         proxy_set_header   Host             $host;
>         proxy_set_header   X-Real-IP        $remote_addr;
>         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
>     }
>
> Steps:
> 1. login url: http://proxy_server/cas
> 2. input username and password
> 3. redirect to http://proxy_server/cas?service=http://proxy_server/app
> This was wrong: it still asks for username and password.
>
> 4. but after inputting username and password again, it redirects to 
> http://proxy_server/app
>
> Question:
> 1. After logging in successfully, it should redirect to 
> http://proxy_server/app
> 2. But it redirects to the login page again. 
>
> How to configure nginx?
> I searched 
> https://groups.google.com/forum/#!topic/jasig-cas-user/44vNM24X110
> It doesn't work.
>
> And I found that the ngx_headers_more module should be added to nginx for location?
> Any ideas?
>
> Thanks.
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
>

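The point Ray makes in the thread (CAS only issues a service ticket for a `service` URL that matches the registry, the ticket is bound to that exact URL, and the app must validate it with the same URL) can be modelled in a few lines. The script below is an added example, not code from this thread or from the CAS project: `CasServer`, `sso_flow`, the registry patterns and the `proxy_server` URLs are all constructed for the demonstration, and the status codes are the model's own simplification of CAS's responses.

```python
"""Toy model of the CAS service registry and service-ticket (ST) validation.

Added example; not code from this thread or from the CAS project. Registry
patterns, URLs and status codes are constructed for the demonstration.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode


@dataclass
class CasServer:
    registry: list                                # regexes of allowed service URLs
    tickets: dict = field(default_factory=dict)   # ST -> service URL it was issued for
    sessions: set = field(default_factory=set)    # TGC values with a live SSO session

    def new_session(self) -> str:
        """Model a successful username/password login: CAS sets a TGC cookie."""
        tgc = "TGC-" + secrets.token_hex(8)
        self.sessions.add(tgc)
        return tgc

    def is_registered(self, service: str) -> bool:
        return any(re.fullmatch(pattern, service) for pattern in self.registry)

    def login(self, service: str, tgc: Optional[str]) -> dict:
        """Model GET /cas/login?service=... arriving from the browser."""
        if not self.is_registered(service):
            # no ticket for a service that is not in the registry
            return {"status": 403, "body": "service not authorized", "ticket": None}
        if tgc not in self.sessions:
            # no SSO session yet: show the login form (the step 6 the thread observed)
            return {"status": 200, "body": "login form", "ticket": None}
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = service                # the ST is bound to this exact URL
        location = f"{service}?{urlencode({'ticket': st})}"
        return {"status": 302, "location": location, "ticket": st}

    def service_validate(self, ticket: str, service: str) -> dict:
        """Model the app's back-channel GET /cas/serviceValidate?ticket=...&service=..."""
        issued_for = self.tickets.pop(ticket, None)   # an ST can be used only once
        if issued_for is None:
            return {"ok": False, "code": "INVALID_TICKET"}
        if issued_for != service:
            return {"ok": False, "code": "INVALID_SERVICE"}
        return {"ok": True, "user": "james"}


def sso_flow(cas: CasServer, browser_url: str, tgc: Optional[str]) -> dict:
    """Steps 5-8 from the thread: the app sends the browser to CAS with the URL the
    user actually hit as `service`, CAS redirects back with an ST, and the app
    validates it. Behind a reverse proxy, `browser_url` is the proxy URL
    (http://proxy_server/app), never the tomcat address hidden behind nginx."""
    service = browser_url
    resp = cas.login(service, tgc)
    if resp["ticket"] is None:
        return {"logged_in": False, "cas_status": resp["status"], "detail": resp["body"]}
    # the app receives .../app?ticket=ST-..., strips the ticket and validates it
    result = cas.service_validate(resp["ticket"], service)
    detail = result["user"] if result["ok"] else result["code"]
    return {"logged_in": result["ok"], "cas_status": resp["status"], "detail": detail}


if __name__ == "__main__":
    # Registered under the backend address only, as in the thread: the proxy URL is refused.
    wrong = CasServer(registry=[r"http://localhost:8080/app.*"])
    print(sso_flow(wrong, "http://proxy_server/app", wrong.new_session()))
    # Registered under the URL the browser actually uses: the flow completes.
    right = CasServer(registry=[r"http://proxy_server/app.*"])
    print(sso_flow(right, "http://proxy_server/app", right.new_session()))
```

The two runs at the bottom contrast the thread's broken layout (service registered as `http://localhost:8080/app`, browser arriving via `http://proxy_server/app`) with the working one; `service_validate` also shows why the back-channel request must carry the same `service` value the browser used, and why a replayed ticket is rejected.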
-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7f0bc547-ab47-4568-bbd1-8271ae770889%40apereo.org.