Hello Ray,

I configured SSL on nginx. It works for multiple domains.
Thank you for your help these days. You're awesome.

James

On Saturday, August 4, 2018 at 9:21:58 AM UTC+8, James Q wrote:
>
> Hello Ray,
>
> Oh~, thank you.
>
> I'm not using certificates now.
> I will try it.
>
> Thank you again.
>
> James
>
> On Saturday, August 4, 2018 at 12:11:44 AM UTC+8, rbon wrote:
>>
>> James,
>>
>> The TGT is scoped to the CAS server and is only used by CAS. Are you using certificates (https)? If they are self signed, they will have to be added to all nginx configs.
>> Back channel communication (like ticket validation) is done over https and both sides need to know about the other's certificates.
>> Multiple domain names are fine under CAS, it does not care where the service is located, only that it is registered and that it can communicate.
>> Proxying is done when the user logs into service A and A needs to get data from service B.
>>
>> Ray
>>
>> On Thu, 2018-08-02 at 17:59 -0700, James Q wrote:
>>
>> Hi Ray,
>>
>> Thank you for your patient reply.
>>
>> I think I know why.
>> When App and CAS are under the same proxy (same domain name), they have the same TGT, and CAS can validate it.
>> But when using three nginxs, they are under different domain names.
>>
>> So I think it's a cross domain SSO.
>> As you said: http://proxy_server/app was not registered as a service in CAS.
>>
>> Multiple domain names should follow the proxy web flow diagram, not the usual web flow diagram.
>>
>> https://apereo.github.io/cas/5.3.x/protocol/CAS-Protocol.html#proxy-web-flow-diagram
>>
>> I will try it out, thank you very much.
>>
>> Thanks.
>> James.
>>
>> On Friday, August 3, 2018 at 12:38:23 AM UTC+8, rbon wrote:
>>
>> James,
>>
>> I meant that http://proxy_server/app was not registered as a service in CAS but the tomcat server was, http://localhost:8080/app.
>>
>> Your ports should not be exposed but hidden within nginx config.
>>
>> Ray
>>
>> On Thu, 2018-08-02 at 05:11 -0700, James Q wrote:
>>
>> Ray,
>>
>> I use one nginx to proxy app and cas as you reminded and it works.
>>
>> But this exposes the ports of the app and cas server.
>> Still don't know why 3 nginx don't work out......
>>
>> What do you mean proxy_server/app is not part of SSO?
>>
>> Thanks.
>> James.
>>
>> On Thursday, August 2, 2018 at 12:06:02 AM UTC+8, rbon wrote:
>>
>> James,
>>
>> It looks like proxy_server/app is not part of SSO. What does your service definition(s) look like?
>>
>> Unless you have a need to have each tomcat fronted by its own nginx, you could simplify and have one nginx (instead of 3).
>> In proxy_server's nginx, replace:
>> proxy_pass http://cas_server/cas;
>> with:
>> proxy_pass http://localhost:8080/app;
>> etc.
>>
>> I have not used the set_header options but do not think that is causing problems.
>>
>> Ray
>>
>> On Tue, 2018-07-31 at 19:03 -0700, James Q wrote:
>>
>> Hello Ray,
>>
>> Yes, each nginx has a different configuration.
>>
>> app_server's nginx conf:
>>
>> location /app {
>>     proxy_pass http://localhost:8080/app;
>>     proxy_set_header Host $host;
>>     proxy_set_header X-Real-IP $remote_addr;
>>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> }
>>
>> cas_server's nginx conf:
>>
>> location /cas {
>>     proxy_pass http://localhost:8080/cas;
>>     proxy_set_header Host $host;
>>     proxy_set_header X-Real-IP $remote_addr;
>>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> }
>>
>> I think the web flow should be:
>>
>> 1. browse to login page http://localhost:8080/cas (http status 200)
>> 2. input username and password
>> 3. cas login success, and store TGC cookie on browser
>> 4. redirect to http://localhost:8080/app (http status 302), the header is
>>
>>    1. Request URL: http://localhost:8080/app/
>>    2. Request Method: GET
>>    3. Status Code: 302
>>    4. Remote Address: [::1]:8080
>>    5. Referrer Policy: no-referrer-when-downgrade
>>
>> 5. app is the cas client, it should use TGC to cas validate the ticket.
>> 6. app redirects to http://localhost:8080/cas/logn?service=http://localhost:8080/app (http status 302)
>> 7. cas makes a ST to client, http://localhost:8080/app/callback?ticket=ST-..... (http status 302)
>> 8. cas validates ST successfully and app shows page. http://localhost:8080/app (http status 200)
>>
>> The strange thing happened at step 6.
>> On my desktop, I install cas and app on the same tomcat. I use chrome to trace.
>> Step 6 is 302 (redirect and validate) and step 8 is http status 200 (show the app page), it is the right sequence.
>>
>> But after nginx proxy, step 6 is 200 (show the login page again), the sequence stopped, and didn't have step 7 and step 8.
>> I watched the chrome network; the step 4 header is
>>
>>    1. Request URL: http://proxy_server/app/
>>    2. Request Method: GET
>>    3. Status Code: 302 Found
>>    4. Remote Address: X.X.X.X:80
>>    5. Referrer Policy: no-referrer-when-downgrade
>>
>> The step 4 difference is:
>> localhost status code is "302", but proxy_server status code is "302 Found", then the next step 6 is the wrong sequence.
>> I don't know what the difference between "302" and "302 Found" is and didn't search it out.
>>
>> So how to config nginx to fix this?
>>
>> Thanks.
>>
>> On Tuesday, July 31, 2018 at 11:45:59 PM UTC+8, rbon wrote:
>>
>> James,
>>
>> If you have three nginx, then each one should have a different configuration. It should only be concerned with one application.
>> The redirecting to login will be handled by cas client, one on proxy server and one on app server.
>>
>> Ray
>>
>> On Mon, 2018-07-30 at 22:42 -0700, James Q wrote:
>>
>> Hello,
>>
>> I configured an app to the cas successfully.
>> I configured cas.view.defaultRedirectUrl=http://localhost:8080/app
>>
>> 1. login url: http://localhost:8080/cas/login
>> 2. input username and password
>> 3. redirect to http://localhost:8080/app
>> It works well on the same tomcat.
>>
>> Then I separate to 3 servers: proxy_server, app_server and cas_server.
>> Each server has nginx installed.
>>
>> 1. proxy_server's nginx proxies app_server's and cas_server's nginx
>> 2. app_server's nginx proxies app
>> 3. cas_server's nginx proxies cas
>>
>> Each nginx conf is the same, like this:
>> proxy_server's nginx conf
>>
>> location /cas {
>>     proxy_pass http://cas_server/cas;
>>     proxy_set_header Host $host;
>>     proxy_set_header X-Real-IP $remote_addr;
>>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> }
>>
>> location /app {
>>     proxy_pass http://app_server/app;
>>     proxy_set_header Host $host;
>>     proxy_set_header X-Real-IP $remote_addr;
>>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> }
>>
>> Step:
>> 1. login url: http://proxy_server/cas
>> 2. input username and password
>> 3. redirect http://proxy_server/cas?service=http://proxy_server/app
>> This was wrong. It still needs username and password input.
>>
>> 4. but after inputting username and password again, it redirects to http://proxy_server/app
>>
>> Question:
>> 1. After logging in successfully, it should redirect to http://proxy_server/app
>> 2. But it redirects to the login page again.
>>
>> How to config nginx?
>> I searched https://groups.google.com/forum/#!topic/jasig-cas-user/44vNM24X110
>> It doesn't work.
>>
>> And I searched that it should add the ngx_headers_more module to nginx for location?
>> Any ideas?
>>
>> Thanks.
>>
>> --
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | [email protected]
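As an added illustration of Ray's point that http://proxy_server/app was not a registered service (this is not code from the thread or from CAS itself), here is a small Python model of a CAS-style regex service registry, using a constructed registry excerpt: it shows why the localhost service URL gets a service ticket while the proxied URL falls back to the login page, and how an anchored entry for the public URL fixes it. The JSON-like entry shape follows the CAS JSON service registry; treating the serviceId regex as an unanchored search (hence the leading `^`) is my assumption about how CAS matches it.

```python
import re
from typing import List, Optional

# Constructed excerpt of a CAS-style JSON service registry. Only the tomcat
# (backend) URL is registered, which is the situation Ray describes above.
SERVICE_REGISTRY: List[dict] = [
    {
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": r"^http://localhost:8080/app(/.*)?$",
        "name": "app (tomcat backend URL)",
        "id": 1,
    },
]


def find_registered_service(service_url: str, registry: List[dict]) -> Optional[dict]:
    """Return the first entry whose serviceId regex matches the URL a CAS client
    sends in its login redirect (.../cas/login?service=<service_url>). Without a
    match CAS will not issue a service ticket (ST) for that URL."""
    for entry in registry:
        # Assumed to mirror CAS: a regex search, so patterns must be anchored.
        if re.search(entry["serviceId"], service_url):
            return entry
    return None


def diagnose_login_redirect(service_url: str, registry: List[dict]) -> str:
    """Describe what step 6 of James's trace looks like for a given service URL:
    an ST redirect when registered, the login page again when not."""
    entry = find_registered_service(service_url, registry)
    if entry is None:
        return f"{service_url}: not a registered service; login page shown again"
    return f"{service_url}: matched '{entry['name']}' (id {entry['id']}); ST issued"


def register_public_service(registry: List[dict], public_base_url: str, name: str) -> dict:
    """Add an entry for the URL the browser really uses (the nginx host), which is
    what the CAS client puts in 'service=' once it sits behind the proxy. The
    pattern is escaped and anchored so a look-alike host or path cannot match."""
    entry = {
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^" + re.escape(public_base_url) + r"(/.*)?$",
        "name": name,
        "id": max((e["id"] for e in registry), default=0) + 1,
    }
    registry.append(entry)
    return entry
```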
