I encountered this issue after setting SERVER_SSL_ENABLED to "false" and
SERVER_PORT to "8080".
This happened while using F5 and Kubernetes Ingress with Apereo CAS version
6.6.7.
I was able to solve the problem by adding the following line to the
application.properties file:
server.forward-headers-strategy=framework
Hope this helps someone!
On Thursday, November 9, 2023 at 08:51:14 UTC+3, Meysam Shirazi wrote:
> I did not test it myself because I'm not using embedded Tomcat; anyway,
> the main config was server.tomcat.redirect-context-root = false, and the
> /hweproxy
> was a sample config, so you should replace it with your context path.
> I think including the "/themes/**" pattern is the best way in this situation.
>
> On Wednesday, November 8, 2023 at 11:59:57 PM UTC+3:30 atilling wrote:
>
>> I know the F5 is sending x-forwarded-proto, x-forwarded-port,
>> x-forwarded-by, and x-forwarded-for
>>
>> I tried the setting you suggested from that case;
>> server.servlet.context-path = /hweproxy breaks the application
>> altogether, and the other settings seem to have no effect.
>>
>>
>> Looking at CasWebSecurityConfigurerAdapter in Git it looks like CAS 7 has
>> patterns.add("/themes/**"); but CAS 6.6.x does not. I'm thinking the only
>> fix is to add my
>> own org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter to my
>> overlay that includes the "/themes/**" pattern?
>>
>>
>>
>>
>> On Tuesday, November 7, 2023 at 10:25:45 PM UTC-5 Meysam Shirazi wrote:
>>
>>> For embedded Tomcat in Spring Boot it seems that Tomcat ignores the
>>> x-forward-* settings for the redirect, so you have to disable context
>>> path redirects. Based on this issue
>>> <https://github.com/spring-projects/spring-boot/issues/22908> (I didn't
>>> test it myself) you can use these settings:
>>> server.port = 8081
>>> server.servlet.context-path = /hweproxy
>>> server.forward-headers-strategy = native
>>> server.tomcat.redirect-context-root = false
>>>
>>> You can disable root redirect by
>>> mapperContextRootRedirectEnabled="false" on the context too
>>> <https://stackoverflow.com/questions/56430476/spring-boot-application-with-embedded-tomcat-behind-reverse-proxy-not-redirectin>
>>> .
>>> I used Nginx as a reverse proxy without any problem, but I can set the
>>> X-Forward-* headers in the proxy config; about F5 I don't know what
>>> happens there because I don't have any access to it! :))
>>>
>>>
>>> On Tuesday, November 7, 2023 at 9:16:12 PM UTC+3:30 atilling wrote:
>>>
>>>> We're using the embedded tomcat with the settings:
>>>>
>>>> server.port=8080
>>>> server.ssl.enabled=false
>>>> server.tomcat.remoteip.port-header=x-forwarded-port
>>>> server.tomcat.remoteip.protocol-header=x-forwarded-proto
>>>> server.tomcat.remoteip.remote-ip-header=x-forwarded-for
>>>>
>>>> Can I add those tomcat settings to the embedded tomcat?
>>>>
>>>> Our CSS is in /etc/cas/static/themes/ccmain
>>>>
>>>> and we have the setting for the path in cas.properties
>>>>
>>>> cas.theme.paramName=cc_main
>>>> cas.theme.defaultThemeName=cc_main
>>>> #externalize templates
>>>> spring.thymeleaf.prefix=file:/etc/cas/templates/
>>>> spring.web.resources.static-locations=classpath:/META-INF/resources/, \
>>>> classpath:/resources/,classpath:/static/, \
>>>> classpath:/public/,file:/etc/cas/templates/,file:/etc/cas/static/
>>>>
>>>> I do not understand why it works on 8080 but not on the F5 pulling 8080
>>>> to 443, what is triggering redirects when the traffic comes through the F5?
>>>>
>>>>
>>>> On Tuesday, November 7, 2023 at 7:18:04 AM UTC-5 Meysam Shirazi wrote:
>>>>
>>>>> As Ray said, it's because you use a custom theme and /themes/** is not
>>>>> defined in the list of endpoints excluded from web security, so Spring
>>>>> Security
>>>>> redirects the request to the secure channel, which means a redirect to port
>>>>> 8443 (the default port) that does not exist in your situation!
>>>>> I think there are multiple ways to deal with this:
>>>>>
>>>>> - adding /themes/** to the URL map in
>>>>> CasWebSecurityConfigurerAdapter to exclude/ignore it from web security
>>>>> - copying the static resources from /themes/custom to the static folder
>>>>> - and the best way, if you deploy CAS on Tomcat, is to tell Tomcat
>>>>> about the proxy:
>>>>>
>>>>> [image: tomcat_proxy.PNG]
>>>>>
>>>>> On Monday, November 6, 2023 at 9:22:15 PM UTC+3:30 atilling wrote:
>>>>>
>>>>>> VIP only connects external 443 to 8080 at the cas servers
>>>>>> We have the same config with our production cas 5.1.x servers and CSS
>>>>>> is displaying fine.
>>>>>>
>>>>>> On Friday, November 3, 2023 at 6:19:18 PM UTC-4 Ray Bon wrote:
>>>>>>
>>>>>>> I see /css/** in my startup but not /themes/**. That could be
>>>>>>> because we have no custom theme.
>>>>>>> Could it be a problem with a rewrite rule in VIP?
>>>>>>>
>>>>>>> Ray
>>>>>>>
>>>>>>> On Fri, 2023-11-03 at 07:24 -0700, atilling wrote:
>>>>>>>
>>>>>>> Notice: This message was sent from outside the University of
>>>>>>> Victoria email system. Please be cautious with links and sensitive
>>>>>>> information.
>>>>>>>
>>>>>>> There is nothing on the VIP that specifies any security for any URI.
>>>>>>>
>>>>>>>
>>>>>>> The developer console shows that cas.css is redirecting to cas.css.
>>>>>>>
>>>>>>> [image: Screenshot 2023-11-03 at 10.22.53 AM.png]
>>>>>>>
>>>>>>> During startup I'm seeing:
>>>>>>>
>>>>>>> INFO [org.springframework.security.web.DefaultSecurityFilterChain] -
>>>>>>> <Will not secure Ant [pattern='/css/**']>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thursday, November 2, 2023 at 3:22:24 PM UTC-4 Ray Bon wrote:
>>>>>>>
>>>>>>> Is it possible that vip...themes is protected/secured and needs
>>>>>>> login to access?
>>>>>>> Check your developer console to see where the redirects are going.
>>>>>>> Check cas logs to see which URIs are unprotected (shows on startup).
>>>>>>>
>>>>>>> Ray
>>>>>>>
>>>>>>> On Thu, 2023-11-02 at 09:24 -0700, atilling wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Offloading SSL to F5 BigIP
>>>>>>> In cas.properties we have:
>>>>>>> server.port=8080
>>>>>>> server.ssl.enabled=false
>>>>>>>
>>>>>>> if we go to https://node.domain.tld:8080/cas/login the page
>>>>>>> displays fine and the CSS is loaded
>>>>>>>
>>>>>>> if we go to https://vip.domain.tld/cas/login the page displays but
>>>>>>> the CSS is not loaded
>>>>>>>
>>>>>>> https://node.domain.tld:8080/cas/login/themes/cc_main/css/cas.css
>>>>>>> loads fine
>>>>>>>
>>>>>>> https://vip.domain.tld/cas/login/themes/cc_main/css/cas.css throws
>>>>>>> the error ERR_TOO_MANY_REDIRECTS
>>>>>>>
>>>>>>> Tried adding
>>>>>>> server.tomcat.remoteip.port-header=x-forwarded-port
>>>>>>> server.tomcat.remoteip.protocol-header=x-forwarded-proto
>>>>>>> server.tomcat.remoteip.remote-ip-header=x-forwarded-for
>>>>>>>
>>>>>>> And there was no change.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
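As an added illustration (not code from this thread, from CAS or from Spring), the following Python model reproduces the loop the thread describes: the F5 terminates TLS on 443 and forwards plain HTTP to port 8080; when the application does not trust X-Forwarded-Proto (no forward-headers strategy) and the requested path is not in the web-security exclusion list, Spring Security redirects to the https port mapping (8080 to 8443), the proxy forwards that as http again, and the browser stops with ERR_TOO_MANY_REDIRECTS. The exclusion lists, host name and port mapping are assumptions of the model, and the native/remoteip variant is not modelled.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Assumed port mapping used by Spring Security's requires-secure redirect.
PORT_MAPPING = {"8080": "8443", "80": "443"}
# Assumed exclusion lists: CAS 6.6.x has no /themes/** entry, CAS 7 adds it.
EXCLUDED_CAS66 = ["/css/**", "/js/**", "/images/**"]
EXCLUDED_CAS7 = EXCLUDED_CAS66 + ["/themes/**"]
NODE_HOST, NODE_PORT = "node.domain.tld", "8080"   # constructed values

def is_excluded(path, patterns):
    """True if the servlet path matches an Ant pattern that web security skips."""
    return any(fnmatchcase(path, p.replace("**", "*")) for p in patterns)

def effective_scheme(headers, strategy):
    """Scheme the application believes the client used."""
    if strategy == "framework":          # honour X-Forwarded-Proto from the proxy
        return headers.get("X-Forwarded-Proto", "http")
    return "http"                        # strategy "none": only the plain 8080 connection is seen

def app_response(path, headers, strategy, excluded):
    """Model one CAS node reply: ('200', None) or ('302', location)."""
    if is_excluded(path, excluded) or effective_scheme(headers, strategy) == "https":
        return "200", None
    # Spring Security's secure-channel redirect: same path, mapped https port.
    return "302", f"https://{NODE_HOST}:{PORT_MAPPING[NODE_PORT]}{path}"

def fetch_through_proxy(path, strategy, excluded, max_redirects=20):
    """Follow redirects like a browser whose requests pass through the TLS-offloading F5.
    Returns ('ok', hops) or ('ERR_TOO_MANY_REDIRECTS', hops)."""
    for hops in range(max_redirects):
        # Constructed headers as the F5 forwards them to the node on plain HTTP.
        headers = {"Host": "vip.domain.tld", "X-Forwarded-Proto": "https",
                   "X-Forwarded-Port": "443"}
        status, location = app_response(path, headers, strategy, excluded)
        if status == "200":
            return "ok", hops
        # The browser follows the https Location; the F5 terminates TLS and
        # forwards the same path as http again, so the app sees the same request.
        path = urlsplit(location).path
    return "ERR_TOO_MANY_REDIRECTS", max_redirects

if __name__ == "__main__":
    theme_css = "/themes/cc_main/css/cas.css"
    print("6.6.x, no strategy:", fetch_through_proxy(theme_css, "none", EXCLUDED_CAS66))
    print("6.6.x, framework:  ", fetch_through_proxy(theme_css, "framework", EXCLUDED_CAS66))
    print("7.x, no strategy:  ", fetch_through_proxy(theme_css, "none", EXCLUDED_CAS7))
```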
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fe0dd256-8aeb-4ee5-9521-1f3bff69ca74n%40apereo.org.