Here is my configuration for an Apache HTTPD reverse proxy in front of an
embedded tomcat 10 CAS 7.3.x deployment:

    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    <IfModule env_module>
        SetEnvIf Front-End-Https "^on$" HTTPS=on
    </IfModule>
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ProxyPass /cas/ http://localhost:8080/cas/
    ProxyPassReverse /cas/ http://localhost:8080/cas/

This has been working for years with no issues.
Phil
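
Added example (not part of the original message, and not CAS or Apache project code): a small Python check run over the proxy directives posted above, reporting the reverse-proxy properties that matter when TLS is terminated in httpd and the backend is plain HTTP on the same host. The function names and finding codes are hypothetical; the sample input is constructed from the message.

```python
from urllib.parse import urlsplit
# Constructed input: the proxy directives from the message above.
SAMPLE = """\
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
ProxyPass /cas/ http://localhost:8080/cas/
ProxyPassReverse /cas/ http://localhost:8080/cas/
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def directives(text):
    """Yield (lowercased name, args) per directive; skips comments and section tags."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name.lower(), args

def mappings(d, name):  # (path, backend URL) pairs of ProxyPass / ProxyPassReverse
    return {(a[0], a[1]) for n, a in d if n == name and len(a) >= 2 and "://" in a[1]}

def audit(text):
    """Return sorted finding codes (hypothetical names) for a reverse-proxy fragment."""
    d = list(directives(text))
    found = set()
    # ProxyRequests On makes httpd a forward proxy; a reverse proxy needs it Off (the default).
    if any(n == "proxyrequests" and a and a[0].lower() == "on" for n, a in d):
        found.add("forward-proxy-enabled")
    # Order/Allow/Deny are 2.2 syntax, served by mod_access_compat on 2.4.
    if any(n in ("order", "allow", "deny") for n, a in d):
        found.add("legacy-2.2-access-control")
    passes, reverses = mappings(d, "proxypass"), mappings(d, "proxypassreverse")
    for path, url in passes:
        # Without a matching ProxyPassReverse, backend Location headers are not rewritten.
        if (path, url) not in reverses:
            found.add("missing-proxypassreverse:" + path)
        # Plain HTTP to the backend is only reasonable on the same host.
        if urlsplit(url).scheme == "http" and urlsplit(url).hostname not in LOOPBACK:
            found.add("plaintext-backend-off-host:" + path)
    # SSLProxyEngine only matters when some backend is reached over https.
    ssl_on = any(n == "sslproxyengine" and a and a[0].lower() == "on" for n, a in d)
    if ssl_on and not any(u.startswith("https:") for _, u in passes):
        found.add("sslproxyengine-unused")
    return sorted(found)
```

Calling audit(SAMPLE) on the posted directives reports only the two informational items (2.2-style access control and an unused SSLProxyEngine); the forward-proxy and off-host plaintext checks pass.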
On Thursday, January 29, 2026 at 12:32:44 AM UTC-6 Derek Badge wrote:
> I ran a similar setup for years, so this feels like a configuration issue.
> In my previous case, I had the embedded server on 8443, with the proxy
> handling 443 and communicating via SSL to that backend. I’m wondering if
> there’s a specific limitation with the embedded server here? Since I didn’t
> perform the initial setup on this system, I’m not sure on the original
> intent/sin/decision.
> On Wednesday, January 28, 2026 at 10:49:39 PM UTC-5 AJ wrote:
>
>> That setup is working fine for me, except my Tomcat isn’t embedded, it’s
>> running on its own, but only on localhost serving http only. Apache is
>> configured to terminate ssl and proxy requests to tomcat for the /cas
>> endpoint.
>>
>> On Jan 28, 2026, at 9:08 PM, Drew Northup <[email protected]> wrote:
>>
>> My coworker and I have tried pretty much everything we can think of to
>> get the embedded Tomcat CAS to work behind an Apache HTTPd (which is doing
>> all of the HTTPS stuff, because (1) it is our standard configuration and we
>> don't hate our fellow sysadmins, and (2) we don't hate ourselves).
>>
>>
>> I'm not going to say up-front what our current configuration is because
>> (1) that's not the point of this question, and (2) it would poison the
>> conversation.
>>
>> Again, this isn't about "what we've done wrong", this is about "how is it
>> supposed to work".
>> If the answer is "do the TLS in java" don't expect a friendly response,
>> as that's not an answer. This is standard configuration which should work.
>> If it doesn't, then that's a bug. This is all on one host, between daemons
>> on the same host, and not on the open network.
>>
>> (signature block probably missing because I'm using the Google Groups
>> interface)
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/26818e29-12bd-421a-97aa-9e4f94e3db3cn%40apereo.org