I run the embedded Tomcat at 8080 and terminate the certificate on an NGINX server, which connects to the Tomcat server.
Take a look at these CAS options:

server.ssl.enabled=false
server.port=8080
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.protocol=HTTP/1.1
cas.server.tomcat.http-proxy.secure=true
cas.server.tomcat.http-proxy.scheme=https
server.servlet.context-path=/

So you can use something like:

ProxyPass "/" "http://cas-server:8080/"
ProxyPassReverse "/" "http://cas-server:8080/"

in your Apache server.

On Thursday, January 29, 2026 at 1:32:44 AM UTC-5 Derek Badge wrote:

> I ran a similar setup for years, so this feels like a configuration issue.
> In my previous case, I had the embedded server on 8443, with the proxy
> handling 443 and communicating via SSL to that backend. I’m wondering if
> there’s a specific limitation with the embedded server here? Since I didn’t
> perform the initial setup on this system, I’m not sure on the original
> intent/sin/decision.
>
> On Wednesday, January 28, 2026 at 10:49:39 PM UTC-5 AJ wrote:
>
>> That setup is working fine for me, except my Tomcat isn’t embedded, it’s
>> running on its own, but only on localhost serving http only. Apache is
>> configured to terminate ssl and proxy requests to tomcat for the /cas
>> endpoint.
>>
>> On Jan 28, 2026, at 9:08 PM, Drew Northup <[email protected]> wrote:
>>
>> My coworker and I have tried pretty much everything we can think of to
>> get the embedded Tomcat CAS to work behind an Apache HTTPd (which is doing
>> all of the HTTPS stuff, because (1) it is our standard configuration and we
>> don't hate our fellow sysadmins, and (2) we don't hate ourselves).
>>
>> I'm not going to say up-front what our current configuration is because
>> (1) that's not the point of this question, and (2) it would poison the
>> conversation.
>>
>> Again, this isn't what "what we've done wrong" this is about "how is it
>> supposed to work".
>> If the answer is "do the TLS in java" don't expect a friendly response,
>> as that's not an answer. This is standard configuration which should work.
>> If it doesn't, then that's a bug. This is all on one host, between daemons
>> on the same host, and not on the open network.
>>
>> (signature block probably missing because I'm using the Google Groups
>> interface)
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/26818e29-12bd-421a-97aa-9e4f94e3db3cn%40apereo.org
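A consistency check for the settings discussed in this thread, added here as an example (it is not code from any poster or from the CAS project): it cross-checks the quoted CAS properties against the quoted ProxyPass lines. The inputs are constructed copies of those settings, the function names are hypothetical, and treating a missing server.ssl.enabled as TLS-on is an assumption of the checker.

```python
import re
from urllib.parse import urlsplit

# Constructed inputs that mirror the settings quoted in the thread.
CAS_PROPERTIES = """\
server.ssl.enabled=false
server.port=8080
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.protocol=HTTP/1.1
cas.server.tomcat.http-proxy.secure=true
cas.server.tomcat.http-proxy.scheme=https
server.servlet.context-path=/
"""
APACHE_CONF = '''\
ProxyPass "/" "http://cas-server:8080/"
ProxyPassReverse "/" "http://cas-server:8080/"
'''

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if l and l[0] not in "#!" and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def proxy_targets(conf):
    """Map ProxyPass / ProxyPassReverse to their (path, backend URL) arguments."""
    pat = re.compile(r'^\s*(ProxyPass(?:Reverse)?)\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.M)
    return {m.group(1): (m.group(2), m.group(3)) for m in pat.finditer(conf)}

def check(props_text, apache_conf):
    """Return mismatches between the CAS connector settings and the proxy lines."""
    p, findings = parse_properties(props_text), []
    pre = "cas.server.tomcat.http-proxy."
    for key, want in (("enabled", "true"), ("scheme", "https"), ("secure", "true")):
        if p.get(pre + key) != want:
            findings.append(f"{pre}{key} should be {want}")
    # Assumption of this checker: anything but an explicit "false" means TLS on the backend.
    want_scheme = "http" if p.get("server.ssl.enabled") == "false" else "https"
    targets = proxy_targets(apache_conf)
    if "ProxyPass" not in targets:
        return findings + ["no ProxyPass directive found"]
    backend = urlsplit(targets["ProxyPass"][1])
    if backend.scheme != want_scheme:
        findings.append(f"ProxyPass uses {backend.scheme}:// but backend expects {want_scheme}://")
    if str(backend.port) != p.get("server.port"):
        findings.append(f"ProxyPass port {backend.port} != server.port {p.get('server.port')}")
    if targets.get("ProxyPassReverse") != targets["ProxyPass"]:
        findings.append("ProxyPassReverse does not mirror ProxyPass")
    return findings
```

An empty list from `check(CAS_PROPERTIES, APACHE_CONF)` means the two sides agree; because the connector reports every request as secure in this setup, the plain-HTTP port should be reachable only from the proxy.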
