Thanks Derek & AJ,

My experience has also been that using the external servlet container is more flexible and the configuration options tend to more often do what the plain language of the documentation indicates that they should. We'll drop the attempt to use the embedded Tomcat container and move forward using a system daemon instead.

On Thursday, January 29, 2026 at 1:32:44 AM UTC-5 Derek Badge wrote:

I ran a similar setup for years, so this feels like a configuration issue. In my previous case, I had the embedded server on 8443, with the proxy handling 443 and communicating via SSL to that backend. I’m wondering if there’s a specific limitation with the embedded server here? Since I didn’t perform the initial setup on this system, I’m not sure on the original intent/sin/decision.

On Wednesday, January 28, 2026 at 10:49:39 PM UTC-5 AJ wrote:

That setup is working fine for me, except my Tomcat isn’t embedded, it’s running on its own, but only on localhost serving HTTP only. Apache is configured to terminate SSL and proxy requests to Tomcat for the /cas endpoint.

On Jan 28, 2026, at 9:08 PM, Drew Northup <[email protected]> wrote:

My coworker and I have tried pretty much everything we can think of to get the embedded Tomcat CAS to work behind an Apache HTTPd (which is doing all of the HTTPS stuff, because (1) it is our standard configuration and we don't hate our fellow sysadmins, and (2) we don't hate ourselves).

I'm not going to say up-front what our current configuration is because (1) that's not the point of this question, and (2) it would poison the conversation. Again, this isn't about "what we've done wrong"; this is about "how is it supposed to work". If the answer is "do the TLS in java" don't expect a friendly response, as that's not an answer. This is standard configuration which should work. If it doesn't, then that's a bug. This is all on one host, between daemons on the same host, and not on the open network.

(signature block probably missing because I'm using the Google Groups interface)

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
