Hi Drew,
We run embedded Tomcat just fine on CAS 7.3. I know you specifically asked
about httpd; we use Caddy, but similar concepts apply, and if it's something
in your Tomcat config perhaps this will help. We terminate HTTPS in Caddy
and Tomcat listens on 8080, same host. Good luck!
*cas.properties*
# ---------------------------------------
# Embedded Tomcat configuration
# ---------------------------------------
server.tomcat.basedir=tomcat-basedir
server.tomcat.max-http-form-post-size=2MB
server.tomcat.threads.max=300
# Proxied
server.port=8080
server.ssl.enabled=false
server.max-http-request-header-size=2MB
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.secure=true
cas.server.tomcat.http-proxy.scheme=https
cas.server.tomcat.http-proxy.protocol=HTTP/1.1
# Logging
server.tomcat.accesslog.enabled=true
# uncomment below when trouble-shooting
#server.tomcat.accesslog.buffered=false
server.tomcat.accesslog.directory=/etc/cas/log
server.tomcat.accesslog.prefix=access_cas
server.tomcat.accesslog.suffix=.log
server.tomcat.accesslog.max-days=7
server.tomcat.accesslog.rename-on-rotate=true
server.tomcat.accesslog.pattern=%t %a %{X-FORWARDED-FOR}i \"%r\" %s (%D ms) %{User-Agent}i
*Caddyfile*
{
    servers {
        max_header_size 2MB
    }
    log {
        output stdout
    }
}

server.domain.berkeley.edu alias.domain.berkeley.edu {
    log {
        output stdout
    }
    tls {
        ca https://acme.sectigo.com/v2/InCommonRSAOV
        eab "blah" "blahblahblah"
    }
    header {
        # enable HSTS
        Strict-Transport-Security max-age=31536000;
    }
    request_body {
        max_size 2MB
    }
    @miscreants {
        header_regexp User-Agent (?i).+msnbot.+|.+scrapbot.+|.+ExchangeWebServices.+
    }
    respond @miscreants 400
    reverse_proxy http://localhost:8080 {
        trusted_proxies x.x.x.x/26 x.x.x.x/26 x.x.x.x/26
        header_up X-Forwarded-Ssl on
        header_up X-Real-IP {client_ip}
        # this is required to make pac4j WebContext.getRequestURL return port
        # the OIDC endpoint validation uses this
        header_up X-Forwarded-Port {http.request.port}
        header_up X-Url-Scheme {scheme}
        header_down content-security-policy {http.response.header.content-security-policy}
    }
}

# this is required for the health checks hitting the ip_address/actuator to work
x.x.x.x x.x.x.x {
    log {
        output stdout
    }
    tls internal {
    }
    reverse_proxy http://localhost:8080 {
        trusted_proxies x.x.x.x/26 x.x.x.x/26 x.x.x.x/26
        header_up X-Forwarded-Ssl on
        header_up X-Real-IP {client_ip}
        # this is required to make pac4j WebContext.getRequestURL return port
        # the OIDC endpoint validation uses this
        header_up X-Forwarded-Port {http.request.port}
        header_up X-Url-Scheme {scheme}
        header_down content-security-policy {http.response.header.content-security-policy}
    }
}
On Wed, Jan 28, 2026 at 10:32 PM 'Derek Badge' via CAS Community <[email protected]> wrote:
> I ran a similar setup for years, so this feels like a configuration issue.
> In my previous case, I had the embedded server on 8443, with the proxy
> handling 443 and communicating via SSL to that backend. I’m wondering if
> there’s a specific limitation with the embedded server here? Since I didn’t
> perform the initial setup on this system, I’m not sure on the original
> intent/sin/decision.
> On Wednesday, January 28, 2026 at 10:49:39 PM UTC-5 AJ wrote:
>
>> That setup is working fine for me, except my Tomcat isn’t embedded, it’s
>> running on its own, but only on localhost serving http only. Apache is
>> configured to terminate ssl and proxy requests to tomcat for the /cas
>> endpoint.
>>
>> On Jan 28, 2026, at 9:08 PM, Drew Northup <[email protected]> wrote:
>>
>> My coworker and I have tried pretty much everything we can think of to
>> get the embedded Tomcat CAS to work behind an Apache HTTPd (which is doing
>> all of the HTTPS stuff, because (1) it is our standard configuration and we
>> don't hate our fellow sysadmins, and (2) we don't hate ourselves).
>>
>>
>> I'm not going to say up-front what our current configuration is because
>> (1) that's not the point of this question, and (2) it would poison the
>> conversation.
>>
>> Again, this isn't about "what we've done wrong"; this is about "how is it
>> supposed to work".
>> If the answer is "do the TLS in java" don't expect a friendly response,
>> as that's not an answer. This is standard configuration which should work.
>> If it doesn't, then that's a bug. This is all on one host, between daemons
>> on the same host, and not on the open network.
>>
>> (signature block probably missing because I'm using the Google Groups
>> interface)
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/26818e29-12bd-421a-97aa-9e4f94e3db3cn%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/26818e29-12bd-421a-97aa-9e4f94e3db3cn%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>
--
Jonathon Taylor
Information Security Office | University of California, Berkeley
[email protected]
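One check worth running once a setup like the one above is in place: because the cas.server.tomcat.http-proxy.secure=true / scheme=https settings mark the 8080 connector as HTTPS, any request that reaches Tomcat directly (not via the proxy) is treated as if it had been TLS-terminated upstream. With Tomcat and the proxy on the same host, every legitimate request in the Tomcat access log should therefore come from a loopback peer address (%a) and carry an X-Forwarded-For header. The script below is an added example, not code from the thread, from CAS or from Caddy; it parses lines in the exact accesslog.pattern quoted above and flags the two anomalies. The sample lines and the helper names (parse_line, audit, is_loopback) are constructed for this illustration.

```python
"""Audit Tomcat access-log lines written with the pattern from the thread:
    %t %a %{X-FORWARDED-FOR}i \"%r\" %s (%D ms) %{User-Agent}i
and flag requests that reached Tomcat without going through the reverse proxy.
Added example; helper names are this example's own, not a CAS or Caddy API."""
import ipaddress
import re
from typing import Optional

LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] '     # %t  e.g. [28/Jan/2026:22:10:05 -0800]
    r'(?P<remote>\S+) '           # %a  peer address as Tomcat sees it
    r'(?P<xff>.+?) '              # X-Forwarded-For value ("-" when absent;
                                  # may contain ", " for multi-hop chains)
    r'"(?P<request>[^"]*)" '      # %r  request line
    r'(?P<status>\d{3}) '         # %s  status code
    r'\((?P<ms>\d+) ms\) '        # %D  elapsed milliseconds
    r'(?P<ua>.*)$'                # User-Agent
)

# Constructed sample log (not real output). Assumes Tomcat on 8080 and the
# proxy on the same host, as in the thread. Line 3 is a loopback request with
# no X-Forwarded-For (e.g. a local curl); line 4 is a non-loopback peer,
# meaning port 8080 was reachable without passing through the proxy.
SAMPLE_LOG = """\
[28/Jan/2026:22:10:05 -0800] 127.0.0.1 203.0.113.5 "GET /cas/login HTTP/1.1" 200 (12 ms) Mozilla/5.0
[28/Jan/2026:22:10:06 -0800] 127.0.0.1 198.51.100.7, 203.0.113.9 "POST /cas/login HTTP/1.1" 302 (40 ms) Mozilla/5.0
[28/Jan/2026:22:10:07 -0800] 127.0.0.1 - "GET /cas/actuator/health HTTP/1.1" 200 (3 ms) curl/8.4.0
[28/Jan/2026:22:10:08 -0800] 192.0.2.44 - "GET /cas/login HTTP/1.1" 200 (9 ms) curl/8.4.0
this line is not in the expected format
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a dict of the log fields, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ms"] = int(rec["ms"])
    # "-" is Tomcat's marker for a header that was not present.
    rec["xff"] = None if rec["xff"] == "-" else [h.strip() for h in rec["xff"].split(",")]
    return rec


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything else or unparsable."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(log_text: str) -> dict:
    """Classify every line: direct (non-loopback) access, or loopback without XFF."""
    findings = {"total": 0, "unparsed": 0, "direct_access": [], "missing_xff": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings["unparsed"] += 1
            continue
        findings["total"] += 1
        if not is_loopback(rec["remote"]):
            # Reached the connector without the proxy in front of it.
            findings["direct_access"].append(rec)
        elif rec["xff"] is None:
            # Local peer but the proxy did not add X-Forwarded-For (or it was
            # not the proxy at all, e.g. a local curl straight to 8080).
            findings["missing_xff"].append(rec)
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(f"parsed {result['total']} lines, {result['unparsed']} unparsed")
    for rec in result["direct_access"]:
        print(f"DIRECT  {rec['time']} from {rec['remote']}: {rec['request']}")
    for rec in result["missing_xff"]:
        print(f"NO-XFF  {rec['time']} from {rec['remote']}: {rec['request']}")
```

Any hit in direct_access means the 8080 connector is reachable from beyond the proxy host; the usual fix is to bind the embedded server to loopback only (Spring Boot's server.address=127.0.0.1) or firewall the port, which still works with the second Caddy site block above since it proxies to localhost:8080. The missing_xff bucket is mostly noise from local tooling, but a sustained stream of it from an unfamiliar User-Agent is worth a look.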