Daniel,
When we tried using cas.server.tomcat.http-proxy.secure=true it stopped 
dead because we weren't supplying it certificates to use for TLS inside of 
the embedded Tomcat. Are you sure that NGINX is forwarding HTTP and not 
HTTPS to the container?

On Thursday, January 29, 2026 at 11:42:11 AM UTC-5 Daniel Maldonado wrote:

I run the embedded Tomcat at 8080 and terminate the certificate on an NGINX 
server, which connects to the Tomcat server.

Take a look at these CAS options:
server.ssl.enabled=false
server.port=8080
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.protocol=HTTP/1.1
cas.server.tomcat.http-proxy.secure=true
cas.server.tomcat.http-proxy.scheme=https
server.servlet.context-path=/

So you can use something like:

ProxyPass "/" "http://cas-server:8080/"
ProxyPassReverse "/" "http://cas-server:8080/"

in your Apache server.


On Thursday, January 29, 2026 at 1:32:44 AM UTC-5 Derek Badge wrote:

I ran a similar setup for years, so this feels like a configuration issue. 
In my previous case, I had the embedded server on 8443, with the proxy 
handling 443 and communicating via SSL to that backend. I’m wondering if 
there’s a specific limitation with the embedded server here? Since I didn’t 
perform the initial setup on this system, I’m not sure on the original 
intent/sin/decision.

On Wednesday, January 28, 2026 at 10:49:39 PM UTC-5 AJ wrote:

That setup is working fine for me, except my Tomcat isn’t embedded; it’s 
running on its own, but only on localhost, serving HTTP only. Apache is 
configured to terminate SSL and proxy requests to Tomcat for the /cas 
endpoint.

On Jan 28, 2026, at 9:08 PM, Drew Northup <[email protected]> wrote:

My coworker and I have tried pretty much everything we can think of to get 
the embedded Tomcat CAS to work behind an Apache HTTPd (which is doing all 
of the HTTPS stuff, because (1) it is our standard configuration and we 
don't hate our fellow sysadmins, and (2) we don't hate ourselves). 


I'm not going to say up-front what our current configuration is because (1) 
that's not the point of this question, and (2) it would poison the 
conversation.

Again, this isn't about "what we've done wrong"; this is about "how is it 
supposed to work".
If the answer is "do the TLS in Java" don't expect a friendly response, as 
that's not an answer. This is standard configuration which should work. If 
it doesn't, then that's a bug. This is all on one host, between daemons on 
the same host, and not on the open network.

(signature block probably missing because I'm using the Google Groups 
interface)

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups 
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to [email protected].
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/26818e29-12bd-421a-97aa-9e4f94e3db3cn%40apereo.org
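
The question at the top of the thread, whether the front-end proxy forwards HTTP or HTTPS to the embedded Tomcat, can be checked statically against the quoted settings. The following is an added example, not part of any message in the thread and not CAS code: the function names, THREAD_PROXY_OPTIONS and the sample strings are constructions of this example, and the option set quoted in the thread is used only as a comparison baseline, not validated.

```python
import re
from urllib.parse import urlsplit

# Option set quoted in the thread for TLS terminated at the front-end proxy.
# Used as the comparison baseline only; this example does not validate it.
THREAD_PROXY_OPTIONS = {
    "cas.server.tomcat.http-proxy.enabled": "true",
    "cas.server.tomcat.http-proxy.secure": "true",
    "cas.server.tomcat.http-proxy.scheme": "https",
}
PROXYPASS = re.compile(r'^\s*ProxyPass\s+"?\S+?"?\s+"?([^"\s]+)"?', re.M | re.I)

def parse_properties(text):
    """Parse simple key=value lines (no continuation lines or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check(cas_properties, httpd_conf):
    """Return a list of mismatches between CAS settings and ProxyPass targets."""
    props = parse_properties(cas_properties)
    # Assumption of this example: a missing server.ssl.enabled counts as TLS on.
    tls_on = props.get("server.ssl.enabled", "true").lower() == "true"
    findings = []
    for url in PROXYPASS.findall(httpd_conf):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # "!" exclusions and non-HTTP targets are out of scope here
        if (parts.scheme == "https") != tls_on:
            findings.append(f"{url}: proxy uses {parts.scheme}, server.ssl.enabled={str(tls_on).lower()}")
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if "server.port" in props and str(port) != props["server.port"]:
            findings.append(f"{url}: proxy targets port {port}, server.port={props['server.port']}")
    if not tls_on:  # plain-HTTP backend: compare against the thread's option set
        for key, want in THREAD_PROXY_OPTIONS.items():
            if props.get(key, "").lower() != want:
                findings.append(f"{key} is not {want}")
    return findings

# Constructed sample input, built from the settings quoted in the thread.
SAMPLE_PROPS = "server.ssl.enabled=false\nserver.port=8080\n" + "".join(
    f"{k}={v}\n" for k, v in THREAD_PROXY_OPTIONS.items())
SAMPLE_HTTPD = 'ProxyPass "/" "http://cas-server:8080/"\nProxyPassReverse "/" "http://cas-server:8080/"\n'
if __name__ == "__main__":
    print(check(SAMPLE_PROPS, SAMPLE_HTTPD) or "consistent")
```

An empty list means the proxy's backend URL and the CAS settings agree on scheme and port; it says nothing about whether the running container behaves as configured.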