A packet sniffer on either end would prove it, and tcpdump on Linux is a
fantastic tool for that purpose. You don't need extensive knowledge of
packets to use it; with HTTP, the traffic will appear as readable text,
whereas with HTTPS, the encryption will make it unreadable.

Best regards,
Derek Badge

On Thu, Jan 29, 2026 at 11:50 AM Drew Northup <[email protected]>
wrote:

> Daniel,
> When we tried using cas.server.tomcat.http-proxy.secure=true it stopped
> dead because we weren't supplying it certificates to use for TLS inside of
> the embedded Tomcat. Are you sure that NGINX is forwarding HTTP and not
> HTTPS to the container?
>
> On Thursday, January 29, 2026 at 11:42:11 AM UTC-5 Daniel Maldonado wrote:
>
> I run the embedded Tomcat at 8080 and terminate the certificate on an
> NGINX server, which connects to the Tomcat server.
>
> Take a look at these CAS options:
> server.ssl.enabled=false
> server.port=8080
> cas.server.tomcat.http-proxy.enabled=true
> cas.server.tomcat.http-proxy.protocol=HTTP/1.1
> cas.server.tomcat.http-proxy.secure=true
> cas.server.tomcat.http-proxy.scheme=https
> server.servlet.context-path=/
>
> So you can use something like:
>
> ProxyPass "/" "http://cas-server:8080/"
> ProxyPassReverse "/" "http://cas-server:8080/"
>
> in your Apache server.
>
>
> On Thursday, January 29, 2026 at 1:32:44 AM UTC-5 Derek Badge wrote:
>
> I ran a similar setup for years, so this feels like a configuration issue.
> In my previous case, I had the embedded server on 8443, with the proxy
> handling 443 and communicating via SSL to that backend. I’m wondering if
> there’s a specific limitation with the embedded server here? Since I didn’t
> perform the initial setup on this system, I’m not sure on the original
> intent/sin/decision.
> On Wednesday, January 28, 2026 at 10:49:39 PM UTC-5 AJ wrote:
>
> That setup is working fine for me, except my Tomcat isn’t embedded, it’s
> running on its own, but only on localhost serving http only.  Apache is
> configured to terminate ssl and proxy requests to tomcat for the /cas
> endpoint.
>
> On Jan 28, 2026, at 9:08 PM, Drew Northup <[email protected]> wrote:
>
> My coworker and I have tried pretty much everything we can think of to
> get the embedded Tomcat CAS to work behind an Apache HTTPd (which is doing
> all of the HTTPS stuff, because (1) it is our standard configuration and we
> don't hate our fellow sysadmins, and (2) we don't hate ourselves).
>
>
> I'm not going to say up-front what our current configuration is because
> (1) that's not the point of this question, and (2) it would poison the
> conversation.
>
> Again, this isn't about "what we've done wrong"; this is about "how is it
> supposed to work".
> If the answer is "do the TLS in java" don't expect a friendly response, as
> that's not an answer. This is standard configuration which should work. If
> it doesn't, then that's a bug. This is all on one host, between daemons on
> the same host, and not on the open network.
>
> (signature block probably missing because I'm using the Google Groups
> interface)
>
> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/26818e29-12bd-421a-97aa-9e4f94e3db3cn%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/26818e29-12bd-421a-97aa-9e4f94e3db3cn%40apereo.org?utm_medium=email&utm_source=footer>
> .
>

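The check described at the top of this message (readable text for HTTP, unreadable bytes for HTTPS), as an added example that is not part of the original thread: it classifies the first bytes a proxy sends to the backend port as a cleartext HTTP request or the start of a TLS handshake. The function name and both sample payloads are constructed for illustration; real bytes would come from a capture on the backend port.

```python
# Added example, not from the thread: classify the first client-to-backend
# bytes seen on the Tomcat port (e.g. taken from a tcpdump capture on 8080).

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"TRACE", b"CONNECT"}


def classify_first_payload(payload: bytes) -> tuple[str, str]:
    """Return (kind, detail); kind is 'tls', 'http' or 'unknown'."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
    # then a two-byte record length of at most 2^14 for a plaintext record.
    if (len(payload) >= 5 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04):
        record_len = int.from_bytes(payload[3:5], "big")
        if 0 < record_len <= 16384:
            # Handshake message type 0x01 is ClientHello.
            is_hello = len(payload) > 5 and payload[5] == 0x01
            return "tls", ("ClientHello" if is_hello else "handshake record")

    # Cleartext HTTP/1.x: "<METHOD> <target> HTTP/<version>\r\n"
    line, sep, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if (sep and len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[2].startswith(b"HTTP/")):
        return "http", line.decode("ascii", "replace")

    return "unknown", f"{len(payload)} bytes, first: {payload[:8].hex()}"


# Constructed samples (not captured from any real system).
SAMPLE_HTTP = b"GET /login HTTP/1.1\r\nHost: cas-server:8080\r\n\r\n"
SAMPLE_TLS = bytes.fromhex("16030100c8" "010000c4" "0303") + bytes(32)

if __name__ == "__main__":
    for name, data in (("proxy -> 8080 (http)", SAMPLE_HTTP),
                       ("proxy -> 8080 (tls)", SAMPLE_TLS)):
        kind, detail = classify_first_payload(data)
        print(f"{name}: {kind} ({detail})")
```

A "tls" result on the backend port means the proxy is speaking HTTPS to the container even though the backend was expected to receive plain HTTP.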
