What's not working? We have it working.
server.port=8080
server.ssl.enabled=false
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.protocol=HTTP/1.1
cas.server.tomcat.http-proxy.secure=true
cas.server.tomcat.http-proxy.scheme=https
cas.server.prefix=${cas.server.name}/cas
In the CAS config. I don't think we're doing anything too special in the
proxy config. Unsure if this was for CAS or something else, but it is
part of our standard: RequestHeader set X-Forwarded-Proto "https"
On 2/2/26 08:52, Drew Northup wrote:
We tried a bunch of different ideas from different people here (and
otherwise). We attempted using the one distributed in the docker
container, but it is missing modules that we need. After a great deal
of futzing we got it to say "oh yeah, https", but only after stuffing
a 10-year self-signed certificate into it, which is a crappy
solution...yet it did stop puking up spurious "not HTTPS" errors.
However, each time we build one ourselves, which has the modules in it
that we need, we get tons of the following warnings prior to fatal
errors:
2026-02-02 08:39:45,928 TRACE
[org.springframework.security.web.savedrequest.HttpSessionRequestCache]
- <matchingRequestParameterName is required for getMatchingRequest to
lookup a value, but not provided>
This indicates to me that there is a fatal error somewhere in the
build chain—somewhere we here haven't modified. Somebody please come
up with an explanation indicating that isn't the case...please. As if the
build chain we are getting directly from Apereo and using with a stock
Amazon Corretto Java has a fatal error in it that's a major problem
for everyone.
On Wednesday, January 28, 2026 at 9:08:41 PM UTC-5 Drew Northup wrote:
My coworker and I have tried pretty much everything we can think
of to get the embedded Tomcat CAS to work behind an Apache HTTPd
(which is doing all of the HTTPS stuff, because (1) it is our
standard configuration and we don't hate our fellow sysadmins, and
(2) we don't hate ourselves).
I'm not going to say up-front what our current configuration is
because (1) that's not the point of this question, and (2) it
would poison the conversation.
Again, this isn't about "what we've done wrong", this is about "how
is it supposed to work".
If the answer is "do the TLS in java" don't expect a friendly
response, as that's not an answer. This is standard configuration
which should work. If it doesn't, then that's a bug. This is all
on one host, between daemons on the same host, and not on the open
network.
(signature block probably missing because I'm using the Google
Groups interface)
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b5dff768-3358-4969-8726-5d96a986b099n%40apereo.org
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/b5dff768-3358-4969-8726-5d96a986b099n%40apereo.org?utm_medium=email&utm_source=footer>.
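An added example, not from either poster or from the CAS project: a small Python check that compares a cas.properties file against the working settings quoted in the reply and resolves the ${...} reference in cas.server.prefix. The cas.server.name value, the function names, and the rule that the resolved prefix should be an https URL are assumptions made for this illustration.

```python
import re

# Constructed sample: the settings quoted in the reply, plus an assumed
# cas.server.name (the thread never shows its value).
SAMPLE = """\
server.port=8080
server.ssl.enabled=false
cas.server.name=https://cas.example.org
cas.server.tomcat.http-proxy.enabled=true
cas.server.tomcat.http-proxy.protocol=HTTP/1.1
cas.server.tomcat.http-proxy.secure=true
cas.server.tomcat.http-proxy.scheme=https
cas.server.prefix=${cas.server.name}/cas
"""
PROXY = "cas.server.tomcat.http-proxy."
# Values taken from the working configuration in the reply.
EXPECTED = {"server.ssl.enabled": "false", PROXY + "enabled": "true",
            PROXY + "secure": "true", PROXY + "scheme": "https"}

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def resolve(props, key, depth=0):
    """Expand ${other.key} references; unknown keys stay as written."""
    def expand(match):
        name = match.group(1)
        if name in props and depth < 10:  # depth guard against reference loops
            return resolve(props, name, depth + 1)
        return match.group(0)
    return re.sub(r"\$\{([^}]+)\}", expand, props.get(key, ""))

def check_tls_offload(props):
    """Return differences from the quoted setup; an empty list means it matches."""
    findings = [f"{key}={props.get(key, '<unset>')} (reply uses {want})"
                for key, want in EXPECTED.items()
                if props.get(key, "").lower() != want]
    prefix = resolve(props, "cas.server.prefix")
    if not prefix.startswith("https://"):  # assumed rule for a TLS-terminating proxy
        findings.append(f"cas.server.prefix resolves to {prefix!r}, not an https URL")
    return findings

if __name__ == "__main__":
    print(check_tls_offload(parse_properties(SAMPLE)) or "matches the quoted setup")
```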