Bull's Eye!
We're using CAS in a reverse proxy environment. The real server
"www.secretsite.de" is the only one with a public IP. The backend servers
have 192.168.25.*
Although the communication with the reverse proxy is SSL-secured
(https://www.secretsite.de), the internal communication reverse proxy
<-> backend server is unencrypted (here: port 5111 without SSL).
Our casified typo3 with mod_auth_cas:
<VirtualHost 192.168.25.70:5111>
SetEnv HTTPS on
DocumentRoot "/data/typo3/htdocs/"
ServerName https://www.secretsite.de:443
ServerAdmin [email protected]
ErrorLog logs/error_ssl
TransferLog logs/access_ssl
CASLoginURL "https://cas.secretsite.de/cas/login"
CASValidateURL "http://192.168.25.90:8080/cas/serviceValidate"
CASValidateServer Off
CASRootProxiedAs "https://www.secretsite.de"
CASIdleTimeout 60
LogLevel Debug
<Directory "/data/typo3/htdocs/">
AuthLDAPUrl "ldap://192.168.25.30:389/ou=people,dc=secretsite,dc=de?uid?one" NONE
AuthLDAPBindDN "uid=binduser,ou=specialusers,dc=de"
AuthLDAPBindPassword "password!"
require ldap-filter |(employeeType=m)(employeeType=p)
AuthType Cas
</Directory>
</VirtualHost>
The CASRootProxiedAs is very important in this context. If this
directive is omitted, the rewrite is bogus: after the login at the CAS
server, the redirect goes to http://www.secretsite.de:5111/...
And yes, we are using mod_rewrite with mod_proxy on our reverse proxy:
<VirtualHost 147.172.3.2:443>
SSLEngine on
ServerName https://www.secretsite.de:443
[...]
ProxyRequests Off
ProxyPreserveHost On
RewriteEngine On
RewriteRule ^/(.*)$ \
http://192.168.25.70:5111/$1 \
[P,L]
</VirtualHost>
cu
Kevin
On 31.05.2011 03:46, Smith, Matthew J. wrote:
> Kevin,
>
> One more question -- do you use the "CASRootProxiedAs" directive in your
> Apache conf?
>
> Thanks,
> -Matt
>
> Matthew J. Smith
> University of Connecticut UITS
> [email protected]
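Added example, not part of the original message and not mod_auth_cas code: a small Python check over the backend vhost posted above. `service_url` is an assumed, simplified model that reproduces the redirect behaviour the message describes; the function names are made up for this sketch, and the embedded config is a constructed excerpt of the posted one.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the backend vhost posted in the message above.
BACKEND_VHOST = """\
<VirtualHost 192.168.25.70:5111>
ServerName https://www.secretsite.de:443
CASLoginURL "https://cas.secretsite.de/cas/login"
CASValidateURL "http://192.168.25.90:8080/cas/serviceValidate"
CASValidateServer Off
CASRootProxiedAs "https://www.secretsite.de"
</VirtualHost>
"""

def parse_vhost(text):
    """Return (listen address, {lower-cased directive: argument string})."""
    listen, directives = None, {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"<VirtualHost\s+([^>\s]+)", line, re.I)
        if m:
            listen = m.group(1)
        elif line and not line.startswith(("<", "#")):
            name, *rest = line.split(None, 1)
            directives[name.lower()] = rest[0].strip('"') if rest else ""
    return listen, directives

def service_url(listen, directives, path):
    """Assumed model of the service URL the backend hands to the CAS server."""
    root = directives.get("casrootproxiedas")
    if root:
        return root.rstrip("/") + path
    # Fallback mirrors the redirect reported above: http, public host, backend port.
    host = urlsplit(directives["servername"]).hostname
    return f"http://{host}:{listen.rsplit(':', 1)[1]}{path}"

def lint(directives):
    """Flag the settings that matter when CAS sits behind a reverse proxy."""
    findings = []
    if "casrootproxiedas" not in directives:
        findings.append("CASRootProxiedAs missing: redirect URL carries the backend port")
    if urlsplit(directives.get("casvalidateurl", "")).scheme != "https":
        findings.append("CASValidateURL is not https: tickets are validated in cleartext")
    if directives.get("casvalidateserver", "").lower() == "off":
        findings.append("CASValidateServer Off: CAS server certificate is not checked")
    return findings

if __name__ == "__main__":
    listen, directives = parse_vhost(BACKEND_VHOST)
    print(service_url(listen, directives, "/index.php"), lint(directives))
```

For the posted config the check reports the two validation findings; dropping the CASRootProxiedAs line adds the third and yields the port-5111 URL from the message.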