Got it.  There is an extra URL encode in the CASRootProxiedAs codepath.  We'll 
whip up a patch against trunk.

-Matt

Matthew J. Smith
University of Connecticut UITS
[email protected]
________________________________________
From: Kevin Richter [[email protected]]
Sent: Tuesday, May 31, 2011 4:22 AM
To: [email protected]
Cc: Smith, Matthew J.
Subject: Re: [cas-user] Bug with mod_auth_cas

Bull's Eye!
We're using CAS in a reverse proxy environment. The real server
"www.secretsite.de" is the only one with a public IP. The backend servers
have 192.168.25.*
Although the communication with the reverse proxy is SSL-secured
(https://www.secretsite.de), the internal communication reverse proxy
<-> backend server is unencrypted (here: port 5111 without SSL).


Our casified typo3 with mod_auth_cas:

<VirtualHost 192.168.25.70:5111>
        SetEnv HTTPS on

        DocumentRoot    "/data/typo3/htdocs/"
        ServerName      https://www.secretsite.de:443
        ServerAdmin     [email protected]

        ErrorLog        logs/error_ssl
        TransferLog     logs/access_ssl

        CASLoginURL     "https://cas.secretsite.de/cas/login"
        CASValidateURL  "http://192.168.25.90:8080/cas/serviceValidate"
        CASValidateServer Off
        CASRootProxiedAs  "https://www.secretsite.de"
        CASIdleTimeout  60
        LogLevel        Debug

        <Directory "/data/typo3/htdocs/">
                AuthLDAPUrl             "ldap://192.168.25.30:389/ou=people,dc=secretsite,dc=de?uid?one" NONE
                AuthLDAPBindDN          "uid=binduser,ou=specialusers,dc=de"
                AuthLDAPBindPassword    "password!"
                require                 ldap-filter |(employeeType=m)(employeeType=p)
                AuthType                Cas
        </Directory>

</VirtualHost>


The CASRootProxiedAs is very important in this context. Omitting this
directive, the rewrite is bogus: After the login at the CAS server the
redirect goes to http://www.secretsite.de:5111/...


And yes, we are using mod_rewrite with mod_proxy on our reverse proxy:

<VirtualHost 147.172.3.2:443>

SSLEngine       on
ServerName      https://www.secretsite.de:443

[...]

ProxyRequests           Off
ProxyPreserveHost       On

RewriteEngine   On
RewriteRule     ^/(.*)$ \
                http://192.168.25.70:5111/$1 \
                [P,L]

</VirtualHost>


cu
Kevin



On 31.05.2011 03:46, Smith, Matthew J. wrote:
> Kevin,
>
> One more question -- do you use the "CASRootProxiedAs" directive in your 
> Apache conf?
>
> Thanks,
> -Matt
>
> Matthew J. Smith
> University of Connecticut UITS
> [email protected]
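
Added example, not part of the original thread and not mod_auth_cas code: a simplified Python model of how the service URL reaches the CAS server with and without CASRootProxiedAs, and what one extra URL-encode pass does to it. The function names are hypothetical, the values are taken from the configuration quoted above, and it is an assumption that the doubly encoded value is the "service" parameter of the login redirect.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Values taken from the configuration quoted in the thread.
LOGIN_URL = "https://cas.secretsite.de/cas/login"
ROOT_PROXIED_AS = "https://www.secretsite.de"


def service_url(path, root_proxied_as=None, host="www.secretsite.de",
                port=5111, https=False):
    """Simplified model of the URL the backend vhost thinks the browser used."""
    if root_proxied_as:
        # With the directive set, the public root replaces scheme/host/port.
        return root_proxied_as.rstrip("/") + path
    scheme = "https" if https else "http"
    default_port = 443 if https else 80
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def login_redirect(service, encode_passes=1):
    """Redirect to the CAS login page; encode_passes=2 models the extra encode."""
    value = service
    for _ in range(encode_passes):
        value = quote(value, safe="")
    return f"{LOGIN_URL}?service={value}"


def service_seen_by_cas(redirect):
    """A server decodes the query string exactly once."""
    return parse_qs(urlsplit(redirect).query)["service"][0]


def check(path, root_proxied_as, encode_passes):
    """Return (matches_public_url, service_as_seen_by_cas)."""
    expected = service_url(path, ROOT_PROXIED_AS)
    sent = service_url(path, root_proxied_as)
    seen = service_seen_by_cas(login_redirect(sent, encode_passes))
    return seen == expected, seen


if __name__ == "__main__":
    path = "/index.php?id=7"  # constructed sample request path
    for label, root, passes in [("no CASRootProxiedAs", None, 1),
                                ("CASRootProxiedAs, one encode", ROOT_PROXIED_AS, 1),
                                ("CASRootProxiedAs, two encodes", ROOT_PROXIED_AS, 2)]:
        ok, seen = check(path, root, passes)
        print(f"{label:32} match={ok!s:5} service={seen}")
```

In this model the double-encoded case leaves the CAS server holding a still-percent-encoded string as the service, so it no longer equals the public URL the browser should return to.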
