Hello,

The example below is interesting, but Tomcat does have a native way of supporting this:

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_IP_Valve
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

RemoteIpValve works off the HTTP headers that are provided (or can be provided)
by most reverse proxy set-ups. We use Pound as our reverse proxy and have the
following configuration for Pound. I would imagine something similar can be
done with mod_proxy in Apache HTTPD.
ListenHTTPS
    Address 172.21.12.0
    Port    443
    xHTTP   4
    Cert    "/etc/pound/ourcert.pem"
    HeadRemove "X-Forwarded-For"
    HeadRemove "X-Forwarded-Proto"
    AddHeader  "X-Forwarded-Proto: https"
    Service
        BackEnd
            Address 192.168.53.24
            Port    8080
        End
        BackEnd
            Address 192.168.53.25
            Port    8080
        End
        Session
            Type IP
            TTL  1200
        End
    End
End
The relevant bits are the HeadRemove and the AddHeader. The HeadRemove directives
take out those HTTP headers in case the requesting client is adding them for some
reason. Then, because this listener is for HTTPS, we add the header
"X-Forwarded-Proto: https", which tips Tomcat off that this request is coming in
over HTTPS.

On the Tomcat side we add the following RemoteIpValve settings to the Engine
section of our server.xml configuration.
    <!-- Look at HTTP headers provided by the Reverse Proxies -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto" />
Additionally we modify the AccessLogValve settings and add
requestAttributesEnabled="true", which gives us the correct client IP address in
our Tomcat access logs instead of the reverse proxy IP.
    <!-- Access log processes all example.
         Documentation at: /docs/config/valve.html
         Note: The pattern used is equivalent to using pattern="common" -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b"
           requestAttributesEnabled="true" />
Looking at the mod_proxy documentation, it looks like mod_proxy by default adds the
X-Forwarded-For header "when acting in a reverse-proxy mode".
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

In order to add the X-Forwarded-Proto header it looks like you need to use
mod_headers.
http://httpd.apache.org/docs/2.2/mod/mod_headers.html

I imagine something like the following would work.
<VirtualHost *>
    <Proxy http://127.0.0.1:8080/*>
        Allow from all
    </Proxy>
    <Location /myapp>
        ProxyPass        http://127.0.0.1:8080/myapp
        ProxyPassReverse http://127.0.0.1:8080/myapp
        RequestHeader set X-Forwarded-Proto "https"
    </Location>
</VirtualHost>
http://stackoverflow.com/questions/154441/set-up-an-http-proxy-to-insert-a-header
Thanks,
Jonathan
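As an added illustration, not code from the thread, from Tomcat or from Pound: a Python model of the rules RemoteIpValve applies to X-Forwarded-For and X-Forwarded-Proto, using the default internalProxies ranges documented for the valve (10/8, 192.168/16, 169.254/16, 127/8, 172.16/12) and an empty trustedProxies. It shows why the valve is safe to enable even though the headers are client-controllable, and which case still needs Pound's HeadRemove. The proxy address 192.168.53.1 and the client addresses are made up for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Default internalProxies ranges documented for RemoteIpValve.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "172.16.0.0/12")]


@dataclass
class Request:
    """The parts of a request the valve reads and rewrites."""
    remote_addr: str              # TCP peer address as Tomcat sees it
    headers: Dict[str, str]
    secure: bool = False
    scheme: str = "http"
    server_port: int = 8080
    proxies: List[str] = field(default_factory=list)  # becomes X-Forwarded-By


def _in_any(addr: str, networks) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def remote_ip_valve(req: Request, internal=INTERNAL_PROXIES, trusted=(),
                    remote_ip_header="X-Forwarded-For",
                    protocol_header="X-Forwarded-Proto",
                    https_port=443) -> Request:
    """Apply the valve's rules to req in place and return it."""
    # Rule 1: forwarding headers are only honoured when the TCP peer itself
    # is one of our proxies. A client that reaches :8080 directly with forged
    # headers is left exactly as it arrived.
    if not _in_any(req.remote_addr, internal):
        return req

    hops = [h.strip() for h in req.headers.get(remote_ip_header, "").split(",")
            if h.strip()]
    # Rule 2: walk the chain right to left. The rightmost value was appended by
    # the proxy nearest Tomcat, the leftmost is whatever the client claimed; the
    # first address that is neither internal nor trusted is taken as the client.
    while hops:
        hop = hops.pop()
        if _in_any(hop, internal):
            continue                      # our own proxy: dropped from the chain
        if _in_any(hop, trusted):
            req.proxies.insert(0, hop)    # trusted external proxy: recorded
            continue
        req.remote_addr = hop
        break
    # Anything left of the client address is untrusted and stays in the header.
    req.headers[remote_ip_header] = ", ".join(hops)

    # Rule 3: protocolHeader == "https" flips the request to secure on 443,
    # which is what stops CAS complaining about a non-secure connection.
    if req.headers.get(protocol_header, "").strip().lower() == "https":
        req.secure, req.scheme, req.server_port = True, "https", https_port
    return req


def scenarios() -> Dict[str, Request]:
    """Constructed traffic; 192.168.53.1 is assumed to be Pound's address."""
    return {
        # Pound terminated TLS, removed client-supplied headers, added its own.
        "via_pound": remote_ip_valve(Request(
            "192.168.53.1",
            {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "https"})),
        # Client forged X-Forwarded-For and a proxy that appends (mod_proxy
        # style) added the real address: the rightmost entry wins, the forged
        # value is left behind in the header for the access log to show.
        "forged_then_appended": remote_ip_valve(Request(
            "192.168.53.1",
            {"X-Forwarded-For": "192.0.2.1, 203.0.113.7",
             "X-Forwarded-Proto": "https"})),
        # A proxy that neither removes nor appends passes the forged header
        # through unchanged and the spoof succeeds: this is the case HeadRemove
        # in the Pound config guards against.
        "passed_through": remote_ip_valve(Request(
            "192.168.53.1",
            {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-Proto": "http"})),
        # Client bypassed the proxy and hit :8080 directly with forged headers:
        # the peer is not an internal proxy, so nothing is trusted.
        "direct_to_tomcat": remote_ip_valve(Request(
            "198.51.100.9",
            {"X-Forwarded-For": "127.0.0.1", "X-Forwarded-Proto": "https"})),
    }
```

The "passed_through" case is the reason the proxy must own these headers: the valve cannot distinguish a value the proxy set from one it merely forwarded, so either strip them at the edge (HeadRemove) or make sure the proxy appends rather than copies. Tightening internalProxies to the actual proxy addresses rather than the RFC 1918 default is the other knob worth turning.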
________________________________
From: Theodore F Fisher [[email protected]]
Sent: Friday, June 01, 2012 6:22
To: [email protected]
Subject: RE: [cas-user] Load Balancer SSL Off-Loading
Thanks for sharing that, James. We have the same setup here and I need to bring
up a CAS server soon and need to address that situation. The head start
you've given me will help.
Ted F. Fisher
Server Administrator
323 Hayes Hall
Information Technology Services
Email: [email protected]
Phone: 419.372.1626
From: James Parry [mailto:[email protected]]
Sent: Friday, June 01, 2012 4:31 AM
To: [email protected]
Subject: RE: [cas-user] Load Balancer SSL Off-Loading
Hi,
We use a very similar setup to this.
We also have hardware load balancer doing SSL offloading.
However we use Tomcat to host the CAS instance without any apache and mod_jk.
Tomcat is listening on port 8080 with no SSL.
Then in our Tomcat server.xml we set Tomcat to tell the CAS application that it
is in fact accessed via 443 with SSL (https protocol).
Now whenever CAS requests the URL or items from the servlet container, Tomcat
will pass the values you set instead.
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               proxyPort="443"
               secure="true"
               scheme="https"
               SSLEnabled="false" />
This way CAS then doesn't need to be changed or configured.
James Parry
Senior Software Engineer
MegaNexus Limited
From: Myn Harry [mailto:[email protected]]
Sent: 31 May 2012 21:47
To: [email protected]
Subject: [cas-user] Load Balancer SSL Off-Loading
Hi:
We have an evaluation instance of CAS 3.4.11 up and running; the set-up is:
- SSL URL on load balancer
- Apache on VM, with mod_proxy connections to Tomcat (where CAS is installed)

At the moment, the CAS login page is showing the message: "You are currently
accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In
order to have single sign on work, you MUST log in over HTTPS."

What is the best approach for the message? The connections arriving on Tomcat will
always appear as HTTP as the HTTPS is off-loaded to the load balancer.
Thanks.
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user