The key thing is that the software *thinks* it is running securely, and at 
whatever port it *thinks* it should be at to do so. And you do that by using 
these attributes on the Tomcat connector config:

   proxyPort="443"
   scheme="https"
   secure="true"

It doesn't matter which port you actually have it coming in on, just add the 
above to the Tomcat connector which is actually "receiving/presenting" the 
traffic to your CAS Server. You should be able to make that any random port you 
want, as long as the above are set.

What you are doing with the above is intentionally "fooling" the software to 
think it is running securely. Of course, you should only be doing this if you 
have otherwise assured yourselves that, indeed, the software *will* be running 
securely because of the precautions/config/process around your load balancer 
and the traffic from it to your server. 
This same approach is common with folks running the Shib IdP behind a load 
balancer, and the above sort of settings are similarly needed. 

On Nov 5, 2012, at 12:34 PM, Jason Everling wrote:

> Ok so here is the setup,
> 
> Load Balancer in front of 2 CAS Servers both running Apache2 using mod_jk 
> accessing CAS on port 80 through Apache,
> 
> Load Balancer accepts SSL Connection and proxies the client to the backend 
> web server on port 80
> 
> We have been using HAPROXY and STUNNEL for almost all of our other apps and 
> it works great, I haven't gotten CAS to work because Stunnel terminates the 
> SSL and presents the certificate and connects the client to Apache Port 80 on 
> the backend servers. 
> 
> I'll try adding the config below but our tomcat doesn't listen on 8080 or 8443, 
> they are using the AJP Connector on 8009 and Apache picks up the request and 
> serves up the content.
> 
> Would I add that config in the tomcat xml under the AJP 8009 Connector 
> section?
> 
> On Mon, Nov 5, 2012 at 8:50 AM, Marvin Addison <[email protected]> 
> wrote:
> 
> What if we are using the same type of setup but using Tomcat with the Apache 
> AJP Proxy and not using the standard 8080 and 8443 Tomcat ports? I have 
> tried to do this and when I connect to SSL it connects fine but since we are 
> connecting to port 80 on the backend server through the load balancer CAS 
> keeps saying insecure even though the client's browser is https.
> 
> I'm a bit confused by the mention of AJP and connecting to the back end on 
> port 80. In any case you need to set secure=true on the Tomcat connector 
> element of the container hosting CAS. The requirement for CAS is that 
> request.isSecure() returns true, which would be satisfied by secure=true.  
> See http://tomcat.apache.org/tomcat-7.0-doc/config/http.html and 
> http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html for more information.
> 
> M
> 
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user


--
Michael A. Grady
Senior IAM Consultant, Unicon, Inc.
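
An added example, not part of the original thread and not code from CAS or Tomcat: a small Python check that reads a server.xml and reports whether each Connector carries the proxyPort, scheme and secure values described above, and flags a connector that claims secure="true" without being restricted to an address. The sample XML, the audit_connectors name and the loopback address value are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from the thread): an AJP connector
# on 8009 fronted by Apache/mod_jk, and an HTTP connector left at defaults.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               proxyPort="443" scheme="https" secure="true" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

# Attribute values the thread says the proxied connector needs.
REQUIRED = {"proxyPort": "443", "scheme": "https", "secure": "true"}


def audit_connectors(server_xml):
    """Return {port: [findings]} for every <Connector> in a server.xml string."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        findings = []
        for attr, want in REQUIRED.items():
            got = conn.get(attr)
            if got != want:
                findings.append(f"{attr}={got!r}, expected {want!r}")
        # secure="true" without Tomcat's own TLS means the connector trusts the
        # hop from the proxy; flag it when it is not pinned to an address.
        claims_secure = conn.get("secure") == "true"
        own_tls = conn.get("SSLEnabled") == "true"
        if claims_secure and not own_tls and conn.get("address") is None:
            findings.append("secure=true with no address restriction; "
                            "confirm only the load balancer can reach this port")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

An empty findings list for a port means that connector will make request.isSecure() return true for proxied requests, which is the CAS requirement stated in the thread.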

