We use nginx in front of CAS-protected services at Lafayette. Can you share any details of your setup? Do you have just a single CAS node?
Where does the communication break down? Can you not browse to CAS? Does the redirect to the service fail? Is the service not able to perform the back channel validation?

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: "jieryn" <[email protected]>
To: [email protected]
Sent: Tuesday, April 21, 2015 9:44:11 AM
Subject: Re: [cas-user] CAS && Nginx

I appreciate your patience to detail these answers, but I think I may not have explained myself well.

"I'd like to have nginx be the CAS and SSL endpoint and then proxy all requests to Tomcat."

I mean, I want nginx in front of all my CAS-protected resources. I run CAS inside Tomcat with SSL. I have other applications in other Tomcat instances, also protected by SSL. When everything goes from Tomcat to Tomcat, it's just fine. I want to speed up performance for users by leveraging nginx+spdy support.

I can get nginx working, I can get nginx+spdy working, I can even get nginx+spdy+proxy working for non-CAS protected applications. I can not get nginx working in front of a CAS-protected application.

On Tue, Apr 21, 2015 at 7:33 AM, Jérôme LELEU <[email protected]> wrote:
> Hi,
>
> You just need to run your CAS server on port 8080, using Tomcat or Jetty or
> whatever applications server you want.
>
> A tomcat example (server.xml):
>
> <?xml version='1.0' encoding='utf-8'?>
>
> <Server port="8005" shutdown="SHUTDOWN">
>
>   <Listener className="org.apache.catalina.core.JasperListener" />
>   <Listener
>     className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
>     rmiRegistryPortPlatform="8088"
>     rmiServerPortPlatform="8089"
>     useLocalPorts="false" />
>
>   <Service name="Catalina">
>
>     <Executor
>       name="tomcatThreadPool"
>       namePrefix="tomcat-http--"
>       maxThreads="200"
>       minSpareThreads="30"
>       maxIdleTime="10000" />
>
>     <Connector
>       protocol="org.apache.coyote.http11.Http11NioProtocol"
>       bindOnInit="false"
>       executor="tomcatThreadPool"
>       port="8080"
>       redirectPort="443"
>       enableLookups="false" />
>
>     <Engine name="Catalina" defaultHost="localhost">
>
>       <Valve className="org.apache.catalina.valves.AccessLogValve"
>         directory="${tomcat.logs.directory}/access" prefix="access_log."
>         suffix=".log"
>         pattern="%t | %{X-Forwarded-For}i | %l | %r | %s | %b | %D | %{Referer}i | %{User-Agent}i"
>         resolveHosts="false" fileDateFormat="yyyy-MM-dd.HH" />
>
>       <Host name="localhost" appBase="webapps"
>         unpackWARs="false" autoDeploy="false">
>
>         <Context path="/" docBase="/data/tomcat/mycasserver"
>           reloadable="false" />
>
>       </Host>
>     </Engine>
>   </Service>
> </Server>
>
> Best regards,
> Jérôme
>
>
> 2015-04-21 13:16 GMT+02:00 jieryn <[email protected]>:
>>
>> Thanks, but this doesn't take CAS into account at all....
>>
>> On Apr 21, 2015 02:39, "Jérôme LELEU" <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> I did it successfully and you'll find a lot of resources on internet
>>> about Nginx configuration.
>>> Here is an example:
>>>
>>> server {
>>>
>>>     listen 80;
>>>     listen 443 ssl;
>>>     ssl_certificate /data/nginx/certs/ssl-bundle.crt;
>>>     ssl_certificate_key /data/nginx/certs/private_key_wildcard.key;
>>>     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>>>     ssl_ciphers HIGH:!aNULL:!MD5;
>>>
>>>     server_name your.example.com;
>>>
>>>     error_page 502 504 /error.html;
>>>
>>>     location ~ ^/(error.html) {
>>>         root /data/nginx/www;
>>>     }
>>>
>>>     location / {
>>>         proxy_set_header X-Forwarded-For $remote_addr;
>>>         proxy_set_header X-Forwarded-Host $host;
>>>         proxy_set_header X-Forwarded-Proto $scheme;
>>>         proxy_pass http://localhost:8080/;
>>>         proxy_read_timeout 10s;
>>>         proxy_send_timeout 10s;
>>>     }
>>> }
>>>
>>>
>>> Best regards,
>>> Jérôme
>>>
>>>
>>> 2015-04-21 0:40 GMT+02:00 jieryn <[email protected]>:
>>>>
>>>> Does anyone have this working? In any capacity?
>>>>
>>>> I'd like to have nginx be the CAS and SSL endpoint and then proxy all
>>>> requests to Tomcat.
>>>>
>>>> I have been unsuccessful to even have nginx sit in front of an
>>>> otherwise working CAS-ified application on http/https and just proxy
>>>> everything straight on through.
>>>>
>>>> Any help is appreciated, thanks!
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as:
>>>> [email protected]
>>>> To unsubscribe, change settings or access archives, see
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
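
The second question in the reply at the top of the thread (does the redirect to the service fail?) can be checked from the Location header that the proxied application returns to an unauthenticated browser. The following is an added example, not part of the thread and not code from CAS or its clients: it assumes the standard CAS `service` query parameter, and the CAS login URL, the `/app/` path and both sample headers are constructed; `your.example.com` and `localhost:8080` are taken from the quoted nginx example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample values; only your.example.com and localhost:8080
# appear in the thread (nginx server_name and proxy_pass target).
PUBLIC_BASE = "https://your.example.com"
CAS_LOGIN = "https://cas.example.org/cas/login"   # hypothetical CAS server
GOOD = CAS_LOGIN + "?service=https%3A%2F%2Fyour.example.com%2Fapp%2F"
BAD = CAS_LOGIN + "?service=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F"


def check_cas_redirect(location, public_base=PUBLIC_BASE, cas_login=CAS_LOGIN):
    """Return the problems found in the Location header that a CAS-protected
    application behind the proxy sends to an unauthenticated browser."""
    problems = []
    loc, cas = urlsplit(location), urlsplit(cas_login)
    if (loc.scheme, loc.netloc, loc.path) != (cas.scheme, cas.netloc, cas.path):
        problems.append("redirect does not point at the CAS login URL")
    services = parse_qs(loc.query).get("service", [])
    if len(services) != 1:
        problems.append("expected exactly one service parameter")
        return problems
    # The service URL is where CAS sends the browser back to, and what the
    # application repeats during ticket validation, so it has to be the
    # address the browser used at the proxy, not the backend's own address.
    svc, pub = urlsplit(services[0]), urlsplit(public_base)
    if svc.scheme != pub.scheme:
        problems.append(f"service scheme is {svc.scheme}, browser used {pub.scheme}")
    if svc.netloc.lower() != pub.netloc.lower():
        problems.append(f"service host is {svc.netloc}, browser used {pub.netloc}")
    return problems


if __name__ == "__main__":
    for name, header in (("good", GOOD), ("bad", BAD)):
        print(name, check_cas_redirect(header) or "ok")
```

A non-empty result for the header captured through the proxy means the application is building its service URL from the backend connection rather than from the forwarded scheme and host.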
