Our CAS server is currently a single node and is Apache -> AJP -> Tomcat.  We 
have multi-node CAS deployed in our development and QA environments behind 
nginx, and we are likely to deploy them to production prior to this Summer.

All of our SPs are proxied by nginx, including Zimbra (which has its own nginx 
bundled with it).  Not every SP is Java based, nor does the college host every 
SP.  The SPs that are hosted on site use PHP CAS, Drupal CAS, and the Java CAS 
clients.  We also have Apache with mod_auth_cas deployed in front of some 
services (e.g. Internet2 Grouper, mailman).

Here is the nginx config from our QA environment:

---- START ----
upstream casqa {
  ip_hash;
  server casqa0.dev.lafayette.edu:443;
  server casqa1.dev.lafayette.edu:443;
}

server {
    listen       139.147.166.122:80;
    server_name  casqa.dev.lafayette.edu casqa;
    access_log  /var/log/nginx/casqa.dev.lafayette.edu_access;
    error_log   /var/log/nginx/casqa.dev.lafayette.edu_error;

    location / {
      rewrite ^(.*) https://casqa.lafayette.edu$1 permanent;
    }
}

#
# HTTPS server configuration
#

server {
    listen       139.147.166.122:443;
    server_name  casqa.lafayette.edu casqa;

    access_log  /var/log/nginx/casqa.dev.lafayette.edu_sslaccess;
    error_log   /var/log/nginx/casqa.dev.lafayette.edu_sslerror;

    ssl                  on;
    ssl_certificate      /etc/nginx/ssl.crt/casqa.dev.lafayette.edu.crt;
    ssl_certificate_key  /etc/nginx/ssl.key/casqa.dev.lafayette.edu;
    ssl_trusted_certificate  /etc/nginx/ssl.crt/incommon_sha2_ca_bundle.pem;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    location / {
      proxy_pass        https://casqa;
    }
}
---- END ----

We are using the "ip_hash" directive because the Jasig-CAS server keeps some 
kind of session state (Spring Webflow maybe?) that causes it to not behave 
correctly if a client browser bounces back and forth between nodes.  We use 
Hazelcast on the back end to distribute the ticket store.  Since you are only 
working with single-node, you won't need those setups.

The CAS client configurations generally are no different than if you were 
working with a single CAS server directly.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

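An added example (not from any of the posts in this thread) of the back-channel step the Cas10TicketValidationFilter performs once an application sits behind nginx: the service URL sent to /validate has to be rebuilt from the X-Forwarded-* headers nginx sets, not from the localhost:8080 request Tomcat sees, or it will not match the service the user was redirected with. CAS_BASE, the host names and the opener parameter are assumptions.

```python
import re
import urllib.parse
import urllib.request

# Assumed CAS server base URL (placeholder, not a host from the thread).
CAS_BASE = "https://cas.example.edu/cas"


def build_service_url(headers, path_and_query):
    """Reconstruct the external URL the browser used for this request.

    Behind nginx the app is addressed as http://localhost:8080, so scheme and
    host come from X-Forwarded-Proto / X-Forwarded-Host when present. The
    'ticket' parameter is dropped, as the service URL must be the one used in
    the login redirect, which did not carry a ticket yet.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", "http")
    host = h.get("x-forwarded-host") or h.get("host", "localhost:8080")
    parts = urllib.parse.urlsplit(path_and_query)
    query = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query) if k != "ticket"]
    path = parts.path + ("?" + urllib.parse.urlencode(query) if query else "")
    return f"{scheme}://{host}{path}"


def parse_cas10_response(body):
    """CAS 1.0 /validate answers 'yes\\n<user>\\n' on success, 'no\\n\\n' otherwise."""
    lines = body.splitlines()
    if len(lines) >= 2 and lines[0] == "yes" and lines[1]:
        return lines[1]
    return None


def validate_ticket(service_url, ticket, opener=urllib.request.urlopen):
    """Back-channel validation; returns the username or None.

    'opener' is injectable so the exchange can be exercised without a server.
    """
    # Service tickets are 'ST-...'; refuse anything else before calling out.
    if not re.fullmatch(r"ST-[A-Za-z0-9._-]+", ticket):
        return None
    query = urllib.parse.urlencode({"service": service_url, "ticket": ticket})
    with opener(f"{CAS_BASE}/validate?{query}", timeout=5) as resp:
        return parse_cas10_response(resp.read().decode("utf-8"))
```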

----- Original Message -----
From: "jieryn" <[email protected]>
To: [email protected]
Sent: Tuesday, April 21, 2015 7:27:30 PM
Subject: Re: [cas-user] CAS && Nginx

I have a single CAS node running in Tomcat.
I have multiple applications each running in their own Tomcat as the
root context.

Right now, the user just goes to the applications directly, and Tomcat
serves the entire request. The application uses the
org.jasig.cas.client.authentication.AuthenticationFilter with
org.jasig.cas.client.validation.Cas10TicketValidationFilter defined in
the application web.xml to perform authentication. All http requests
get redirected via web.xml security constraint CONFIDENTIAL to go to
https (plus we use HSTS to help the user for next time). We use Linux
iptables to direct all :80 and :443 to :8080 and :8443 which the
Tomcat instance is bound via non-privileged user. We also use Linux
iptables to restrict all :8080 and :8443 traffic to only be sourced
from the localhost.

I want to introduce nginx on the low ports, :80 and :443, in order to
terminate the SSL and hopefully get the CAS authentication taken care
of, as well as leverage advanced stuff like SPDY/HTTP2. Then just pass
the stripped request through to Tomcat for servicing. I think nginx
needs to be the SSL and CAS endpoint in order to use SPDY in nginx,
but I very well may be wrong, and would like to be shown so.

I have no working setup for nginx + CAS. Can you sanitize and share
your configuration? It would be great..

THANKS!




On Tue, Apr 21, 2015 at 12:07 PM, Waldbieser, Carl
<[email protected]> wrote:
>
> We use nginx in front of CAS-protected services at Lafayette.
> Can you share any details of your setup?
> Do you have just a single CAS node?
>
> Where does the communication break down?  Can you not browse to CAS?  Does 
> the redirect to the service fail?  Is the service not able to perform the 
> back channel validation?
>
> Thanks,
> Carl Waldbieser
> ITS System Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "jieryn" <[email protected]>
> To: [email protected]
> Sent: Tuesday, April 21, 2015 9:44:11 AM
> Subject: Re: [cas-user] CAS && Nginx
>
> I appreciate your patience to detail these answers, but I think I may
> not have explained myself well.
>
> "I'd like to have nginx be the CAS and SSL endpoint and then proxy all
> requests to Tomcat." I mean, I want nginx in front of all my
> CAS-protected resources. I run CAS inside Tomcat with SSL. I have
> other applications in other Tomcat instances, also protected by SSL.
> When everything goes from Tomcat to Tomcat, it's just fine. I want to
> speed up performance for users by leveraging nginx+spdy support. I can
> get nginx working, I can get nginx+spdy working, I can even get
> nginx+spdy+proxy working for non-CAS protected applications.
>
> I can not get nginx working in front of a CAS-protected application.
>
> On Tue, Apr 21, 2015 at 7:33 AM, Jérôme LELEU <[email protected]> wrote:
>> Hi,
>>
>> You just need to run your CAS server on port 8080, using Tomcat or Jetty or
>> whatever applications server you want.
>>
>> A tomcat example (server.xml):
>>
>> <?xml version='1.0' encoding='utf-8'?>
>>
>> <Server port="8005" shutdown="SHUTDOWN">
>>
>>   <Listener className="org.apache.catalina.core.JasperListener" />
>>   <Listener
>> className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
>>     rmiRegistryPortPlatform="8088"
>>     rmiServerPortPlatform="8089"
>>     useLocalPorts="false" />
>>
>>   <Service name="Catalina">
>>
>>     <Executor
>>       name="tomcatThreadPool"
>>       namePrefix="tomcat-http--"
>>       maxThreads="200"
>>       minSpareThreads="30"
>>       maxIdleTime="10000" />
>>
>>     <Connector
>>       protocol="org.apache.coyote.http11.Http11NioProtocol"
>>       bindOnInit="false"
>>       executor="tomcatThreadPool"
>>       port="8080"
>>       redirectPort="443"
>>       enableLookups="false" />
>>
>>     <Engine name="Catalina" defaultHost="localhost">
>>
>>       <Valve className="org.apache.catalina.valves.AccessLogValve"
>> directory="${tomcat.logs.directory}/access" prefix="access_log."
>>         suffix=".log" pattern="%t | %{X-Forwarded-For}i | %l | %r | %s | %b
>> | %D | %{Referer}i | %{User-Agent}i"
>>         resolveHosts="false" fileDateFormat="yyyy-MM-dd.HH" />
>>
>>       <Host name="localhost"  appBase="webapps"
>>             unpackWARs="false" autoDeploy="false">
>>
>>         <Context  path="/" docBase="/data/tomcat/mycasserver"
>> reloadable="false" />
>>
>>       </Host>
>>     </Engine>
>>   </Service>
>> </Server>
>>
>> Best regards,
>> Jérôme
>>
>>
>> 2015-04-21 13:16 GMT+02:00 jieryn <[email protected]>:
>>>
>>> Thanks, but this doesn't take CAS into account at all....
>>>
>>> On Apr 21, 2015 02:39, "Jérôme LELEU" <[email protected]> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I did it successfully and you'll find a lot of resources on internet
>>>> about Nginx configuration.
>>>> Here is an example:
>>>>
>>>> server {
>>>>
>>>>         listen 80;
>>>>         listen 443 ssl;
>>>>         ssl_certificate /data/nginx/certs/ssl-bundle.crt;
>>>>         ssl_certificate_key /data/nginx/certs/private_key_wildcard.key;
>>>>         # SSLv3 is obsolete; modern deployments list only TLS versions here.
>>>>         ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>>>>         ssl_ciphers HIGH:!aNULL:!MD5;
>>>>
>>>>         server_name your.example.com;
>>>>
>>>>         error_page 502 504 /error.html;
>>>>
>>>>         location ~ ^/(error.html) {
>>>>                 root /data/nginx/www;
>>>>         }
>>>>
>>>>         location / {
>>>>                 proxy_set_header X-Forwarded-For $remote_addr;
>>>>                 proxy_set_header X-Forwarded-Host $host;
>>>>                 proxy_set_header X-Forwarded-Proto $scheme;
>>>>                 proxy_pass http://localhost:8080/;
>>>>                 proxy_read_timeout 10s;
>>>>                 proxy_send_timeout 10s;
>>>>         }
>>>> }
>>>>
>>>>
>>>> Best regards,
>>>> Jérôme
>>>>
>>>>
>>>> 2015-04-21 0:40 GMT+02:00 jieryn <[email protected]>:
>>>>>
>>>>> Does anyone have this working? In any capacity?
>>>>>
>>>>> I'd like to have nginx be the CAS and SSL endpoint and then proxy all
>>>>> requests to Tomcat.
>>>>>
>>>>> I have been unsuccessful to even have nginx sit in front of an
>>>>> otherwise working CAS-ified application on http/https and just proxy
>>>>> everything straight on through.
>>>>>
>>>>> Any help is appreciated, thanks!
>>>>>
>>>>> --
>>>>> You are currently subscribed to [email protected] as:
>>>>> [email protected]
>>>>> To unsubscribe, change settings or access archives, see
>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user