I've been struggling with this for a few days and I'm not any closer to a
solution. I am currently serving up CAS through Tomcat using mod_jk and Apache
2.

Everything appears to be configured properly, and the redirect will work (with
the settings below); however, it uses the server name as the redirect URL and
not the hostname specified in the virtual host settings, the defaultHost
settings, and the workers.properties file.

So, here's the setup:
Two virtual hosts, one for 80 and one for 443. Both have the ServerName value
set to the correct URL. The hosts themselves are set to <url>:80 and <url>:443.
Both have the following AJP settings:
JkMount /* ajp13

Only the port 80 host has the following:
JkAutoAlias /opt/apache-tomcat-5.5.20/webapps
Include /opt/apache-tomcat-5.5.20/conf/jk/mod_jk.conf-auto

The workers.properties has the same host specified:
worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=<url>
worker.ajp13.type=ajp13

The server.xml file has the following connectors:
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" 
               enableLookups="false" redirectPort="443" protocol="AJP/1.3" />

In the web.xml in /cas/WEB-INF I have the following:
        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Automatic SSL Forwarding</web-resource-name>
                        <url-pattern>/*</url-pattern>
                </web-resource-collection>
                <user-data-constraint>
                  <transport-guarantee>
                        CONFIDENTIAL
                  </transport-guarantee>
                </user-data-constraint>
        </security-constraint>

Now, the redirect works but, as I said, it doesn't use the <url> specified in
the workers.properties and virtual host ServerName. It uses the actual server
name, which is not the proxied address on the WAN (so it doesn't work
externally). Something tells me that I may be taking a much longer route than
necessary to ensure that all traffic to the /cas/login URL is over HTTPS (I'd
prefer a redirect to an all-out block). So, anyone have any ideas or
suggestions? Sorry for the length of the email.

d.
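For reference, an added example that is not part of the message above: Tomcat's Connector attribute proxyName sets the host that request.getServerName() returns for requests arriving through a proxy, and the CONFIDENTIAL constraint builds its HTTPS redirect from that server name and redirectPort. The hostname cas.example.org is a placeholder, and it is an assumption that the poster's environment behaves the same way.

```xml
<!-- server.xml: AJP connector reached through Apache/mod_jk.
     proxyName is assumed to be the externally visible hostname
     (placeholder); redirectPort is the external HTTPS port, so a
     CONFIDENTIAL redirect becomes https://cas.example.org/cas/login -->
<Connector port="8009" protocol="AJP/1.3"
           enableLookups="false"
           proxyName="cas.example.org"
           redirectPort="443" />

<!-- web.xml (under /cas/WEB-INF): the constraint scoped to the login
     endpoint only, i.e. /cas/login, which is where credentials are
     submitted; /* as in the original forces HTTPS for the whole context -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Login over TLS</web-resource-name>
        <url-pattern>/login</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Requests that arrive at Tomcat already marked secure by mod_jk (the 443 virtual host) are not redirected; only plain HTTP requests to the constrained pattern are.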

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
