Heh.... Of course right after I posted this, I dug into the code and
found out that this appears to be "by design". We had the config setting
CASLocalCacheInsecure set to OFF, which apparently redirects all
requests to the CAS server with the service=https://. If we set it to
ON, it will send all requests as http://.
That will fix the problem that we are seeing since it allows the http
requests through, but it creates an additional bother for those sites
that are https. Now we will get (as far as I can tell):
https request
CAS picks up and sends to CAS server as http
back to CAS client with CAS Ticket and http
CAS validate on the http
Apache sees http so rewrites to https
CAS validate on the rewrite to https
This isn't ideal, but works for our scheme. If only there was a way to
have the best of both worlds. Perhaps I'll check out the new
mod_auth_cas
Dallas
On Tue, 14 Aug 2007, Dallas Wisehaupt wrote:
> I'm seeing something really odd today.
>
> We have a server that hosts multiple domains. For some of those domains
> all traffic is redirected to https. For others, it is not. This all
> works well in practice. However, I want to add CAS authentication to a
> particular domain so that that data will be protected behind a common
> auth. This is where it gets odd.
>
> In the httpd.conf file we have rewrite rules like below:
>
> RewriteCond %{HTTPS} !=on
> RewriteCond %{HTTP_HOST} !=a.scranton.edu
> RewriteCond %{HTTP_HOST} !=b.scranton.edu
> RewriteCond %{HTTP_HOST} !=c.scranton.edu
> RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
>
> So, anything coming to this host that isn't a, b, or c, gets all
> traffic rewritten to the https side.
>
> In the virtual host config for c.scranton.edu we have the following just
> to ensure it isn't getting rewritten:
> RewriteCond %{HTTPS} !=on
> RewriteCond %{HTTP_HOST} !=.scranton.edu
> RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
> RewriteRule ^/(.*) - [PT]
>
> In the rewrite logs, I see the urls getting passed through and not
> rewritten.
>
> Now, if I turn on CAS auth on the cgi-bin directory for c.scranton.edu
> using the following it gets weird:
> <Location /location/>
> AuthType CAS
> AuthName "CAS"
> require valid-user
> </Location>
>
> The rewrite logs show the urls as being passed through as before,
> however, on the CAS server, the service is being advertised as
> https://c.scranton.edu/location/. This causes an issue since the cert
> does not match the domain name for c.scranton.edu and throws a popup.
>
> Now, we have never seen this issue before because all of the sites we
> are protecting with apache/mod_cas are actually running https. So, it is
> entirely possible that it is being masked.
>
> Has anyone else seen this behavior? We are running apache 2.0.52 on RHEL
> 4, with a mod_cas from the Case Western SVN modified to allow larger
> usernames.
>
> Dallas
>
--
Dallas Wisehaupt Senior Systems Administrator
[EMAIL PROTECTED] The University of Scranton
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
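
The trade-off discussed in this thread, as an added example that is not part of the original messages or of mod_cas: a small Python model of the quoted rewrite rule and of the service URL scheme under each CASLocalCacheInsecure setting, following the behaviour as the post describes it. The function names and the host secure.example.edu are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hosts the quoted httpd.conf exempts from the http -> https rewrite.
HTTP_ONLY_HOSTS = {"a.scranton.edu", "b.scranton.edu", "c.scranton.edu"}

def rewrite(url):
    """Model of the quoted RewriteRule: http on a non-exempt host goes to https."""
    u = urlsplit(url)
    if u.scheme == "http" and u.hostname not in HTTP_ONLY_HOSTS:
        return f"https://{u.netloc}{u.path}"
    return url

def service_url(request_url, local_cache_insecure):
    """Service URL as the post describes it: the scheme follows the
    CASLocalCacheInsecure setting, not the scheme of the request."""
    u = urlsplit(request_url)
    scheme = "http" if local_cache_insecure else "https"
    return f"{scheme}://{u.netloc}{u.path}"

def trace(request_url, local_cache_insecure):
    """Return (service URL, ticket validations as listed in the post, problem)."""
    requested = rewrite(request_url)          # URL the browser really uses
    service = service_url(requested, local_cache_insecure)
    landed = rewrite(service)                 # after CAS redirects back
    if urlsplit(requested).scheme == "http" and urlsplit(service).scheme == "https":
        # Setting OFF on an http-only host: the mismatch from the first message.
        return service, 1, "service advertised as https for an http-only host"
    if landed != service:
        # Setting ON on an https host: ticket comes back on http, Apache
        # rewrites to https, and validation runs a second time.
        return service, 2, "ticket returned on http, then validated again on https"
    return service, 1, None

if __name__ == "__main__":
    # Constructed sample requests; secure.example.edu is a hypothetical https host.
    for url in ("http://c.scranton.edu/location/",
                "https://secure.example.edu/location/"):
        for insecure in (False, True):
            setting = "ON" if insecure else "OFF"
            print(url, "CASLocalCacheInsecure", setting, "->", trace(url, insecure))
```
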