David,

The reason that your "Successful" scenario works, I think, is because you have told your browser to accept the cert on https://www.applicationhost.com:8443/application.  When you tell Apache to proxy to that same point, Apache doesn't trust that cert.  This is what I think is happening.

If this is indeed what's happening, why not use the same approach that you have used to have Apache talk to CAS?  Use mod_proxy_ajp, and avoid the performance hit from re-encryption.  If I understand your setup correctly, you don't want anyone to access https://www.applicationhost.com:8443/application with their browsers directly.

If removing reverse proxy is not an option, then either get a signed cert or convince Apache to trust your self-signed cert.

Adam
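To make the two options concrete, here is an httpd.conf fragment I would use for this thread's setup. It is an added example, not configuration from either poster; the hostnames, ports and certificate paths are placeholders standing in for David's real values.

```apache
# Added example (not from the thread): two ways to fix the failing
# "ProxyPass /application https://www.applicationhost.com:8443/..." case.
# Hostnames, ports and file paths below are assumptions.

<VirtualHost *:443>
    ServerName www.apachehost.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/apachehost.crt
    SSLCertificateKeyFile /etc/httpd/ssl/apachehost.key

    # CAS, already working over AJP (no re-encryption on the Apache->JBoss hop).
    ProxyPass        /cas ajp://cas-jboss.internal:8009/cas
    ProxyPassReverse /cas ajp://cas-jboss.internal:8009/cas

    # Option A (Adam's suggestion): proxy the application over AJP as well.
    # The AJP hop is cleartext, so keep it on a trusted network segment and
    # firewall 8009 and 8443 so browsers cannot reach JBoss directly.
    ProxyPass        /application ajp://www.applicationhost.com:8009/application
    ProxyPassReverse /application ajp://www.applicationhost.com:8009/application

    # Option B: keep HTTPS to the backend and make Apache trust Tomcat's cert.
    # SSLProxyEngine is mandatory for any https:// ProxyPass target; without it
    # mod_proxy returns a 500 "Internal Server Error" just like David describes.
    # Export the Tomcat cert with "keytool -exportcert -rfc" and point
    # SSLProxyCACertificateFile at the resulting PEM file.
    #SSLProxyEngine on
    #SSLProxyCACertificateFile /etc/httpd/ssl/applicationhost-tomcat.pem
    #SSLProxyVerify require
    #SSLProxyCheckPeerCN on
    #ProxyPass        /application https://www.applicationhost.com:8443/application
    #ProxyPassReverse /application https://www.applicationhost.com:8443/application
</VirtualHost>
```

Note that the port belongs on the host part of the backend URL (host:8443/path), and that with Option B the cert's CN must match the hostname Apache proxies to or SSLProxyCheckPeerCN will reject it.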

David Whitehurst wrote:
I am unable to get CAS to work in a particular situation and I would like to try to explain the issue to see if anyone has any ideas.  When my installation began Apache was not being used and HTTP was employed only to use CAS on JBoss as an authentication mechanism and SSO was not a concern.  The application architecture consisted of presentation application services on presentation servers and business application services on business servers.  CAS was originally installed on the presentation servers.  Once that was working, Apache was added to provide reverse proxy and hide the service hosts whether they were business server only or if two-part architecture the presentation server.  In either case, the service host was hidden using reverse proxy on the Apache and CAS server at that time.
 
Next, CAS was extracted from the presentation server and placed on an Apache/CAS/JBoss server so that CAS was fully isolated from any application server need.  Then HTTPS was employed.  First, Apache would have a certificate after openSSL created a key and a signing request.  Then, the application (presentation) server would use a signing request created using Java keytool for Tomcat in JBoss.  Reverse proxy does not work.  We get internal server error.
 
If we remove the reverse proxy and use a URL from the application host with the 8443 port, things work fine.  So I'll try to pseudo-diagram the failure configuration and then the successful.  We want to use reverse proxy so that all traffic goes through Apache.
 
Fails:
https://www.apachehost.com Apache->8009 (AJP) ->JBoss (CAS) .... Apache certificate config in httpd.conf
ProxyPass and Reverse /application https://www.applicationhost.com/application:8443 ... Certificate Tomcat configured
 
Successful:
https://www.apachehost.com Apache->8009 (AJP) ->JBoss (CAS) ... Apache certificate config in httpd.conf
Service URL https://www.applicationhost.com:8443/application ... Certificate Tomcat configured
No reverse proxy
 
We want to be able to use https without port number and also hide the URL for the service host.
 
Any suggestions or comments?
 
Thanks,

David
 

_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas


