Re: [cas-user] Mod_auth_cas ServiceTicket
Thanks for the hint & instant responses Ray.
Regards
Ramakrishna G
+91 8792114542
On Sat, Aug 4, 2018 at 1:07 AM, Ray Bon wrote:
> Ramakrishna,
>
> This is what I set on my test machine:
>
> upstream casssl {
> server localhost:8491;
> server localhost:8492 backup;
> }
>
> location /cas {
> proxy_pass https://casssl;
> }
>
>
> The backup means that all requests go through 8491 unless it is down. I
> think there are other ways of setting the load balance.
>
> Is it a failed validation or does the ticket never arrive for validation?
> What are the log messages?
>
> Ray
>
> On Sat, 2018-08-04 at 00:37 +0530, Ramakrishna G wrote:
>
> Ray,
>
> Can you please elaborate this "If you set nginx to be sticky, will
> validation succeed?" Any example for this.
>
> Also in cas logs I could see ticket was not validated when I go through
> NGINX
>
> Thanks
> Ramakrishna G
>
>
> On Fri, Aug 3, 2018 at 11:02 PM, Ray Bon wrote:
>
> Ramakrishna,
>
> This sounds like slow ticket replication. Does redis sentinel have
> multiple stores?
> If you set nginx to be sticky, will validation succeed?
>
> Check your cas logs to see if the ticket is being validated. I think the
> cas client tries to validate the ticket using https.
>
> You could simplify your config:
> location /cas
> {
> proxy_pass http://cas.server/cas
> }
>
> Ray
>
> On Fri, 2018-08-03 at 22:28 +0530, Ramakrishna G wrote:
>
> Hello all,
>
> I am using Mod_auth_cas and HA- Cas server behind a loadbalancer.
>
>
> Whenever I set CASValidateURL to one of the cas servers it works fine. But
> when I send to cas via NGINX server then it says "Unauthorized error" in
> browser.
>
> My Nginx has
>
> location /cas/login
> {
> proxy_pass http://cas_server/cas/login;
> }
>
> location /cas/serviceValidate
> {
> proxy_pass http://cas_server/cas/serviceValidate;
> }
>
> location /secured
> {
> proxy_pass http:// application
> _servers/api/services;
> }
>
>
> My cas.conf has
>
> LoadModule auth_cas_module modules/mod_auth_cas.so
> CASCertificatePath /etc/pki/tls/certs/
> CASCookiePath /var/cache/mod_auth_cas/
> CASLoginURL http://localhost:81/cas/login // Works fine
> CASValidateURL http://localhost:81/cas/serviceValidate // Pointing to
> NGINX
> #CASValidateURL http://localhost:8080/cas/serviceValidate // Pointing to
> one of the cas server - Works fine
> CASDebug On
> LogLevel debug
>
> No error as well. I am not sure where I am going wrong.
>
> Can anyone help please.
>
> Thanks
> Ramakrishna G
>
>
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/ap
> ereo.org/d/msgid/cas-user/1533317546.2860.92.camel%40uvic.ca
>
> .
>
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/1533325036.2860.105.camel%40uvic.ca
>
> .
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGST5P-jWuQQrf%3DL%2BDrgHJ8q5r7Zj-scA7EVHJ86_GEnmOsJUQ%40mail.gmail.com.
Re: [cas-user] Mod_auth_cas ServiceTicket
Ramakrishna,
This is what I set on my test machine:
upstream casssl {
server localhost:8491;
server localhost:8492 backup;
}
location /cas {
proxy_pass https://casssl;
}
The backup means that all requests go through 8491 unless it is down. I think
there are other ways of setting the load balance.
Is it a failed validation or does the ticket never arrive for validation? What
are the log messages?
Ray
On Sat, 2018-08-04 at 00:37 +0530, Ramakrishna G wrote:
Ray,
Can you please elaborate this "If you set nginx to be sticky, will validation
succeed?" Any example for this.
Also in cas logs I could see ticket was not validated when I go through NGINX
Thanks
Ramakrishna G
On Fri, Aug 3, 2018 at 11:02 PM, Ray Bon mailto:r...@uvic.ca>>
wrote:
Ramakrishna,
This sounds like slow ticket replication. Does redis sentinel have multiple
stores?
If you set nginx to be sticky, will validation succeed?
Check your cas logs to see if the ticket is being validated. I think the cas
client tries to validate the ticket using https.
You could simplify your config:
location /cas
{
proxy_pass http://cas.server/cas
}
Ray
On Fri, 2018-08-03 at 22:28 +0530, Ramakrishna G wrote:
Hello all,
I am using Mod_auth_cas and HA- Cas server behind a loadbalancer.
Whenever I set CASValidateURL to one of the cas servers it works fine. But when
I send to cas via NGINX server then it says "Unauthorized error" in browser.
My Nginx has
location /cas/login
{
proxy_pass http://cas_server/cas/login;
}
location /cas/serviceValidate
{
proxy_pass http://cas_server/cas/serviceValidate;
}
location /secured
{
proxy_pass
http://application_servers/api/services;
}
My cas.conf has
LoadModule auth_cas_module modules/mod_auth_cas.so
CASCertificatePath /etc/pki/tls/certs/
CASCookiePath /var/cache/mod_auth_cas/
CASLoginURL http://localhost:81/cas/login // Works fine
CASValidateURL http://localhost:81/cas/serviceValidate // Pointing to NGINX
#CASValidateURL http://localhost:8080/cas/serviceValidate // Pointing to one
of the cas server - Works fine
CASDebug On
LogLevel debug
No error as well. I am not sure where I am going wrong.
Can anyone help please.
Thanks
Ramakrishna G
--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1533317546.2860.92.camel%40uvic.ca.
--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1533325036.2860.105.camel%40uvic.ca.
Re: [cas-user] Mod_auth_cas ServiceTicket
Do you mean to say ip-hash as load balancing mechnaism. I have tried that
as well. But No Luck
Thanks
Ramakrishna G
On Sat, Aug 4, 2018 at 12:37 AM, Ramakrishna G wrote:
> Ray,
>
> Can you please elaborate this "If you set nginx to be sticky, will
> validation succeed?" Any example for this.
>
> Also in cas logs I could see ticket was not validated when I go through
> NGINX
>
> Thanks
> Ramakrishna G
>
>
> On Fri, Aug 3, 2018 at 11:02 PM, Ray Bon wrote:
>
>> Ramakrishna,
>>
>> This sounds like slow ticket replication. Does redis sentinel have
>> multiple stores?
>> If you set nginx to be sticky, will validation succeed?
>>
>> Check your cas logs to see if the ticket is being validated. I think the
>> cas client tries to validate the ticket using https.
>>
>> You could simplify your config:
>> location /cas
>> {
>> proxy_pass http://cas.server/cas
>> }
>>
>> Ray
>>
>> On Fri, 2018-08-03 at 22:28 +0530, Ramakrishna G wrote:
>>
>> Hello all,
>>
>> I am using Mod_auth_cas and HA- Cas server behind a loadbalancer.
>>
>>
>> Whenever I set CASValidateURL to one of the cas servers it works fine.
>> But when I send to cas via NGINX server then it says "Unauthorized error"
>> in browser.
>>
>> My Nginx has
>>
>> location /cas/login
>> {
>> proxy_pass http://cas_server/cas/login;
>> }
>>
>> location /cas/serviceValidate
>> {
>> proxy_pass http://cas_server/cas/serviceValidate;
>> }
>>
>> location /secured
>> {
>> proxy_pass http:// application
>> _servers/api/services;
>> }
>>
>>
>> My cas.conf has
>>
>> LoadModule auth_cas_module modules/mod_auth_cas.so
>> CASCertificatePath /etc/pki/tls/certs/
>> CASCookiePath /var/cache/mod_auth_cas/
>> CASLoginURL http://localhost:81/cas/login // Works fine
>> CASValidateURL http://localhost:81/cas/serviceValidate // Pointing to
>> NGINX
>> #CASValidateURL http://localhost:8080/cas/serviceValidate // Pointing
>> to one of the cas server - Works fine
>> CASDebug On
>> LogLevel debug
>>
>> No error as well. I am not sure where I am going wrong.
>>
>> Can anyone help please.
>>
>> Thanks
>> Ramakrishna G
>>
>>
>>
>> --
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | r...@uvic.ca
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit https://groups.google.com/a/ap
>> ereo.org/d/msgid/cas-user/1533317546.2860.92.camel%40uvic.ca
>>
>> .
>>
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGST5P-LqEhFKkme7fABvcqWkgVQo6RKW-d7TBHUHHrFrZhkDQ%40mail.gmail.com.
Re: [cas-user] Mod_auth_cas ServiceTicket
Ray,
Can you please elaborate this "If you set nginx to be sticky, will
validation succeed?" Any example for this.
Also in cas logs I could see ticket was not validated when I go through
NGINX
Thanks
Ramakrishna G
On Fri, Aug 3, 2018 at 11:02 PM, Ray Bon wrote:
> Ramakrishna,
>
> This sounds like slow ticket replication. Does redis sentinel have
> multiple stores?
> If you set nginx to be sticky, will validation succeed?
>
> Check your cas logs to see if the ticket is being validated. I think the
> cas client tries to validate the ticket using https.
>
> You could simplify your config:
> location /cas
> {
> proxy_pass http://cas.server/cas
> }
>
> Ray
>
> On Fri, 2018-08-03 at 22:28 +0530, Ramakrishna G wrote:
>
> Hello all,
>
> I am using Mod_auth_cas and HA- Cas server behind a loadbalancer.
>
>
> Whenever I set CASValidateURL to one of the cas servers it works fine. But
> when I send to cas via NGINX server then it says "Unauthorized error" in
> browser.
>
> My Nginx has
>
> location /cas/login
> {
> proxy_pass http://cas_server/cas/login;
> }
>
> location /cas/serviceValidate
> {
> proxy_pass http://cas_server/cas/serviceValidate;
> }
>
> location /secured
> {
> proxy_pass http:// application
> _servers/api/services;
> }
>
>
> My cas.conf has
>
> LoadModule auth_cas_module modules/mod_auth_cas.so
> CASCertificatePath /etc/pki/tls/certs/
> CASCookiePath /var/cache/mod_auth_cas/
> CASLoginURL http://localhost:81/cas/login // Works fine
> CASValidateURL http://localhost:81/cas/serviceValidate // Pointing to
> NGINX
> #CASValidateURL http://localhost:8080/cas/serviceValidate // Pointing to
> one of the cas server - Works fine
> CASDebug On
> LogLevel debug
>
> No error as well. I am not sure where I am going wrong.
>
> Can anyone help please.
>
> Thanks
> Ramakrishna G
>
>
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/1533317546.2860.92.camel%40uvic.ca
>
> .
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGST5P9BTNQHqRqeZOqC-3%2Bv0H1-b3xDaMaiitq-87H_iSU_Pw%40mail.gmail.com.
Re: [cas-user] Mod_auth_cas ServiceTicket
Ramakrishna,
This sounds like slow ticket replication. Does redis sentinel have multiple
stores?
If you set nginx to be sticky, will validation succeed?
Check your cas logs to see if the ticket is being validated. I think the cas
client tries to validate the ticket using https.
You could simplify your config:
location /cas
{
proxy_pass http://cas.server/cas
}
Ray
On Fri, 2018-08-03 at 22:28 +0530, Ramakrishna G wrote:
Hello all,
I am using Mod_auth_cas and HA- Cas server behind a loadbalancer.
Whenever I set CASValidateURL to one of the cas servers it works fine. But when
I send to cas via NGINX server then it says "Unauthorized error" in browser.
My Nginx has
location /cas/login
{
proxy_pass http://cas_server/cas/login;
}
location /cas/serviceValidate
{
proxy_pass http://cas_server/cas/serviceValidate;
}
location /secured
{
proxy_pass
http://application_servers/api/services;
}
My cas.conf has
LoadModule auth_cas_module modules/mod_auth_cas.so
CASCertificatePath /etc/pki/tls/certs/
CASCookiePath /var/cache/mod_auth_cas/
CASLoginURL http://localhost:81/cas/login // Works fine
CASValidateURL http://localhost:81/cas/serviceValidate // Pointing to NGINX
#CASValidateURL http://localhost:8080/cas/serviceValidate // Pointing to one
of the cas server - Works fine
CASDebug On
LogLevel debug
No error as well. I am not sure where I am going wrong.
Can anyone help please.
Thanks
Ramakrishna G
--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1533317546.2860.92.camel%40uvic.ca.
