Nick Couchman <[email protected]> wrote (on Thu, Sep 14, 2023,
15:47):

> Please see the following thread:
>
> https://lists.apache.org/thread/hvd23yylm3lr9swkqxghvwlro8nlgg95
>
> The information there is specific to Nginx proxy, but you likely need to
> update your proxy configuration to pass through additional headers that will
> allow the redirect to be generated correctly.  You'll also need to make
> sure the RemoteIpValve is configured in Tomcat.
>
>
OK, no special config is needed in Traefik (nor the `sslheader`
middleware hacks below), but the RemoteIpValve is the point.

When I add the

REMOTE_IP_VALVE_ENABLED: "true"

to the container's environment variable list everything is working fine,
all the X-Forwarded-* headers are parsed and used by Tomcat/guacamole.

Thanks for the tip

Gyula


> -Nick
>
> On Thu, Sep 14, 2023 at 8:19 AM Szabó, Gyula <[email protected]> wrote:
>
>> Hi,
>>
>> I figured out the cause of the problem, but I can't solve it.
>>
>> ```
>> 11:39:26.228 [http-nio-8080-exec-6] ERROR c.onelogin.saml2.authn.SamlResponse
>> - The response was received at
>> http://guacamole.example.com/guacamole/api/ext/saml/callback instead of
>> https://guacamole.example.com/guacamole/api/ext/saml/callback
>> 11:39:26.229 [http-nio-8080-exec-6] WARN  o.a.g.a.s.a.
>> AssertionConsumerServiceResource - Authentication attempted with an
>> invalid SAML response: SAML response did not pass validation: The response
>> was received at
>> http://guacamole.example.com/guacamole/api/ext/saml/callback instead of
>> https://guacamole.example.com/guacamole/api/ext/saml/callback
>> ```
>>
>> The point is the URL protocol scheme: http vs. https.
>>
>> The Assertion Consumption Service is at the
>> https://guacamole.example.com/guacamole/api/ext/saml/callback endpoint,
>> but in the traefik internal service it is at http://guacamole-app:8080
>>
>>
>> Traefik config:
>>
>> ```
>> http:
>>   middlewares:
>>     sslheader:
>>       headers:
>>         customRequestHeaders:
>>           X-Forwarded-Proto: "https,wss"
>>   services:
>>     guacamole-app:
>>       loadBalancer:
>>         servers:
>>         - url: "http://guacamole-app:8080/"
>>   routers:
>>     guacamole-app:
>>       rule: "Host(`guacamole.example.com`) && PathPrefix(`/guacamole`)"
>>       tls:
>>         certResolver: acmeresolver
>>       entryPoints:
>>         - websecure
>>       service: "guacamole-app@file"
>>       middlewares:
>>         - sslheader
>> ```
>>
>> You see I tried to add the X-Forwarded-Proto, but without much success.
>>
>> Is there anybody running this stack with success?
>>
>> How can I configure the guacamole docker container to change the http to
>> https in the request?
>>
>> Thanks a lot.
>>
>> Gyula
>>
>
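
A simplified model of the failure and the fix discussed in this thread, added here as an example; it is not part of the original messages and is not Guacamole or Tomcat code. It shows why the SAML destination check sees `http://` behind a TLS-terminating proxy, and why forwarded headers should only be honoured from the proxy's address. The trusted-proxy range, peer addresses and function names are assumptions.

```python
import re

# Public ACS URL from the thread; the IdP puts it in the response's Destination.
ACS_URL = "https://guacamole.example.com/guacamole/api/ext/saml/callback"
# Constructed: address range of the reverse proxy on the container network.
TRUSTED_PROXY = re.compile(r"172\.18\.0\.\d{1,3}")


def effective_scheme(peer_ip, headers, valve_enabled, connector_scheme="http"):
    """Simplified model of a RemoteIpValve-style decision (not Tomcat's code).

    X-Forwarded-Proto is honoured only when the valve is on AND the TCP peer
    is a trusted proxy; otherwise the connector's own scheme is used.
    """
    if not valve_enabled or not TRUSTED_PROXY.fullmatch(peer_ip):
        return connector_scheme
    proto = headers.get("X-Forwarded-Proto")
    if proto is None:
        return connector_scheme
    return "https" if proto.strip().lower() == "https" else "http"


def check_destination(peer_ip, headers, path, valve_enabled):
    """Rebuild the URL the backend believes it was called on and compare it
    with the Destination, as the SAML check in the log does."""
    scheme = effective_scheme(peer_ip, headers, valve_enabled)
    received = f"{scheme}://{headers['Host']}{path}"
    if received != ACS_URL:
        return False, f"The response was received at {received} instead of {ACS_URL}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request as forwarded by the proxy to http://guacamole-app:8080
    hdrs = {"Host": "guacamole.example.com", "X-Forwarded-Proto": "https"}
    path = "/guacamole/api/ext/saml/callback"
    cases = [("172.18.0.2", False), ("172.18.0.2", True), ("203.0.113.9", True)]
    for peer, valve in cases:
        print(peer, valve, check_destination(peer, hdrs, path, valve))
```
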
