On 04/04/2011 22:28, Jorge Infante Osorio wrote: > Hi Mark. > > -----Mensaje original----- > De: Mark Thomas [mailto:ma...@apache.org] > Enviado el: viernes, 25 de marzo de 2011 12:57 > Para: Tomcat Users List > Asunto: Re: reverse proxy with SSO using CAS. > > On 25/03/2011 16:35, Jorge Infante Osorio wrote: >> I have an issue in reverse proxy with apache, tomcat and SSO using CAS. >> >> The problem is that my reverse proxy work just fine when I use an >> Apache Server as the reverse proxy with two back-end tomcats. >> >> But when the I include SSO with CAS to authenticate the user with >> access to the tomcat servers the internal redirections are missing to >> the users that use the reverse proxy and I don´t know why. >> >> Can anyone have any idea on this? > > Does the reverse proxy modify the URL in anyway? If so how? > > Mark > > > This is my reverse proxy configuration: > **************************************
I removed the commented out lines for clarity. > LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so > LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so > LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so > > LoadFile /usr/lib/libxml2.so > LoadModule proxy_html_module /usr/lib/apache2/modules/mod_proxy_html.so > LoadModule xml2enc_module /usr/lib/apache2/modules/mod_xml2enc.so > > ProxyRequests off > > # the CAS server > ProxyPass /cas-web/ http://casaf.uci.cu:8079/cas-web/ > > #phpCAS client > ProxyPass /cascliente/ http://casaf.uci.cu:80/cascliente/ > #Liferay server > ProxyPass / http://casaf.uci.cu:8080/ > > ProxyPassReverse /cascliente/ http://casaf.uci.cu:80/cascliente/ > ProxyPassReverse /cas-web/ http://casaf.uci.cu:8079/cas-web/ > ProxyPassReverse / http://casaf.uci.cu:8080/ I usually place the ProxyPassReverse line directly below the ProxyPass line so I can check the two match. > ProxyPassReverseCookiePath /cas-web/ http://casaf.uci.cu:8079/cas-web/ This is wrong. It should only contain paths. It should probably be: ProxyPassReverseCookiePath /cas-web / > ProxyHTMLEnable On I always use mod_substitute since that is distributed with httpd. > ProxyHTMLURLMap http://casaf.uci.cu:8079/cas-web /cas-web > ProxyHTMLURLMap http://casaf.uci.cu:8080/ / > ProxyHTMLURLMap http://casaf.uci.cu:80/cascliente /cascliente Those don't look right to me. I'd expect something like: ProxyHTMLURLMap http://casaf.uci.cu:8079 http://<httpdhostname> ProxyHTMLURLMap http://casaf.uci.cu:8080 http://<httpdhostname> ProxyHTMLURLMap http://casaf.uci.cu http://<httpdhostname> > The reverse proxy don´t change the URL. > In this moment I have two problem: > 1. Pass the cookie in the navigator from and application to another. I used > ProxyPassReverseCookiePath with not success. You are looking in the right place. CAS uses both cookies and it also embeds URLs in login pages and if running behind a reverse proxy these can need tweaking. Since you aren't changing the URL paths the changes should be minimal (the ports may need tweaking). Also check the CAS configuration for URLs that need to be tweaked. Work you way through the login process monitoring each request and response with LiveHttpHeaders or Fiddler etc. Check the headers and request/response bodies and fix one stage before you move on to the next. > 2. Use the CAS server with https. I don´t know how configure the proxy > server to do that. Get CAS working first and worry about this later. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
