Dear CAS users,

I have two instances of CAS 4.0.0 in a cluster, with a load balancer in front of them. The balancer has 2 ports open: 8080 for HTTP and 8443 for HTTPS. The nodes have only HTTP open - 8084 - and all traffic from the balancer is forwarded to this port, i.e. HTTPS is terminated on the balancer. I cannot change the balancer configuration, so opening an HTTPS port will do nothing.

With this configuration, I ran into some issues:
- CAS thought it was running on an unsecure port (which was technically correct)
- Some URLs generated by a CAS plugin were incorrect (e.g. http://host:8443/something), the unsecure protocol was mixed with the secure port.

I did some research and found a solution on this mailing list here:
https://groups.google.com/forum/#!topic/jasig-cas-user/woCEKAA-E2w

Now my Tomcat connector config (server.xml) looks like this:

  <Connector port="8084" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443"
             proxyPort="8443"
             scheme="https"
             secure="true" />

The above issues have been resolved but another one has appeared: The login form seems to have stopped working. Any POST of the login form to .../login results in a redirect to the same URL, using GET. No ticket-granting ticket is created and nothing is written to the log, neither an audit record nor an error. The redirected URL simply displays the login form again.

Here are HTTP headers of the original POST request:

  Accept           text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding  gzip, deflate
  Accept-Language  en-US,en;q=0.5
  Connection       keep-alive
  Cookie           JSESSIONID=716D5C355EEAEA402CD3C74DB65256C9; s_nr=1408087372966-Repeat; s_lv=1408087372966; _ga=GA1.2.963000228.1404480273; s_vnum=1410007455210%26vn%3D4
  Host             qacas4.idc.com:8443
  Referer          https://my-balancer-host-name:8443/cas/login
  User-Agent       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

Parameters of the POST:

  _eventId   submit
  execution  e4s1
  lt         LT-4-anbT64BEcaWOZJdfEejhYbfAzV1X9j-idc-cas-4
  password   Mellon
  submit     LOGIN
  username   casuser

And the response:

  Cache-Control   no-cache, no-store
  Content-Length  0
  Date            Fri, 22 Aug 2014 14:25:24 GMT
  Expires         Thu, 01 Jan 1970 00:00:00 GMT
  Location        https://my-balancer-host-name:8443/cas/login
  Pragma          no-cache
  Server          Apache-Coyote/1.1
  Set-Cookie      JSESSIONID=A9FB2F64E0A5A9167BCEDC60C4DFAC3F; Path=/cas/; Secure; HttpOnly

Has anybody successfully deployed CAS 4.0.0 in a cluster behind a load balancer with a similar configuration? If yes, did you run into the same issues? It looks like something inside CAS (maybe a security check or so) is preventing the ticket from being created. Maybe this feature is new in CAS 4 and my connector configuration would work fine with CAS 3, I don't know.

Thank you very much for your replies!

Best Regards,
Jarda

--------------------------------------------------
Jaroslav Kačer
IDC | Application Developer
Phone: +420723914123
Mail: jka...@idc.com
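
A check that can be run on the exchange quoted above, as an added example that is not part of the original post: it compares the session cookie the browser sent with the one the node issued, and the Host header with the redirect target, and flags where they disagree. The `diagnose` helper and its finding names are hypothetical; the header values are copied from the post, with the request Cookie shortened to JSESSIONID.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Header values copied from the post (request Cookie shortened to JSESSIONID).
REQUEST = {
    "Host": "qacas4.idc.com:8443",
    "Referer": "https://my-balancer-host-name:8443/cas/login",
    "Cookie": "JSESSIONID=716D5C355EEAEA402CD3C74DB65256C9",
}
RESPONSE = {
    "Location": "https://my-balancer-host-name:8443/cas/login",
    "Set-Cookie": "JSESSIONID=A9FB2F64E0A5A9167BCEDC60C4DFAC3F; Path=/cas/; Secure; HttpOnly",
}

def jsessionid(header_value):
    """Return the JSESSIONID morsel from a Cookie/Set-Cookie value, or None."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    return cookie.get("JSESSIONID")

def diagnose(request, response):
    """List the mismatches between a login POST and its redirect response."""
    findings = []
    sent = jsessionid(request.get("Cookie", ""))
    issued = jsessionid(response.get("Set-Cookie", ""))
    # A different id in Set-Cookie means the node opened a new session
    # instead of continuing the one the form was rendered in.
    if sent is not None and issued is not None and sent.value != issued.value:
        findings.append("session-replaced")
    # The redirect target should name the same host:port the client addressed.
    location = urlsplit(response.get("Location", ""))
    if location.netloc and location.netloc != request.get("Host"):
        findings.append("host-mismatch")
    # With scheme="https" on the connector, redirects should stay on https.
    referer = urlsplit(request.get("Referer", ""))
    if location.scheme and referer.scheme and location.scheme != referer.scheme:
        findings.append("scheme-mismatch")
    # With secure="true" on the connector, the session cookie should carry Secure.
    if issued is not None and not issued["secure"]:
        findings.append("cookie-not-secure")
    return findings

if __name__ == "__main__":
    print(diagnose(REQUEST, RESPONSE))
```

On the quoted exchange it reports `session-replaced` and `host-mismatch`: the response issues a new JSESSIONID rather than continuing the one sent with the POST, and the Host header names a different host than the Location redirect.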