I have a single CAS node running in Tomcat. I have multiple applications each running in their own Tomcat as the root context.
Right now, the user just goes to the applications directly, and Tomcat serves the entire request. The application uses the org.jasig.cas.client.authentication.AuthenticationFilter with org.jasig.cas.client.validation.Cas10TicketValidationFilter defined in the application web.xml to perform authentication. All http requests get redirected via the web.xml security constraint CONFIDENTIAL to go to https (plus we use HSTS to help the user next time).

We use Linux iptables to direct all :80 and :443 traffic to :8080 and :8443, which the Tomcat instance binds as a non-privileged user. We also use Linux iptables to restrict all :8080 and :8443 traffic to be sourced only from localhost.

I want to introduce nginx on the low ports, :80 and :443, in order to terminate the SSL and hopefully get the CAS authentication taken care of, as well as leverage advanced stuff like SPDY/HTTP2. Then just pass the stripped request through to Tomcat for servicing. I think nginx needs to be the SSL and CAS endpoint in order to use SPDY in nginx, but I very well may be wrong, and would like to be shown so.

I have no working setup for nginx + CAS. Can you sanitize and share your configuration? It would be great. THANKS!

On Tue, Apr 21, 2015 at 12:07 PM, Waldbieser, Carl <waldb...@lafayette.edu> wrote:
>
> We use nginx in front of CAS-protected services at Lafayette.
> Can you share any details of your setup?
> Do you have just a single CAS node?
>
> Where does the communication break down? Can you not browse to CAS? Does the redirect to the service fail? Is the service not able to perform the back channel validation?
>
> Thanks,
> Carl Waldbieser
> ITS System Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "jieryn" <jie...@gmail.com>
> To: cas-user@lists.jasig.org
> Sent: Tuesday, April 21, 2015 9:44:11 AM
> Subject: Re: [cas-user] CAS && Nginx
>
> I appreciate your patience to detail these answers, but I think I may not have explained myself well.
>
> "I'd like to have nginx be the CAS and SSL endpoint and then proxy all requests to Tomcat." I mean, I want nginx in front of all my CAS-protected resources. I run CAS inside Tomcat with SSL. I have other applications in other Tomcat instances, also protected by SSL. When everything goes from Tomcat to Tomcat, it's just fine. I want to speed up performance for users by leveraging nginx+spdy support. I can get nginx working, I can get nginx+spdy working, I can even get nginx+spdy+proxy working for non-CAS-protected applications.
>
> I cannot get nginx working in front of a CAS-protected application.
>
> On Tue, Apr 21, 2015 at 7:33 AM, Jérôme LELEU <lel...@gmail.com> wrote:
>> Hi,
>>
>> You just need to run your CAS server on port 8080, using Tomcat or Jetty or whatever application server you want.
>>
>> A tomcat example (server.xml):
>>
>> <?xml version='1.0' encoding='utf-8'?>
>>
>> <Server port="8005" shutdown="SHUTDOWN">
>>
>>   <Listener className="org.apache.catalina.core.JasperListener" />
>>   <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
>>             rmiRegistryPortPlatform="8088"
>>             rmiServerPortPlatform="8089"
>>             useLocalPorts="false" />
>>
>>   <Service name="Catalina">
>>
>>     <Executor name="tomcatThreadPool"
>>               namePrefix="tomcat-http--"
>>               maxThreads="200"
>>               minSpareThreads="30"
>>               maxIdleTime="10000" />
>>
>>     <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>>                bindOnInit="false"
>>                executor="tomcatThreadPool"
>>                port="8080"
>>                redirectPort="443"
>>                enableLookups="false" />
>>
>>     <Engine name="Catalina" defaultHost="localhost">
>>
>>       <Valve className="org.apache.catalina.valves.AccessLogValve"
>>              directory="${tomcat.logs.directory}/access" prefix="access_log."
>>              suffix=".log" pattern="%t | %{X-Forwarded-For}i | %l | %r | %s | %b | %D | %{Referer}i | %{User-Agent}i"
>>              resolveHosts="false" fileDateFormat="yyyy-MM-dd.HH" />
>>
>>       <Host name="localhost" appBase="webapps"
>>             unpackWARs="false" autoDeploy="false">
>>
>>         <Context path="/" docBase="/data/tomcat/mycasserver"
>>                  reloadable="false" />
>>
>>       </Host>
>>     </Engine>
>>   </Service>
>> </Server>
>>
>> Best regards,
>> Jérôme
>>
>>
>> 2015-04-21 13:16 GMT+02:00 jieryn <jie...@gmail.com>:
>>>
>>> Thanks, but this doesn't take CAS into account at all....
>>>
>>> On Apr 21, 2015 02:39, "Jérôme LELEU" <lel...@gmail.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I did it successfully and you'll find a lot of resources on the internet about Nginx configuration.
>>>> Here is an example:
>>>>
>>>> server {
>>>>
>>>>   listen 80;
>>>>   listen 443 ssl;
>>>>   ssl_certificate /data/nginx/certs/ssl-bundle.crt;
>>>>   ssl_certificate_key /data/nginx/certs/private_key_wildcard.key;
>>>>   ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>>>>   ssl_ciphers HIGH:!aNULL:!MD5;
>>>>
>>>>   server_name your.example.com;
>>>>
>>>>   error_page 502 504 /error.html;
>>>>
>>>>   location ~ ^/(error.html) {
>>>>     root /data/nginx/www;
>>>>   }
>>>>
>>>>   location / {
>>>>     proxy_set_header X-Forwarded-For $remote_addr;
>>>>     proxy_set_header X-Forwarded-Host $host;
>>>>     proxy_set_header X-Forwarded-Proto $scheme;
>>>>     proxy_pass http://localhost:8080/;
>>>>     proxy_read_timeout 10s;
>>>>     proxy_send_timeout 10s;
>>>>   }
>>>> }
>>>>
>>>>
>>>> Best regards,
>>>> Jérôme
>>>>
>>>>
>>>> 2015-04-21 0:40 GMT+02:00 jieryn <jie...@gmail.com>:
>>>>>
>>>>> Does anyone have this working? In any capacity?
>>>>>
>>>>> I'd like to have nginx be the CAS and SSL endpoint and then proxy all requests to Tomcat.
>>>>>
>>>>> I have been unsuccessful in even getting nginx to sit in front of an otherwise working CAS-ified application on http/https and just proxy everything straight on through.
>>>>>
>>>>> Any help is appreciated, thanks!
>>>>>
>>>>> --
>>>>> You are currently subscribed to cas-user@lists.jasig.org as:
>>>>> lel...@gmail.com
>>>>> To unsubscribe, change settings or access archives, see
>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
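A hardened version of the reverse-proxy setup discussed in this thread, added here as an illustrative example and not any participant's posted configuration: nginx terminates TLS on :443 with HTTP/2 (SPDY was removed from nginx in 1.9.5), sends :80 to HTTPS, forwards the headers the Jasig CAS client needs to reconstruct the public service URL, and proxies to the Tomcat connector on 127.0.0.1:8080 that the thread's iptables rules already restrict to localhost, while the AuthenticationFilter and Cas10TicketValidationFilter stay in the application's web.xml. The host name and certificate paths are placeholders, and nginx >= 1.13 is assumed for TLSv1.3.

```nginx
# Added example, not from the thread. Assumes nginx >= 1.13 and a Tomcat
# connector on 127.0.0.1:8080; your.example.com and the cert paths are
# placeholders.

# Plain HTTP only redirects to HTTPS; nothing is proxied here, so no CAS
# ticket or session cookie ever travels in clear text.
server {
    listen 80;
    server_name your.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name your.example.com;

    ssl_certificate     /etc/nginx/certs/your.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/your.example.com.key;
    # The quoted example still enables SSLv3 (POODLE) and TLS 1.0/1.1;
    # offer only TLS 1.2 and 1.3 with forward-secret AEAD suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # HSTS, which the thread already relies on; "always" covers error pages.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Host must be the public name: the CAS client derives the "service"
        # parameter from the request it sees, and the ticket it validates
        # must name exactly that URL. nginx's default would send 127.0.0.1:8080.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_http_version 1.1;
        proxy_pass http://127.0.0.1:8080;   # no trailing slash: URI passed as-is
        proxy_read_timeout 10s;
        proxy_send_timeout 10s;
    }
}
```

On the Tomcat side, add `<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" />` inside `<Engine>` so proxied requests report scheme https (the valve honours these headers only from its internalProxies, which by default include 127.0.0.1): that stops the web.xml CONFIDENTIAL constraint from redirecting every proxied request in a loop and makes the CAS client's computed service URL match the public one. Setting the AuthenticationFilter's `serverName` init-param to `https://your.example.com` is the alternative for the service URL, but does not by itself satisfy the CONFIDENTIAL constraint.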