Problem attempting to use Apache 2.2 mod_proxy_http and mod_shib w/ShibUseHeaders simultaneously
Steve Siirila
sfs at umn.edu
Wed Jan 25 21:26:49 GMT 2012

As the subject describes, we are having a problem when attempting to use
mod_shib w/ShibUseHeaders in conjunction with mod_proxy_http (proxying to a
non-apache web service listening on localhost).

The application running on localhost sees the following HTTP headers in
response to a GET and a POST request when NOT using "ShibUseHeaders" ('###'
and xxx.yyy used below to mask potentially private data):

Jan 25 11:35:46 [14013] HTTP GET request, URL: /session/###
Jan 25 11:35:46 [14013] Header: accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Jan 25 11:35:46 [14013] Header: accept-language: en-us,en;q=0.5
Jan 25 11:35:46 [14013] Header: x-forwarded-server: #####.umn.edu
Jan 25 11:35:46 [14013] Header: user-agent: Mozilla/5.0 (Windows NT 6.1;
WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Jan 25 11:35:46 [14013] Header: connection: Keep-Alive
Jan 25 11:35:46 [14013] Header: referer: https://#####.umn.edu/session/###
Jan 25 11:35:46 [14013] Header: host: localhost
Jan 25 11:35:46 [14013] Header: accept-encoding: gzip, deflate
Jan 25 11:35:46 [14013] Header: x-forwarded-host: #####.umn.edu
Jan 25 11:35:46 [14013] Header: dnt: 1
Jan 25 11:35:46 [14013] Header: cookie: testuser=###; umnAuthV2=###;
_shibsession_###=_###
Jan 25 11:35:46 [14013] Header: x-forwarded-for: 63.231.xxx.yyy
Jan 25 11:35:46 [14013] Header: accept-charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7
Jan 25 11:35:49 [14054] HTTP POST request, URL: /session/###
Jan 25 11:35:49 [14054] Header: accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Jan 25 11:35:49 [14054] Header: accept-language: en-us,en;q=0.5
Jan 25 11:35:49 [14054] Header: content-type:
application/x-www-form-urlencoded
Jan 25 11:35:49 [14054] Header: x-forwarded-server: ###.umn.edu
Jan 25 11:35:49 [14054] Header: user-agent: Mozilla/5.0 (Windows NT 6.1;
WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Jan 25 11:35:49 [14054] Header: connection: Keep-Alive
Jan 25 11:35:49 [14054] Header: referer: https://###.umn.edu/session/###
Jan 25 11:35:49 [14054] Header: content-length: 54
Jan 25 11:35:49 [14054] Header: host: localhost
Jan 25 11:35:49 [14054] Header: accept-encoding: gzip, deflate
Jan 25 11:35:49 [14054] Header: x-forwarded-host: ###.umn.edu
Jan 25 11:35:49 [14054] Header: cookie: testuser=###; umnAuthV2=###;
_shibsession_###=_###
Jan 25 11:35:49 [14054] Header: x-forwarded-for: 63.231.xxx.yyy
Jan 25 11:35:49 [14054] Header: accept-charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7

However, adding the single configuration line "ShibUseHeaders on" causes a
different set of HTTP headers to be seen on the same GET and POST requests:

Jan 25 11:34:32 [13946] HTTP GET request, URL: /session/###
Jan 25 11:34:32 [13946] Header: accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Jan 25 11:34:32 [13946] Header: accept-language: en-us,en;q=0.5
Jan 25 11:34:32 [13946] Header: user-agent: Mozilla/5.0 (Windows NT 6.1;
WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Jan 25 11:34:32 [13946] Header: referer: https://###.umn.edu/session/###
Jan 25 11:34:32 [13946] Header: shib-session-id: _###
Jan 25 11:34:32 [13946] Header: host: localhost
Jan 25 11:34:32 [13946] Header: shib-authncontext-class:
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
Jan 25 11:34:32 [13946] Header: shib-session-index: ###
Jan 25 11:34:32 [13946] Header: accept-encoding: gzip, deflate
Jan 25 11:34:32 [13946] Header: shib-authentication-instant:
2012-01-25T17:28:47.860Z
Jan 25 11:34:32 [13946] Header: shib-authentication-method:
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
Jan 25 11:34:32 [13946] Header: shib-identity-provider: https://###.
umn.edu/idp/###
Jan 25 11:34:32 [13946] Header: dnt: 1
Jan 25 11:34:32 [13946] Header: cookie: testuser=###; umnAuthV2=###;
_shibsession_###=_###
Jan 25 11:34:32 [13946] Header: accept-charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7
Jan 25 11:34:35 [14006] HTTP POST request, URL: /session/###
Jan 25 11:34:35 [14006] Header: accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Jan 25 11:34:35 [14006] Header: accept-language: en-us,en;q=0.5
Jan 25 11:34:35 [14006] Header: content-type:
application/x-www-form-urlencoded
Jan 25 11:34:35 [14006] Header: user-agent: Mozilla/5.0 (Windows NT 6.1;
WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Jan 25 11:34:35 [14006] Header: referer: https://###.umn.edu/session/###
Jan 25 11:34:35 [14006] Header: shib-session-id: _###
Jan 25 11:34:35 [14006] Header: host: localhost
Jan 25 11:34:35 [14006] Header: shib-authncontext-class:
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
Jan 25 11:34:35 [14006] Header: shib-session-index: ###
Jan 25 11:34:35 [14006] Header: accept-encoding: gzip, deflate
Jan 25 11:34:35 [14006] Header: shib-authentication-instant:
2012-01-25T17:28:47.860Z
Jan 25 11:34:35 [14006] Header: shib-authentication-method:
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
Jan 25 11:34:35 [14006] Header: shib-identity-provider: https://###.
shib.umn.edu/idp/###
Jan 25 11:34:35 [14006] Header: cookie: testuser=###; umnAuthV2=###;
_shibsession_###=_###
Jan 25 11:34:35 [14006] Header: accept-charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7
Jan 25 11:34:35 [14006] Invalid https request: POST /session/###

What you can see from the above is that the following headers ARE NO LONGER
PRESENT AS THEY SHOULD BE (while additional Shib-related headers do get
added as seen above):

GET:
x-forwarded-server: #####.umn.edu
connection: Keep-Alive
x-forwarded-host: #####.umn.edu
x-forwarded-for: 63.231.xxx.yyy
POST:
x-forwarded-server: ###.umn.edu
connection: Keep-Alive
content-length: 54
x-forwarded-host: ###.umn.edu
x-forwarded-for: 63.231.xxx.yyy

It is the lack of the 'content-length' header in particular that our
application complains about on the POST request. However, the application
will also be needing additional Shib-specific headers (locally-defined
attributes) that are also not getting passed. Additionally, the
x-forwarded-* headers go missing as well as the 'connection' header. What
could be stripping these headers upon turning on ShibUseHeaders? I assume
ShibSP is doing this.

Does anyone run a proxy that is Shib-protected? Are you using
ShibUseHeaders? We are running Apache 2.2 and ShibSP 2.4.3.
Thanks in advance for any assistance you can provide!
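
An added example, not part of the original post: a Python helper that parses two captures in the backend log format shown above (rejoining mail-wrapped header values) and reports, per request, which headers were dropped and which were added. The sample logs, host names and addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples in the log format shown in the post (all values invented).
BASELINE = """\
Jan 25 11:35:49 [14054] HTTP POST request, URL: /session/1
Jan 25 11:35:49 [14054] Header: content-type:
application/x-www-form-urlencoded
Jan 25 11:35:49 [14054] Header: x-forwarded-server: proxy.example.edu
Jan 25 11:35:49 [14054] Header: connection: Keep-Alive
Jan 25 11:35:49 [14054] Header: content-length: 54
Jan 25 11:35:49 [14054] Header: x-forwarded-for: 192.0.2.10
"""
WITH_SHIB = """\
Jan 25 11:34:35 [14006] HTTP POST request, URL: /session/1
Jan 25 11:34:35 [14006] Header: content-type:
application/x-www-form-urlencoded
Jan 25 11:34:35 [14006] Header: shib-session-id: _abc
Jan 25 11:34:35 [14006] Invalid https request: POST /session/1
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \[(\d+)\] (.*)$")
REQ = re.compile(r"^HTTP (\w+) request, URL: (\S+)")

def parse(log):
    """Return {(method, url): {header: value}}, rejoining wrapped values."""
    reqs, cur, last = {}, None, None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:                       # no timestamp: continuation of a wrapped value
            if cur is not None and last:
                cur[last] = (cur[last] + " " + raw.strip()).strip()
            continue
        body = m.group(2)
        r = REQ.match(body)
        if r:                           # start of a new request
            cur, last = reqs.setdefault((r.group(1), r.group(2)), {}), None
        elif body.startswith("Header: ") and cur is not None:
            name, _, value = body[8:].partition(":")
            last = name.strip().lower()
            cur[last] = value.strip()
        else:
            last = None                 # any other log line ends the current header
    return reqs

def diff(before, after):
    """Per request: (headers dropped, headers added) between two captures."""
    a, b = parse(before), parse(after)
    return {k: (sorted(a[k].keys() - b[k].keys()), sorted(b[k].keys() - a[k].keys()))
            for k in a.keys() & b.keys()}
```

Calling `diff(BASELINE, WITH_SHIB)` on real captures taken with and without "ShibUseHeaders on" gives the dropped/added lists directly, without comparing the logs by eye.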