Problem attempting to use Apache 2.2 mod_proxy_http and mod_shib w/ShibUseHeaders simultaneously

Steve Siirila sfs at umn.edu
Thu Jan 26 00:32:59 GMT 2012


On Wed, Jan 25, 2012 at 5:36 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> > It is the lack of the 'content-length' header in particular that our
> > application complains about on the POST request.  However, the
> > application will also be needing additional Shib-specific headers
> > (locally-defined attributes) that are also not getting passed.
> > Additionally, the x-forwarded-* headers go missing as well as the
> > 'connection' header.  What could be stripping these headers upon
> > turning on ShibUseHeaders?  I assume ShibSP is doing this.
>
> It's not. The SP has no involvement in this whatsoever. It sets the
> request headers on the Apache request object. After that, anything that
> happens is the Apache handler that actually serves the request.
>

Sorry, I specifically meant the Apache mod_shib module -- which is bundled
in my "ShibSP" software.

>
> > Does anyone run a proxy that is Shib-protected?  Are you using
> > ShibUseHeaders?  We are running Apache 2.2 and ShibSP 2.4.3.
>
> I believe we have one in front of a Tomcat server, but I don't know if any
> of those headers are "missing" or any other details, just that they did it.
> I don't know if the proxy end needs the headers option or if it just sets
> them for the proxied hop directly based on environment variables.
>
Care to share your Apache configuration -- in particular, the Shib- and
Proxy-related lines?  Here's what I'm using in case anyone sees something
obviously wrong (I've pared it down a lot):

Listen 160.94.xxx.yyy:80
Listen 160.94.xxx.yyy:443
Listen 160.94.xxx.yyy:4443

LoadModule log_config_module libexec/mod_log_config.so
LoadModule ssl_module libexec/mod_ssl.so
LoadModule mod_shib /opt/shibboleth-sp/lib/shibboleth/mod_shib_22.so
LoadModule rewrite_module libexec/mod_rewrite.so
LoadModule proxy_module libexec/mod_proxy.so
LoadModule proxy_http_module libexec/mod_proxy_http.so

SSLProxyEngine On
ProxyPass / https://localhost/
ProxyPassReverse / https://localhost

<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
    require valid-user
</Location>

ServerTokens Full
ServerSignature On

SSLRandomSeed connect builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLPassPhraseDialog  builtin
SSLSessionCache        shmcb:/var/opt/apache/...
SSLSessionCacheTimeout  300
SSLMutex  file:/var/opt/apache/...
SSLEngine on
SSLCipherSuite HIGH:MEDIUM:!SSLv2:!ADH:!NULL
SSLCertificateFile /etc/opt/apache/.../srv.crt
SSLCertificateKeyFile /etc/opt/apache/.../srv.key

<VirtualHost _default_:80>
    CustomLog /var/opt/apache/.../access-80 combined
    ErrorLog /var/opt/apache/.../errors-80
    SSLEngine off
    RewriteEngine On
    RewriteRule ^/ https://###.umn.edu [L,R]
</VirtualHost>

<VirtualHost _default_:4443>
    CustomLog /var/opt/apache/.../access-4443 combined
    ErrorLog /var/opt/apache/.../errors-4443
    SSLEngine on
</VirtualHost>
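
One way to pin down which headers disappear when ShibUseHeaders is switched on, added here as an example and not part of the original message or of the Shibboleth software: it compares two raw requests as received by the proxied backend, one per setting. Both captures and the attribute header name example-attr are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample: the POST as the backend sees it with ShibUseHeaders Off.
CAPTURE_OFF = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Content-Length: 7\r\n"
    b"X-Forwarded-For: 192.0.2.10\r\n"
    b"X-Forwarded-Host: app.example.edu\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"a=1&b=2"
)
# Constructed sample: the same POST with ShibUseHeaders On, mirroring the report.
CAPTURE_ON = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"\r\n"
    b"a=1&b=2"
)
# Headers the application needs; "example-attr" is a hypothetical attribute header.
EXPECTED = ["content-length", "connection", "x-forwarded-*", "example-attr"]


def parse_headers(raw: bytes) -> dict:
    """Return {lower-cased name: [values]} from the header block of a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the request line
        name, sep, value = line.partition(":")
        if sep and name and not name[0].isspace():  # skip folded or garbled lines
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def header_diff(off_raw: bytes, on_raw: bytes, expected: list) -> dict:
    """Diff the two captures and check the expected names against the On capture."""
    off, on = parse_headers(off_raw), parse_headers(on_raw)
    return {
        "dropped": sorted(set(off) - set(on)),
        "added": sorted(set(on) - set(off)),
        "expected_missing": [p for p in expected if not any(fnmatchcase(n, p) for n in on)],
    }


if __name__ == "__main__":
    for key, names in header_diff(CAPTURE_OFF, CAPTURE_ON, EXPECTED).items():
        print(f"{key}: {', '.join(names) or '-'}")
```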