Problem attempting to use Apache 2.2 mod_proxy_http and mod_shib w/ShibUseHeaders simultaneously

Steve Siirila sfs at
Thu Jan 26 00:32:59 GMT 2012

On Wed, Jan 25, 2012 at 5:36 PM, Cantor, Scott <cantor.2 at> wrote:

> > It is the lack of the 'content-length' header in particular that our
> > application complains about on the POST request.  However, the
> > application will also be needing additional Shib-specific headers
> > (locally-defined attributes) that are also not getting passed.
> > Additionally, the x-forwarded-* headers go missing as well as the
> > 'connection' header.  What could be stripping these headers upon
> > turning on ShibUseHeaders?  I assume ShibSP is doing this.
>
> It's not. The SP has no involvement in this whatsoever. It sets the
> request headers on the Apache request object. After that, anything that
> happens is the Apache handler that actually serves the request.

Sorry, I specifically meant the Apache mod_shib module -- which is bundled
in my "ShibSP" software.

> > Does anyone run a proxy that is Shib-protected?  Are you using
> > ShibUseHeaders?  We are running Apache 2.2 and ShibSP 2.4.3.
>
> I believe we have one in front of a Tomcat server, but I don't know if any
> of those headers are "missing" or any other details, just that they did it.
> I don't know if the proxy end needs the headers option or if it just sets
> them for the proxied hop directly based on environment variables.

Care to share your Apache configuration -- in particular, the Shib- and
Proxy-related lines?  Here's what I'm using in case anyone sees something
obviously wrong (I've pared it down a lot):


LoadModule log_config_module libexec/
LoadModule ssl_module libexec/
LoadModule mod_shib /opt/shibboleth-sp/lib/shibboleth/
LoadModule rewrite_module libexec/
LoadModule proxy_module libexec/
LoadModule proxy_http_module libexec/

SSLProxyEngine On
ProxyPass / https://localhost/
ProxyPassReverse / https://localhost

<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibUseHeaders On
    require valid-user
</Location>

ServerTokens Full
ServerSignature On

SSLRandomSeed connect builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLPassPhraseDialog  builtin
SSLSessionCache        shmcb:/var/opt/apache/...
SSLSessionCacheTimeout  300
SSLMutex  file:/var/opt/apache/...
SSLEngine on
SSLCertificateFile /etc/opt/apache/.../srv.crt
SSLCertificateKeyFile /etc/opt/apache/.../srv.key

<VirtualHost _default_:80>
    CustomLog /var/opt/apache/.../access-80 combined
    ErrorLog /var/opt/apache/.../errors-80
    SSLEngine off
    RewriteEngine On
    RewriteRule ^/ [L,R]
</VirtualHost>

<VirtualHost _default_:4443>
    CustomLog /var/opt/apache/.../access-4443 combined
    ErrorLog /var/opt/apache/.../errors-4443
    SSLEngine on
</VirtualHost>