SP Reverse proxy and handlerSSL

Brian Mathis brian.mathis at gmail.com
Wed Nov 28 10:03:26 EST 2012


On Tue, Nov 27, 2012 at 10:18 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 11/27/12 10:01 PM, "Brian Mathis" <brian.mathis at gmail.com> wrote:
>
> >I do not have handlerSSL set in my shibboleth2.xml config for the
> >Sessions, so the default is "true".  However, I am not seeing any
> >problems in this configuration, and so far all my tests are working.  I
> >tried to set it to "false", and also explicitly set to
> > "true", but it does not seem to affect the operation of the SP.
>
> The only time handlerSSL is going to matter is if you're serving http://
> requests. Your server here is virtualized to think everything it handles
> is https://, so there's no case where it would come into play no matter
> what it's set to.
>
> >What's going on here?  I don't want to miss something that might crop up
> >later.
>
> The only thing I can think you're concerned about is a log warning, but
> leaving aside that the purpose of the warning is just to guard against
> non-ideal settings you don't intend to use, if your server is hosting
> nothing but https:// requests, there's no reason to ever set handlerSSL to
> false (or indeed to set it at all in such a case).
>
> -- Scott
>

Thanks for the explanation.  My only concern was that the docs were telling
me one thing, but I was seeing something else, so I wanted to make sure I
was not missing something.

The missing information was the full explanation of how Apache presents the
virtualized scheme to the module, which you covered here.  It's not an
obvious thing and until now I've never seen ServerName used in this way,
even though the Apache docs do mention it.
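
The arrangement discussed in this thread, as an added sketch that is not part of the original messages or the poster's actual configuration: a backend Apache behind a TLS-terminating reverse proxy, with ServerName carrying the scheme so the SP module sees every request as https://. The hostname, backend port and protected path are assumptions.

```apache
# Constructed example: the backend receives plain HTTP from a reverse
# proxy that terminates TLS. Hostname, port and path are placeholders.
<VirtualHost *:80>
    # ServerName accepts an optional scheme and port. With
    # UseCanonicalName On, Apache reports this scheme, host and port to
    # modules as the request's own, so the SP generates https:// URLs
    # even though the proxy-to-backend hop is http://.
    ServerName https://sp.example.org:443
    UseCanonicalName On

    # Every request now appears to the SP as https://, so handlerSSL in
    # the <Sessions> element of shibboleth2.xml has nothing to act on
    # and can be left unset (default "true").
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
```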