Has shibd to run on the same server

Marc Kalberer info at programmers.ch
Wed Jul 30 12:34:06 EDT 2014


On 30/07/2014 18:27, Marc Kalberer wrote:
> On 30/07/2014 18:05, Cantor, Scott wrote:
>> On 7/30/14, 11:46 AM, "Marc Kalberer"<info at programmers.ch>  wrote:
>>
>>> ProxyPass        /Shibboleth.sso https://www.leclimatentrenosmains.org/Shibboleth.sso/
>>> ProxyPassReverse /Shibboleth.sso https://www.leclimatentrenosmains.org/Shibboleth.sso/
>>> But ... no changes ....
>> I meant you have to *not* proxy them, but I don't have the most basic idea
>> what this system design looks like.
>>
>> Now you're talking about a reverse proxy in front of the SP, and that's
>> much more difficult to do. At minimum you have to completely virtualize
>> all kinds of settings on the back-end because the SP has to believe it's
>> running on the front-end. The Apache ServerName in back has to virtualize
>> the scheme, host, and port to match the proxy. And the metadata for the SP
>> needs to reflect the fact that the client is talking to the proxy, not the
>> back-end. This is very advanced stuff.
> Maybe I wrongly described the environment.
>     ServerName inside is "www.leclimatentrenosmains.org"
> there are no name changes, or whatever.
> My ProxyPass test was wrongly mentioned, it was just to specify that 
> I tried many different configurations / solutions
Just to be sure I am not saying something wrong, I asked the provider to test it 
internally (before the proxy)
I got a
Yes, I confirm. To be thorough, I even tested by 
bypassing the reverse proxy:

http7:~# curl -v 127.1.113.177:8080/Shibboleth.sso --header "Location: 
www.leclimatentrenosmains.org"
* About to connect() to 127.1.113.177 port 8080 (#0)
* Trying 127.1.113.177... connected
* Connected to 127.1.113.177 (127.1.113.177) port 8080 (#0)
 > GET /Shibboleth.sso HTTP/1.1
 > User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 
OpenSSL/0.9.8o zlib/1.2.3.3 libidn/1.8 libssh2/0.18
 > Host: 127.1.113.177:8080
 > Accept: */*
 > Location: www.leclimatentrenosmains.org
 >
< HTTP/1.1 302 Moved Temporarily
< Date: Wed, 30 Jul 2014 16:30:57 GMT
< Server: Apache/2.2
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
< Set-Cookie: 
SESSabebeedf35bb6c34586d08444bd78c3b=j11bnu7a0kggurnqmoogi0ds26r29nq1; 
expires=Fri, 22-Aug-2014 20:04:17 GMT; path=/
< Last-Modified: Wed, 30 Jul 2014 16:30:57 GMT
< location: /node/6
< Vary: Accept-Encoding
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
<
* Connection #0 to host 127.1.113.177 left intact
* Closing connection #0
>
>>> I just asked the provider, he told me that his proxy is 100% transparent,
>>> and he is absolutely sure that it could not intercept /Shibboleth.sso
>> I assumed the SP was on the front end. A proxy in front means there are a
>> lot of potential problems in play and there's not enough information to go
>> on to begin to suggest a fix.
>>
>> -- Scott
>>
>
> -- 
> *Programmers.ch*
> Web development
> Free and open-source solutions
> Tel: ++41 76 44 888 72
> Site: http://www.programmers.ch

-- 
*Programmers.ch*
Web development
Free and open-source solutions
Tel: ++41 76 44 888 72
Site: http://www.programmers.ch
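
Added example, not part of the original thread or of the Shibboleth project: the point quoted above, that the SP's metadata has to describe the proxy the client talks to rather than the back-end, can be checked mechanically. The Python below flags every metadata endpoint whose scheme, host or port differs from the public URL; the host names and the sample metadata are constructed for illustration.

```python
# Added example: verify that an SP's SAML metadata advertises the reverse
# proxy's origin (scheme, host, port) and not the back-end's.
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(scheme))

def mismatched_endpoints(metadata_xml, public_url):
    """List (element name, URL) pairs whose origin differs from public_url."""
    expected = origin(public_url)
    bad = []
    for elem in ET.fromstring(metadata_xml).iter():
        # SAML endpoint elements carry their URLs in these two attributes.
        for attr in ("Location", "ResponseLocation"):
            loc = elem.get(attr)
            if loc and origin(loc) != expected:
                bad.append((elem.tag.split("}")[-1], loc))
    return bad

# Constructed sample: one endpoint is correct, the other leaks the back-end
# address (hypothetical host backend.internal.example, port 8080).
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.example.org/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://www.example.org:443/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://backend.internal.example:8080/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for name, loc in mismatched_endpoints(SAMPLE_METADATA,
                                          "https://www.example.org/"):
        print(f"{name}: {loc} does not match the proxy origin")
```

Run it against the metadata the SP actually generates, passing the URL users type into the browser as `public_url`.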