Has shibd to run on the same server
Marc Kalberer
info at programmers.ch
Wed Jul 30 12:34:06 EDT 2014
On 30/07/2014 18:27, Marc Kalberer wrote:
> On 30/07/2014 18:05, Cantor, Scott wrote:
>> On 7/30/14, 11:46 AM, "Marc Kalberer"<info at programmers.ch> wrote:
>>
>>> ProxyPass /Shibboleth.sso
>>> https://www.leclimatentrenosmains.org/Shibboleth.sso/
>>> ProxyPassReverse /Shibboleth.sso
>>> https://www.leclimatentrenosmains.org/Shibboleth.sso/
>>> But ... no changes ....
>> I meant you have to *not* proxy them, but I don't have the most basic idea
>> what this system design looks like.
>>
>> Now you're talking about a reverse proxy in front of the SP, and that's
>> much more difficult to do. At minimum you have to completely virtualize
>> all kinds of settings on the back-end because the SP has to believe it's
>> running on the front-end. The Apache ServerName in back has to virtualize
>> the scheme, host, and port to match the proxy. And the metadata for the SP
>> needs to reflect the fact that the client is talking to the proxy, not the
>> back-end. This is very advanced stuff.
> Maybe I wrongly described the environment.
> ServerName inside is "www.leclimatentrenosmains.org"
> There are no name changes, or whatever.
> My ProxyPass test was wrongly mentioned, it was just to specify that
> I tried many different configurations / solutions
Just to be sure I am not saying something wrong, I asked the provider to test it
internally (before the proxy)
I got a
Yes, I confirm. To be on the safe side, I even tested by
bypassing the reverse proxy:
http7:~# curl -v 127.1.113.177:8080/Shibboleth.sso --header "Location:
www.leclimatentrenosmains.org"
* About to connect() to 127.1.113.177 port 8080 (#0)
* Trying 127.1.113.177... connected
* Connected to 127.1.113.177 (127.1.113.177) port 8080 (#0)
> GET /Shibboleth.sso HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0
OpenSSL/0.9.8o zlib/1.2.3.3 libidn/1.8 libssh2/0.18
> Host: 127.1.113.177:8080
> Accept: */*
> Location: www.leclimatentrenosmains.org
>
< HTTP/1.1 302 Moved Temporarily
< Date: Wed, 30 Jul 2014 16:30:57 GMT
< Server: Apache/2.2
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
< Set-Cookie:
SESSabebeedf35bb6c34586d08444bd78c3b=j11bnu7a0kggurnqmoogi0ds26r29nq1;
expires=Fri, 22-Aug-2014 20:04:17 GMT; path=/
< Last-Modified: Wed, 30 Jul 2014 16:30:57 GMT
< location: /node/6
< Vary: Accept-Encoding
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
<
* Connection #0 to host 127.1.113.177 left intact
* Closing connection #0
>
>>> I just asked the provider, he told me that his proxy is 100% transparent,
>>> and he is absolutely sure that it could not intercept /Shibboleth.sso
>> I assumed the SP was on the front end. A proxy in front means there are a
>> lot of potential problems in play and there's not enough information to go
>> on to begin to suggest a fix.
>>
>> -- Scott
>>
>
> --
> *Programmers.ch*
> Web Development
> Free and Open Source Solutions
> Tel: ++41 76 44 888 72
> Site: http://www.programmers.ch
--
*Programmers.ch*
Web Development
Free and Open Source Solutions
Tel: ++41 76 44 888 72
Site: http://www.programmers.ch
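
The virtualization Scott describes above (the back-end ServerName carrying the proxy's scheme, host and port), sketched as a back-end Apache configuration. This is an added example, not part of the thread and not the poster's actual configuration. The host name and back-end port 8080 are taken from the messages; the front-end listening on https port 443 and the /secure path are assumptions.

```apache
# Added example. Back-end Apache vhost behind a TLS-terminating reverse proxy.
# From the thread: back-end answers plain HTTP on port 8080, public host name
# is www.leclimatentrenosmains.org.
# Assumed here: clients reach the proxy over https on port 443.

Listen 8080

# Not virtualized: the SP derives its own URLs from the scheme, host and port
# Apache reports, so handler and return URLs can carry back-end values.
#<VirtualHost *:8080>
#    ServerName www.leclimatentrenosmains.org
#    UseCanonicalName Off
#</VirtualHost>

# Virtualized: scheme, host and port all match what the client sees at the proxy.
<VirtualHost *:8080>
    ServerName https://www.leclimatentrenosmains.org:443
    UseCanonicalName On

    # The handler path has to be served by mod_shib, not by the application.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Hypothetical protected path, for illustration only.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>

# The SP metadata given to the IdP must then list endpoints under the proxy's
# URL, for example an AssertionConsumerService Location of
# https://www.leclimatentrenosmains.org/Shibboleth.sso/SAML2/POST
```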