IIS 7.5 Server behind an F5 Reverse Proxy

Cantor, Scott cantor.2 at osu.edu
Fri Sep 5 16:02:48 EDT 2014


On 9/5/14, 1:51 PM, "Meiselman, Ellen" <emeiselm at med.umich.edu> wrote:
>
>We added a virtual directory called "/content/" to the SP content server
>which pointed to a real directory at the root of the server then added
>another directory inside it "ct" that points to the resources directory.

Right, I mean, the point is that as long as it's all virtual anyway, there
is no reason to create different paths on the proxy as on the resource
server.

>When I would try to access a resource:
>
>     https://proxyserver.com/content/ct/resource.htm
>
>it would redirect to the web root
>     https://proxyserver.com/content/

Redirect how? When? After what step?

> 
>Based on comparing the headers on working and non-working servers, we
>made a few more changes to shibboleth2.xml - mainly adding explicitly
>stated 443 port to the hostname
>
><Site id="1" name="proxyserver.com:443/content" scheme="https"
>port="443"/>
>
><Host name="proxyserver.com:443/content" authType="shibboleth"
>requireSession="false" scheme="https" port="443">
>             	 <Path name="ct" authType="shibboleth"
>requireSession="true"/>

No. Those "name" attributes are hostnames only. The fields are broken out
so that the code doesn't have to parse URL syntax to find out the intent.
You're fooling the code in some weird way that is not supported. Even if
it worked, I couldn't tell you why and I guarantee it won't keep working.

>1. When I got back to the office after vacation it STILL did not appear
>to work on my office computer! Only mine. Everyone else was working.  I
>cleared all cookies from the browser, cleared the cache, restarted the
>browser, but it still redirected to web root. Then I restarted the
>computer and it started working consistently for me. What caused this if
>not a cookie? We are starting to think that perhaps forms auto-fill was
>auto-filling an old incorrect signed statement into the form that is
>POSTed in the background back to the SP.

I have never heard of any auto-filling of the SAML forms.

>2. Is there any reason I should still go forward with changing the
>reverse proxy mapping that I halted?
>https://proxyserver.com/content/ ==> https://contentserver.com/content/

You can listen to me or not, I wrote the software, and I'm telling you
that you cannot put ports or schemes into the name field of a Site or Host
element. That is not a correct configuration.

-- Scott
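
The rule stated in the reply above (the "name" attribute of a Site or Host element is a hostname only, with scheme and port carried in their own attributes) can be checked mechanically. The script below is an added example, not part of the original post and not Shibboleth project code; the function name lint_names and the CORRECTED sample, including its nested Path layout, are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Site/Host fragment quoted in the post, wrapped in a
# root element (namespace declarations omitted) so it parses on its own.
QUOTED = """<SPConfig>
  <Site id="1" name="proxyserver.com:443/content" scheme="https" port="443"/>
  <Host name="proxyserver.com:443/content" authType="shibboleth"
        requireSession="false" scheme="https" port="443">
    <Path name="ct" authType="shibboleth" requireSession="true"/>
  </Host>
</SPConfig>"""

# Constructed sample (assumption): the same intent with hostname-only names,
# and the /content/ct path expressed as nested Path elements instead.
CORRECTED = """<SPConfig>
  <Site id="1" name="proxyserver.com" scheme="https" port="443"/>
  <Host name="proxyserver.com" authType="shibboleth"
        requireSession="false" scheme="https" port="443">
    <Path name="content">
      <Path name="ct" authType="shibboleth" requireSession="true"/>
    </Path>
  </Host>
</SPConfig>"""


def local(tag):
    """Strip an XML namespace prefix such as '{urn:...}Host' down to 'Host'."""
    return tag.rsplit("}", 1)[-1]


def lint_names(xml_text):
    """Return (element, name, problems) for each Site/Host whose name is not a bare hostname."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) not in ("Site", "Host"):
            continue
        name = el.get("name", "")
        host_part, slash, _ = name.split("://", 1)[-1].partition("/")
        problems = []
        if "://" in name:
            problems.append("scheme")   # belongs in scheme="..."
        if re.search(r":\d+$", host_part):
            problems.append("port")     # belongs in port="..."
        if slash:
            problems.append("path")     # belongs in Path elements
        if problems:
            findings.append((local(el.tag), name, problems))
    return findings


if __name__ == "__main__":
    for label, text in (("quoted", QUOTED), ("corrected", CORRECTED)):
        print(label, lint_names(text))
```
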


