Apache as reverse proxy: "ShibUseHeaders On" strips some headers
Antonis Christofides
anthony at itia.ntua.gr
Fri May 22 07:50:09 EDT 2015
Hello,
The subject more or less says everything. With "ShibUseHeaders Off", I
sniff the communication between Apache and the backend and I get this:
T 127.0.0.1:36655 -> 127.0.0.1:8003 [AP]
GET /antonis/ HTTP/1.1.
Host: www.itia.ntua.gr.
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
Accept-Language: en-US,en;q=0.5.
Accept-Encoding: gzip, deflate.
Cookie: vl_lang=en; csrftoken=[snipped]; sessionid=[snipped]; lang=2.
DNT: 1.
Cache-Control: max-age=0.
X-Scheme: https.
X-Forwarded-For: 2001:648:2000:a0:cd5f:6ed4:99e2:e87c.
X-Forwarded-Host: www.itia.ntua.gr.
X-Forwarded-Server: www.itia.ntua.gr.
Connection: close.
.
####
T 127.0.0.1:8003 -> 127.0.0.1:36655 [AP]
[Response follows]
But when I specify "ShibUseHeaders On" instead, I get this:
T 127.0.0.1:44163 -> 127.0.0.1:8003 [AP]
GET /antonis/ HTTP/1.1.
Host: www.itia.ntua.gr.
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
Accept-Language: en-US,en;q=0.5.
Accept-Encoding: gzip, deflate.
Cookie: vl_lang=en; csrftoken=[snipped]; sessionid=[snipped]; lang=2.
DNT: 1.
Cache-Control: max-age=0.
Shib-Cookie-Name: .
Shib-Session-ID: .
Shib-Session-Index: .
Shib-Identity-Provider: .
Shib-Authentication-Method: .
Shib-Authentication-Instant: .
Shib-AuthnContext-Class: .
############
T 127.0.0.1:8003 -> 127.0.0.1:44163 [AP]
[Response follows]
The X-Scheme, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Server, and
Connection headers have been removed.
This has been asked before
(https://groups.google.com/forum/#!topic/shibboleth-users/Zf6FxQ_MXo8)
but I fail to understand the conclusions.
I'm using Debian jessie with its prepackaged stuff: Apache 2.4.10 and
Shibboleth SP 2.5.3.
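
Added example, not part of the original post: a small Python script that parses two ngrep byline captures like the ones above and reports which request headers disappeared, appeared, or arrived empty at the backend. The sample captures are constructed from the header names in the post (shortened), and the function names are illustrative.

```python
import re

# Constructed sample input: header names taken from the two captures in the
# post, shortened. ngrep's byline mode prints each CR as a trailing ".".
CAPTURE_OFF = """\
T 127.0.0.1:36655 -> 127.0.0.1:8003 [AP]
GET /antonis/ HTTP/1.1.
Host: www.itia.ntua.gr.
Cache-Control: max-age=0.
X-Scheme: https.
X-Forwarded-For: 2001:648:2000:a0:cd5f:6ed4:99e2:e87c.
X-Forwarded-Host: www.itia.ntua.gr.
X-Forwarded-Server: www.itia.ntua.gr.
Connection: close.
.
"""
CAPTURE_ON = """\
T 127.0.0.1:44163 -> 127.0.0.1:8003 [AP]
GET /antonis/ HTTP/1.1.
Host: www.itia.ntua.gr.
Cache-Control: max-age=0.
Shib-Cookie-Name: .
Shib-Session-ID: .
"""

REQUEST_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*)$")

def parse_headers(capture):
    """Return {lower-case name: value} for the first request in the dump."""
    headers, in_request = {}, False
    for line in capture.splitlines():
        if line.endswith("."):
            line = line[:-1]            # drop the "." that stands for the CR
        if not in_request:
            in_request = bool(REQUEST_RE.match(line))
            continue
        m = HEADER_RE.match(line)
        if not m:
            break                       # blank line or next packet: headers end
        headers[m.group(1).lower()] = m.group(2).strip()
    return headers

def diff_headers(before, after):
    """Compare what the backend received in two captures."""
    b, a = parse_headers(before), parse_headers(after)
    return {"removed": sorted(set(b) - set(a)),
            "added": sorted(set(a) - set(b)),
            "empty": sorted(k for k, v in a.items() if not v)}

if __name__ == "__main__":
    print(diff_headers(CAPTURE_OFF, CAPTURE_ON))
```

A backend that derives the client address or the original scheme from the X-Forwarded-* and X-Scheme headers should treat a non-empty "removed" list as a behaviour change worth checking.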