Solved: Apache as reverse proxy: "ShibUseHeaders On" strips some headers

Antonis Christofides anthony at itia.ntua.gr
Mon May 25 06:20:57 EDT 2015


Sorry, this had nothing to do with Shibboleth. In fact, no headers were
actually being stripped (they were just being re-ordered). It was just
that with "ShibUseHeaders On" Shibboleth adds a large number of headers,
and the way I was sniffing the traffic (ngrep with an unfortunate
argument) was capturing only the first few headers (probably because the
request was broken into many TCP packets).



On 2015-05-22 14:50, Antonis Christofides wrote:
> Hello,
> 
> The subject more or less says everything. With "ShibUseHeaders Off", I
> sniff the communication between apache and the backend and I get this:
> 
>     T 127.0.0.1:36655 -> 127.0.0.1:8003 [AP]
>     GET /antonis/ HTTP/1.1.
>     Host: www.itia.ntua.gr.
>     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0.
>     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
>     Accept-Language: en-US,en;q=0.5.
>     Accept-Encoding: gzip, deflate.
>     Cookie: vl_lang=en; csrftoken=[snipped]; sessionid=[snipped]; lang=2.
>     DNT: 1.
>     Cache-Control: max-age=0.
>     X-Scheme: https.
>     X-Forwarded-For: 2001:648:2000:a0:cd5f:6ed4:99e2:e87c.
>     X-Forwarded-Host: www.itia.ntua.gr.
>     X-Forwarded-Server: www.itia.ntua.gr.
>     Connection: close.
>     .
> 
>     ####
>     T 127.0.0.1:8003 -> 127.0.0.1:36655 [AP]
>     [Response follows]
> 
> But when I specify "ShibUseHeaders On" instead, I get this:
> 
>     T 127.0.0.1:44163 -> 127.0.0.1:8003 [AP]
>     GET /antonis/ HTTP/1.1.
>     Host: www.itia.ntua.gr.
>     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0.
>     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
>     Accept-Language: en-US,en;q=0.5.
>     Accept-Encoding: gzip, deflate.
>     Cookie: vl_lang=en; csrftoken=[snipped]; sessionid=[snipped]; lang=2.
>     DNT: 1.
>     Cache-Control: max-age=0.
>     Shib-Cookie-Name: .
>     Shib-Session-ID: .
>     Shib-Session-Index: .
>     Shib-Identity-Provider: .
>     Shib-Authentication-Method: .
>     Shib-Authentication-Instant: .
>     Shib-AuthnContext-Class: .
> 
>     ############
>     T 127.0.0.1:8003 -> 127.0.0.1:44163 [AP]
>     [Response follows]
> 
> The X-Scheme, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Server, and
> Connection headers have been removed.
> 
> This has been asked before
> (https://groups.google.com/forum/#!topic/shibboleth-users/Zf6FxQ_MXo8)
> but I fail to understand the conclusions.
> 
> I'm using Debian jessie with its prepackaged stuff: Apache 2.4.10 and
> Shibboleth SP 2.5.3.
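
The check that would have caught this, as an added example that is not part of the original post: reassemble every segment of a flow before comparing header sets, and treat a header block with no terminating blank line as truncated. It assumes ngrep's `-W byline` rendering (each CR printed as ".") and segments that split on a line boundary; the capture and the function names are constructed for illustration.

```python
import re

PKT = re.compile(r"^T (\S+) -> (\S+) \[\w+\]$")

# Constructed sample (not from the post): one request split over two TCP
# segments, in ngrep "-W byline" style where each CR is printed as ".".
# Assumption: the segments happen to split on a line boundary.
CAPTURE = """\
T 127.0.0.1:44163 -> 127.0.0.1:8003 [A]
GET /antonis/ HTTP/1.1.
Host: www.itia.ntua.gr.
Shib-Session-ID: .
Shib-AuthnContext-Class: .
##
T 127.0.0.1:44163 -> 127.0.0.1:8003 [AP]
X-Scheme: https.
X-Forwarded-For: 2001:db8::1.
Connection: close.
.
"""
FLOW = ("127.0.0.1:44163", "127.0.0.1:8003")


def packets(capture):
    """Split ngrep output into [(flow, [payload lines])], one entry per packet."""
    out = []
    for raw in capture.splitlines():
        line = raw.strip()
        m = PKT.match(line)
        if m:
            out.append(((m.group(1), m.group(2)), []))
        elif out and line and set(line) != {"#"}:  # skip ngrep's "####" separators
            out[-1][1].append(line)
    return out


def headers(lines):
    """Return (complete, names). A lone "." is the rendered CR of the blank
    line that ends an HTTP header block; without it the block is truncated."""
    complete = "." in lines
    end = lines.index(".") if complete else len(lines)
    return complete, [l.split(":", 1)[0] for l in lines[:end] if ": " in l]


def reassembled(capture, flow):
    """Concatenate all segments of one flow before judging its headers."""
    return headers([l for f, body in packets(capture) if f == flow for l in body])
```

Looking at the first packet alone reports an incomplete block without the X- headers; the reassembled flow reports a complete block that contains them.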

