multiple sp hosts behind a firewall/proxy etc

Musil, William wmusil at labvantage.com
Sat May 30 23:03:43 EDT 2015


Well I tried again, and I still don’t understand


What I have

I have a cluster of two JBOSS EAP 6.2.0 nodes, with our commercial web application, that has been modified by our development team to interact with SP. The primary protected location is a login.jsp in the context. Two systems, Node2 and Node3.

On each is also loaded JBOSS EWS 2.0 with mod_cluster to handle the AJP to JBOSS interaction. Both mod_clusters talk to both JBoss instances for HA, resilience, and load sensitivity. EWS is in worker mode.

On each EWS2.0 Shib has also been loaded. EWS is dedicated for this purpose and also has the root context, save for Shibboleth specific location directives, forwarded on to mod_cluster.

Finally I have a firewall pointing to an Apache box (native RHEL 6.6 apache package) to LB inbound http traffic running mod_proxy_balancer, mimicking what an F5 BigIP or some other load balancer may do. Node1. This is dedicated and balances traffic for the root context /, stickiness is enabled, and ProxyPassReverse directives are in place.

Now I have made the canonical mods and the servername mods for the fqdn of the standalone proxy, Node1.company.com.

All traffic is http only and flows via the apache proxy, Node1. Only Node1 has a public registration and a firewall opening on port 80.

Shib has identical keys and identity and all entries in shibboleth2.xml point at the fqdn of the proxy, Node1.company.com. I have the relayState set to cookie.


If I turn off Shibd, and disable it in the application, all is well.


If I only run shibd and httpd(ews) on one of the nodes, all is well, and Shibboleth works as expected. Mod_cluster even balances traffic amongst the multiple active jboss instances in the backend on both node2 and node3. This of course introduces a single point of failure.

All of our clusters run a combo of JBOSS EAP and EWS with mod_cluster on every node to ensure a seamless user experience. This is identical behaviour and setup if we use WebSphere with IHS, or WebLogic with OHS. Of course loading shib as a module seems to be much simpler then, as we require that redundant web tier.

If I start both shibd and httpd(ews) I always get the testshib login, so the idp redirect works fine, and on return I get looping behaviour. Sometimes it gets in and I get to the application; other times, I get a proxy error from too many loops.

I read NativeSPClusteringByProxy. It seems to indicate that I need to create unique per-node login pages, but the pages are not on apache, and there is no way for JBoss to decide which mod_cluster will serve the login from which available deployment of the application. I also don't understand any of the rewrites, whether they are attempting to recode cookies, or attempting to alter the URL and replace a single login with host-unique logins. The application is clustered by design, in very large implementations on n-many instances, so setting up host-specific login pages is not at all practical. Again, perhaps I just don't understand what NativeSPClusteringByProxy is trying to do.

I expect that a thought might be that the stickiness just might not be working, but I can see that the looping is visible in the access logs of the apache on the SP: GET, POST, GET, POST. That would tell me that the stickiness is working. I was tailing the access logs while both were running and I see traffic looping only on one node. So Node2 gets the request, and the proxy sends the post back to Node2, but something with it is wrong, and round and round we go. That tells me that the stickiness from the top level proxy, node1, is working. I have no evidence that a given shib session is bouncing between the two nodes with SP.

Any ideas from anyone are welcome.


William T. Musil
Manager, Technical Services

LABVANTAGE Solutions, Inc.
265 Davidson Avenue, Suite 220
Somerset, NJ 08873-4120 USA

Phone: 908-333-0111
Mobile: 908-531-0835
Fax: 732-560-0121
Email: wmusil at labvantage.com
Website: www.labvantage.com
Skype: bmusil.lvs
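The access-log check described in the message above, as an added example that is not part of the original thread and not Shibboleth or LABVANTAGE code: a small Python script that parses Apache combined-format access lines collected from each SP node, reports whether a given client stayed pinned to one node (the stickiness question), and counts the GET/POST redirect cycles between the protected resource and the SP's /Shibboleth.sso/SAML2/POST handler. The node names, client addresses and log lines are constructed for the example; the /CR/rc/login path is the one mentioned later in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines, one list per SP node (sample data,
# not from the original thread). 10.0.0.5 on node2 shows the GET/POST
# ping-pong the post describes; 10.0.0.7 on node3 is a normal login;
# 10.0.0.9 is a client whose requests were NOT pinned to a single node.
SAMPLE_LOGS = {
    "node2": [
        '10.0.0.5 - - [30/May/2015:22:41:10 -0400] "GET /CR/rc/login HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.5 - - [30/May/2015:22:41:12 -0400] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.5 - - [30/May/2015:22:41:13 -0400] "GET /CR/rc/login HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.5 - - [30/May/2015:22:41:15 -0400] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.5 - - [30/May/2015:22:41:16 -0400] "GET /CR/rc/login HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.5 - - [30/May/2015:22:41:18 -0400] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.5 - - [30/May/2015:22:41:19 -0400] "GET /CR/rc/login HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.5 - - [30/May/2015:22:41:21 -0400] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.5 - - [30/May/2015:22:41:22 -0400] "GET /CR/rc/login HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.9 - - [30/May/2015:22:43:00 -0400] "GET /CR/rc/login HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.9 - - [30/May/2015:22:43:06 -0400] "GET /CR/rc/login HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    ],
    "node3": [
        '10.0.0.7 - - [30/May/2015:22:42:00 -0400] "GET /CR/rc/login HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.7 - - [30/May/2015:22:42:04 -0400] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.7 - - [30/May/2015:22:42:05 -0400] "GET /CR/rc/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '10.0.0.9 - - [30/May/2015:22:43:02 -0400] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.9 - - [30/May/2015:22:43:03 -0400] "GET /CR/rc/login HTTP/1.1" 302 - "-" "Mozilla/5.0"',
        '10.0.0.9 - - [30/May/2015:22:43:05 -0400] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    ],
}

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SP_HANDLER_PREFIX = "/Shibboleth.sso/"  # default Shibboleth SP handler URL


def parse_line(node, line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "node": node,
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def analyze(logs_by_node, loop_threshold=3):
    """Per client: which SP nodes served it, and how many redirect cycles it hit.

    A "cycle" is a 302 from the SP's POST handler immediately followed by
    another 302 when the browser re-requests a protected (non-handler) path:
    the session the handler just established was not honoured on the very
    next request, so the SP sends the browser round again.
    """
    by_client = defaultdict(list)
    for node, lines in logs_by_node.items():
        for line in lines:
            ev = parse_line(node, line)
            if ev:
                by_client[ev["ip"]].append(ev)

    report = {}
    for ip, events in by_client.items():
        events.sort(key=lambda e: e["ts"])  # merge both nodes' views in time order
        nodes = sorted({e["node"] for e in events})
        cycles = 0
        for prev, cur in zip(events, events[1:]):
            if (prev["method"] == "POST" and prev["path"].startswith(SP_HANDLER_PREFIX)
                    and prev["status"] == 302 and cur["method"] == "GET"
                    and not cur["path"].startswith(SP_HANDLER_PREFIX) and cur["status"] == 302):
                cycles += 1
        report[ip] = {
            "nodes": nodes,
            "sticky": len(nodes) == 1,
            "loop_cycles": cycles,
            "looping": cycles >= loop_threshold,
        }
    return report


if __name__ == "__main__":
    for ip, r in sorted(analyze(SAMPLE_LOGS).items()):
        print(f"{ip}: nodes={r['nodes']} sticky={r['sticky']} "
              f"cycles={r['loop_cycles']} looping={r['looping']}")
```

Run it against the real per-node access logs by replacing SAMPLE_LOGS with the file contents of each node; a client that is `looping` while `sticky` is the situation described in the message above (one node, GET/POST/GET/POST), whereas a client that is not `sticky` points at the front-end balancer rather than the SP.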

-----Original Message-----
From: Musil, William 
Sent: Sunday, May 24, 2015 9:19 PM
To: Shib Users; Cantor, Scott
Subject: RE: multiple sp hosts behind a firewall/proxy etc

Actually ss:mem is better, for me, for now. :-D


I really don’t want or need to be an SME expert in shibboleth right now, nor use fiddler to figure it out.

We know the cookies are the problem, but I am lucky that our webapp implementation is the one and only application context available. We require dedicated JVMs, and the apache layer where shib is loaded is also dedicated to that jvm, we require it in clusters for the application server connector. JBoss-EAP and JBoss-EWS, or WebSphere and IHS, or WebLogic and OHS.

So, I just change the default landing page to refresh to my top level context, and put back ss:mem.


Works now. 


I am sure that this won't work for the other protected locations, but I can revisit the cookie issue with our development team and let them figure it out.



Thank you so much Scott for your repeated prompt responses. You were a huge help. 

The proof of concept is running with a few glitches that I can live with for the weekend.






-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Musil, William
Sent: Sunday, May 24, 2015 6:50 PM
To: Cantor, Scott; Shib Users
Subject: RE: multiple sp hosts behind a firewall/proxy etc

RelayState set to "cookie", worse - mad looping.

GET, POST, GET, POST and on and on.

Reading through the diagnosis possibilities. 

Maybe ss:mem is not so bad after all :-D

I have also set cookieProps = "http" as I am not using SSL for this proof of concept. It didn’t help.





-----Original Message-----
From: Cantor, Scott [mailto:cantor.2 at osu.edu] 
Sent: Sunday, May 24, 2015 5:35 PM
To: Musil, William; Shib Users
Subject: Re: multiple sp hosts behind a firewall/proxy etc

On 5/24/15, 5:27 PM, "Musil, William" <wmusil at labvantage.com> wrote:
>
>Now that I am using the proxy config as suggested, the redirect after success just sends me back to the root of the site, dropping the context. I am protecting /CR/rc/login. Instead of redirecting me to the http://proxy/CR/rc/login after talking to the idp, it sends me to http://proxy.

The default relay state mechanism is in-memory, so if you're switching systems mid-stream, it's not going to work. Change it to use a cookie and you can make that work even if the relay state is set on a different SP instance from the one that handles the response.

-- Scott
