Shibboleth and Apache Http config for 2 nodes and one Load balancer architecture.

Peter Schober peter.schober at
Fri Aug 24 18:06:15 EDT 2018

* gori.kaushik <gori.kaushik at> [2018-08-21 11:02]:
> I am able to configure the two single nodes and they are working
> perfectly fine with shib.conf that I've done. But no luck when I am
> trying to use my LB VirtualHost for the same. It seems it doesn't
> know what to do once authentication is done.

Could you try to explain in a bit more detail what it is you want to
achieve (and possibly why)? Your config doesn't make much sense to me
as it is so guessing and working backwards from that is prone to
errors and misunderstandings.

E.g. you seem to have HTTPS and HTTP configured on the "nodes" but
only plain HTTP on the "loadbalancer"? Also you're proxying to the
protected resource (another web server running on localhost:8080) from
both the "node" webserver as well as fron the "loadbalancer". This
only makes sure that noone will understand what you mean with
Also I'd never enable shib protection on any plain-HTTP vhost,
plain-HTTP vhosts should solely be used for redirecting to HTTPS these
days, IMO, and there's also the issue of IDP(HTTPS) --POST--> SP(HTTP)
which results in security warnings.

Finally, what runs on localhost:8080? The Shibboleth documentation
does not recommend HTTP proxying. (Of course sometimes there are no
better alternatives.) And why would you need shib-protection in the
"node" vhost as well as on the "loadbalancer" vhost?


More information about the users mailing list