Umbrella SP behind reverse proxy using nginx

Jozef Misutka misutka at
Tue Feb 13 12:07:34 EST 2018

Dear all,
we have been running a service provider with nginx for years but now we 
want to change the setup and I would like to hear your experience.

The publicly accessible machine will be a simple load balancer/reverse 
proxy with nginx running e.g., *vm-front*.
There are many services with some protected by Shibboleth running on 
different virtual machines e.g., *vm-service1, vm-service2 *proxied from 
One internal virtual machine e.g., *vm-shib* would be dedicated for 
Shibboleth again proxied from vm-front.

The difference to the current setup is that Shibboleth will not be 
running on vm-front anymore but on an internal dedicated virtual machine 
(not publicly accessible but with internet access).

Current nginx configuration:

    # FastCGI authorizer for Auth Request module
    location = /shibauthorizer {
      internal;
      include fastcgi_params;
      fastcgi_pass;
    }
    # FastCGI responder
    location /Shibboleth.sso {
      include fastcgi_params;
      fastcgi_pass;
    }
    # Resources for the Shibboleth error pages
    location /shibboleth-sp {
      alias /opt/shibboleth-sp-fastcgi/share/shibboleth/;
    }

With some services protected like this

    location = /clarin-sp-aggregator/aa-statistics.php {
      include shibboleth_auth;
      include process_php;
    }

where the important parts of shibboleth_auth are

    shib_request /shibauthorizer;
    shib_request_use_headers on;

For the record, we also use various RequestMaps

       <RequestMapper type="XML">
             <Host name=""
               <Path name="services">

Has anyone experience with the desired setup and is there anything we 
should be aware of?

Thank you all.

Jozef Misutka
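
The layout asked about above, as an added configuration sketch for vm-front (not part of the original post and not the poster's actual configuration). Assumptions: the listener ports 9001/9002 on vm-shib, the service port 8080, the `/service1/` path, the upstream names, `sp.example.org` and the certificate paths are all placeholders; `shibboleth_auth` is the include file quoted in the post.

```nginx
# vm-front: public TLS endpoint and reverse proxy.
# shibauthorizer and shibresponder run on vm-shib and listen on TCP
# (assumed ports 9001 and 9002) instead of a local socket.
upstream shib_authorizer { server vm-shib:9001; }
upstream shib_responder  { server vm-shib:9002; }

server {
    listen 443 ssl;
    server_name sp.example.org;                 # placeholder
    ssl_certificate     /etc/nginx/tls/sp.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/sp.key;  # placeholder

    # FastCGI authorizer, reachable only through shib_request subrequests.
    # fastcgi_params is still evaluated here on vm-front, so SERVER_NAME,
    # SERVER_PORT, HTTPS and REQUEST_URI describe the public request,
    # exactly as they did when the SP ran on this machine.
    location = /shibauthorizer {
        internal;
        include fastcgi_params;
        fastcgi_pass shib_authorizer;
    }

    # FastCGI responder (SP handler endpoints)
    location /Shibboleth.sso {
        include fastcgi_params;
        fastcgi_pass shib_responder;
    }

    # Error page resources are static files read by this nginx, so a copy
    # of the directory has to exist on vm-front once the SP moves away.
    location /shibboleth-sp {
        alias /opt/shibboleth-sp-fastcgi/share/shibboleth/;
    }

    # Protected service on another internal VM (hypothetical path and port).
    # The authorizer decision is made before the request is proxied.
    location /service1/ {
        include shibboleth_auth;   # shib_request /shibauthorizer; ...
        proxy_pass http://vm-service1:8080;
    }
}

# FastCGI over TCP is neither encrypted nor authenticated: firewall the
# two vm-shib ports so that only vm-front can connect to them.
```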