Umbrella SP behind reverse proxy using nginx

Jozef Misutka misutka at ufal.mff.cuni.cz
Tue Feb 13 12:07:34 EST 2018


Dear all,
we have been running a service provider with nginx for years but now we 
want to change the setup and I would like to hear your experience.

The publicly accessible machine will be a simple load balancer/reverse 
proxy with nginx running e.g., *vm-front*.
There are many services with some protected by Shibboleth running on 
different virtual machines e.g., *vm-service1, vm-service2* proxied from 
vm-front.
One internal virtual machine e.g., *vm-shib* would be dedicated for 
Shibboleth again proxied from vm-front.

The difference to the current setup is that Shibboleth will not be 
running on vm-front anymore but on an internal dedicated virtual machine 
(not publicly accessible but with internet access).

Current nginx configuration:

    # FastCGI authorizer for Auth Request module
    location = /shibauthorizer {
      internal;
      include fastcgi_params;
      fastcgi_pass 127.0.0.1:12344;
    }

    # FastCGI responder
    location /Shibboleth.sso {
      include fastcgi_params;
      fastcgi_pass 127.0.0.1:12345;
    }

    # Resources for the Shibboleth error pages
    location /shibboleth-sp {
      alias /opt/shibboleth-sp-fastcgi/share/shibboleth/;
    }

With some services protected like this

       location = /clarin-sp-aggregator/aa-statistics.php {
         include shibboleth_auth;
         include process_php;
       }

where the important parts of shibboleth_auth are

    shib_request /shibauthorizer;
    shib_request_use_headers on;


For the record, we also use various RequestMaps

       <RequestMapper type="XML">
           <RequestMap>
             <Host name="lindat.mff.cuni.cz"
                   authType="shibboleth"
                   requireSession="true"
                   exportAssertion="true"
                   redirectToSSL="443">
               <Path name="services">


Does anyone have experience with the desired setup, and is there anything we 
should be aware of?

Thank you all.

Regards,
Jozef Misutka
LINDAT/CLARIN
http://lindat.cz
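For the split setup described above, here is an added example (not the poster's configuration) of how the vm-front side could look. It assumes vm-shib resolves on the internal network, that shibauthorizer and shibresponder there keep listening on 12344 and 12345 but on an interface vm-front can reach (not 127.0.0.1 as in the current config), that the application lives on vm-service1, and that the `$upstream_http_variable_*` variable names follow the nginx-http-shibboleth module's README.

```nginx
# vm-front: added example for the split setup (not from the original post).
# Assumed names: vm-shib (SP FastCGI daemons), vm-service1 (application).
upstream shib_authorizer { server vm-shib:12344; }
upstream shib_responder  { server vm-shib:12345; }

server {
    listen 443 ssl;
    server_name lindat.mff.cuni.cz;
    # ssl_certificate / ssl_certificate_key as in the existing setup

    # FastCGI authorizer, now on the internal VM. FastCGI over TCP is
    # plaintext and unauthenticated, so only vm-front should be able to
    # reach these ports (host firewall or private network on vm-shib).
    location = /shibauthorizer {
        internal;
        include fastcgi_params;
        fastcgi_pass shib_authorizer;
    }

    # FastCGI responder (handler endpoints under /Shibboleth.sso).
    # The standard fastcgi_params file passes SERVER_NAME, SERVER_PORT
    # and HTTPS from vm-front; the SP uses them to build handler URLs
    # and to match the <Host name="lindat.mff.cuni.cz"> RequestMap,
    # so they must describe the public vhost, not vm-shib.
    location /Shibboleth.sso {
        include fastcgi_params;
        fastcgi_pass shib_responder;
    }

    # Protected application proxied to another internal VM.
    location /clarin-sp-aggregator/ {
        shib_request /shibauthorizer;
        # Pass attributes as nginx variables rather than relying on
        # shib_request_use_headers: with headers, a client can supply
        # its own Shib-*/Variable-* headers unless they are stripped.
        shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
        proxy_set_header X-Remote-User $shib_remote_user;
        # Empty value drops any client-supplied copy before forwarding.
        proxy_set_header Variable-Remote-User "";
        proxy_pass http://vm-service1;
    }
}
```

The application on vm-service1 then reads X-Remote-User only from the proxy, and vm-service1 should likewise accept connections from vm-front alone so the header cannot be set by anyone else.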