Umbrella SP behind reverse proxy using nginx

Peter Schober peter.schober at univie.ac.at
Tue Feb 13 12:55:08 EST 2018


Hi Jozef,

* Jozef Misutka <misutka at ufal.mff.cuni.cz> [2018-02-13 18:08]:
> The publicly accessible machine will be a simple load balancer/reverse proxy
> with nginx running e.g., *vm-front*.
> There are many services with some protected by Shibboleth running on
> different virtual machines e.g., *vm-service1, vm-service2* proxied from
> vm-front.
> One internal virtual machine e.g., *vm-shib* would be dedicated for
> Shibboleth again proxied from vm-front.
> 
> The difference to the current setup is that Shibboleth will not be running
> on vm-front anymore but on an internal dedicated virtual machine (not
> publicly accessible but with internet access).

OK, so you have the reverse proxy (RP), a reverse-proxied Shibboleth
Service Provider (SP) and several reverse-proxied services (S1..Sn)?

Then how is the SP supposed to protect resources on S1 when it doesn't
see requests to those, and is not involved with access control at RP
either?
Access to S1 would go through RP and be proxied to S1 directly without
invoking the SP. Likewise a valid session at SP would not cover access
to S1..Sn through RP, AFAIU.

So I probably don't understand what you're suggesting.

See also
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPOneMany

-peter

