SP is not using X-Forwarded-For behind load balancer
Jeffrey Crawford
jeffreyc at ucsc.edu
Thu Mar 15 15:09:44 EDT 2018
I'm trying to move away from using consistentAddress="false" and
checkAddress="false" in our Shibboleth config behind a load balancer.
I'm having a bit of trouble getting the SP v2.6.1 to use the X-Forwarded-For
IP address for its session instead of the LB IP address. I feel like I'm
missing some glue between what Apache sees and what is forwarded to the
shibd process. What I've got so far:
Log entry from the http logs showing I am receiving X-Forwarded-For:

# [15/Mar/2018:11:55:13 -0700] 10.131.128.43 X-Forwarded-For: 128.114.83.84 TLSv1.2 DHE-RSA-AES256-GCM-SHA384 "POST /grouper/grouperUi/app/UiV2Main.indexMain HTTP/1.1" 33851
Apache conf file entry:

<Location /grouper>
    AuthType shibboleth
    ShibCompatWith24 On
    ShibUseEnvironment On
    ShibRequestSetting requireSession 1
    ShibRequestSetting REMOTE_ADDR X-Forwarded-For
    Require shib-attr isMemberOf cn=usr,ou=path,ou=to,ou=group,ou=groups,dc=ucsc,dc=edu
</Location>
Result in the shibd log, pinning the session to the LB address:

# 2018-03-15 11:55:13 INFO Shibboleth.SessionCache [2]: new session created: ID (_2d195a7d3676f4cf0eb11d8539a3d136) IdP (https://test-idp.ucsc.edu:8443/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (10.131.128.43)
Any pointers welcome
Thanks
Jeffrey Crawford
Enterprise Service Team <jeffreyc at ucsc.edu>
You have been assigned this mountain to prove to others that it *can* be
moved.
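The underlying check the poster wants the SP to perform is "which address do I pin this session to when the TCP peer is a load balancer". The function below is an added illustration of that decision, not Shibboleth SP or Apache code, and the SP's own handling of the REMOTE_ADDR request setting is not reproduced here. It assumes (constructed from the log line above) that the load balancer connects from 10.131.128.0/24, and all request samples are constructed. The point it demonstrates is that X-Forwarded-For is only meaningful when the peer is a trusted proxy, and that the client's address is the rightmost entry that is not itself a trusted proxy; anything further left in the header could have been supplied by the client, so it must not be used for session binding.

```python
"""Pick the address to bind a session to behind a load balancer (added
example, not Shibboleth SP code)."""
import ipaddress
from typing import Optional

# Constructed assumption: the range the load balancer connects from. Only a
# header that arrives from one of these peers is believed at all.
TRUSTED_PROXIES = [ipaddress.ip_network("10.131.128.0/24")]


def _is_trusted(addr) -> bool:
    """True if addr belongs to one of the trusted proxy ranges."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_address(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address a session should be pinned to.

    remote_addr: the TCP peer address the web server sees (REMOTE_ADDR).
    xff_header:  the raw X-Forwarded-For value, or None if absent.

    If the peer is not a trusted proxy the header is ignored outright, so
    a direct client cannot choose its own session address. Otherwise the
    comma-separated chain is walked from the right (the hop nearest us);
    trusted proxy addresses are skipped and the first untrusted address is
    the client. If every entry is a trusted proxy, or an entry does not
    parse as an IP address, fall back to the peer address rather than
    trusting an unverifiable value.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer) or not xff_header:
        return remote_addr
    hops = [token.strip() for token in xff_header.split(",")]
    for token in reversed(hops):
        try:
            hop = ipaddress.ip_address(token)
        except ValueError:
            # Malformed entry (empty, host:port, junk): fail closed.
            return remote_addr
        if _is_trusted(hop):
            continue
        return str(hop)
    return remote_addr


def session_address_ok(session_addr: str, remote_addr: str,
                       xff_header: Optional[str]) -> bool:
    """The consistentAddress/checkAddress style test: does the address
    derived for this request match the one recorded at session creation?"""
    return session_addr == client_address(remote_addr, xff_header)


if __name__ == "__main__":
    # Constructed samples: the LB forwards a real client, a client that
    # injected its own X-Forwarded-For before the LB appended the true
    # address, and a client that connects directly and spoofs the header.
    print(client_address("10.131.128.43", "128.114.83.84"))
    print(client_address("10.131.128.43", "1.2.3.4, 128.114.83.84"))
    print(client_address("203.0.113.9", "128.114.83.84"))
```

With the poster's log line as input (peer 10.131.128.43, header 128.114.83.84) the function yields 128.114.83.84, which is the address the session should have been created with. A spoofed prefix in the header is discarded because the walk stops at the first untrusted entry from the right, and a direct connection ignores the header entirely. Whatever mechanism is used to hand the address to shibd, the equivalent of the trusted-proxy list is the part that must not be omitted, otherwise any client can set its own session address and checkAddress provides no protection.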