Shibboleth SP in front of HA-Proxy in http mode

Peter Schober peter.schober at
Mon Sep 10 04:49:53 EDT 2018

* Jakub Danek <jakub.danek at> [2018-09-10 09:34]:
> I was asking merely to confirm that the environment variables won't
> work in our scenario

4 layers of 4 different web server implementations (3 of them
proxying) for a single service certainly doesn't look pretty to me.
Securing that (to prevent header spoofing on each layer) and making
sure each layer sees the original IP address (for auditing and
debugging purposes) also seems rather involved. YMMV.

Personally I think it should be possible to access Tomcat via AJP from
the front-end httpd+shib even if Tomcat runs in OpenShift with a
dynamic IP address, as you're seemingly already able to access that
same service over HTTP (even if that involves several layers of
indirection via several HTTP proxies): *Something* has to know the
current IP address Tomcat runs at, either from dynamic service
discovery or some form of scripting. Using more automation I guess the
relevant config snippet for httpd (where to point mod_proxy_ajp to)
could also be updated and httpd reloaded dynamically.

Finally, instead of carrying forward the SAML Assertion and trying to
verify that further down the chain (as Nate suggested) you could use
mod_proxy_jwt_auth as mentioned/contributed on this list a while ago.


More information about the users mailing list