Shibboleth SP in front of HA-Proxy in http mode

Peter Schober peter.schober at
Mon Sep 10 06:20:17 EDT 2018

* Jakub Danek <jakub.danek at> [2018-09-10 11:24]:
> > Personally I think it should be possible to access Tomcat via AJP from
> > the front-end httpd+shib even if Tomcat runs in OpenShift with a
> > dynamic IP address, as you're seemingly already able to access that
> > same service over HTTP (even if that involves several layers of
> > indirection via several HTTP proxies): *Something* has to know the
> > current IP address Tomcat runs at, either from dynamic service
> > discovery or some form of scripting. Using more automation I guess the
> > relevant config snippet for httpd (where to point mod_proxy_ajp to)
> > could also be updated and httpd reloaded dynamically.
> Openshift does not expose ports or IP addresses of individual pods by
> default - it uses haproxy and own internal DNS for domain-based routing
> (public DNS basically points a wildcard subdomain to the Openshift router
> which then routes to individual services based on the actual full domain).

I imagine pointing httpd at the internal DNS name for Tomcat will not
give sufficiently timely updates should Tomcat be redeployed, with
TTLs, client-side caching, etc.

But even if you have no hooks of any kind to trigger other actions
based on changes in Tomcat's deployment getting the right IP address
from haproxy and copying it into an included httpd config snippet (and
reload httpd on change) still seemed a rather simple workaround.


More information about the users mailing list