Shibboleth 3 attributes not exposed from Apache 2.4 as environment variables

Peter Schober peter.schober at
Sat Dec 14 08:40:31 EST 2019

* vasileios.koukoutsas at <vasileios.koukoutsas at> [2019-12-14 14:27]:
> In the proxy_html.conf I have added the configuration:
> ProxyRequests Off
> ProxyPass /Shibboleth.sso/* !
> ProxyPass /app/ https://localhost:10050/app/
> ProxyPassReverse /app/ https://localhost:10050/app/

You're telling httpd to proxy via HTTP here (but you can't transfer
environment variables over HTTP).

> ProxyHTMLURLMap https://localhost:10050/app/ /app/
> <Location /app/>
>    ProxyPassReverse /
>    SetOutputFilter  proxy-html
>    ProxyHTMLURLMap  /app/ /app/
>    RequestHeader    unset  Accept-Encoding
> </Location>

I don't understand the addtion of any of that but I suppse you have
reasons for including it?

> and in the sites-enabled my app-le-ssl.conf configuration is:
>     RequestHeader set X-Forwarded-Proto "https"
>     <Proxy ajp://localhost:8009>
>       Require all granted
>     </Proxy>
>     SSLProxyEngine On
>     ProxyPass /app/  ajp://localhost:8009/app/
>     ProxyPassReverse /app/ ajp://localhost:8009/app/
>     ProxyPass /Shibboleth.sso/* ! 

While that's also more verbose that what I had used in the past (I
never had to use more than ProxyPass + ProxyPass) but here you're
proxying via AJP as you should (using httpd's mod_proxy_ajp).

So I'd stop proxying via https *and* via ajp. Why have Tomcat even use
an HTTP Connector when you intend to proxy via AJP from httpd? Port
8009 should suffice.


More information about the users mailing list