Shibboleth 3 attributes not exposed from Apache 2.4 as environment variables

Peter Schober peter.schober at univie.ac.at
Sun Dec 15 07:39:11 EST 2019


* vasileios.koukoutsas at uzh.ch <vasileios.koukoutsas at uzh.ch> [2019-12-14 17:43]:
> You mentioned I do not use https for the following snippet:

No, the point of me saying:

> You're telling httpd to proxy via HTTP here (but you can't transfer
> environment variables over HTTP).

was not about HTTP vs. HTTPS, but that you're using the HTTP protocol
here (whether wrapped in SSL or not is immaterial here) to communicate
with Tomcat. And that you cannot transfer environment variables from
httpd processes to Java that way, as the documentation states.

(I also think that using SSL to talk to processes on localhost is
pointless but that's not the issue here either.)

> Is something missing? As far as I know using https in ProxyPass and
> ProxyPassReverse will only redirect using https
[...]
> Currently if I try to access my webapp or any resource under Apache
> I can only do it using https. http requests are automatically
> redirected to https.

Redirect in HTTP means telling the client to go elsewhere (commonly
using a 30x status code and a Location HTTP Response Header), that's
not what should be happening here.

> If I have understood correctly I need both an https and an ajp
> connectors (in Java backend) & their respective proxies in Apache.
> The https connector running on port 10050 is used to serve the web
> content and the sole purpose of the ajp (port 8009) connector is to
> have access to the attributes exposed by apache as environment
> variables.

Understood what correctly, specifically? But no, that's not correct.
Like I already said all you need is an AJP connector in Tomcat (and no
HTTP or HTTPS connectors at all) and one ProxyPass(Reverse) in httpd
using mod_proxy_ajp.

> I thought that if you only use an https connector then you can only
> fetch the attributes through the headers, which is strongly
> recommended against.

Yes. But the consequence of that realisation should not be to use an
HTTPS connector /plus/ an AJP connector when /only/ an AJP connector
can do it all.

> Is there maybe a suggested configuration example from Shibboleth?

If that is, it's in the documentation.
If it's not, it will look like your ajp:// proxying example *without*
also trying to proxy the same request via HTTP (or HTTPS) as well.

-peter
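
The AJP-only arrangement described in the message above, shown as an httpd configuration beside the HTTP(S) proxying it replaces. This is an added example, not part of the original message or of the Shibboleth documentation; the /myapp path is a placeholder, and the Shibboleth SP and Tomcat settings named in the comments are the companion changes it assumes.

```apache
# Added example; /myapp is a placeholder application path.

# Before: the request is proxied over HTTP(S) to the Tomcat connector on
# port 10050. Environment variables set by mod_shib live in the httpd
# process and cannot cross an HTTP hop, so the webapp could only read
# attributes from request headers, which is recommended against.
#ProxyPass /myapp https://localhost:10050/myapp

# After: a single AJP proxy and no HTTP/HTTPS proxy for the same path.
# mod_proxy_ajp forwards only environment variables whose names start
# with AJP_ (the prefix is stripped and they arrive as request attributes).
# Assumed companion settings:
#   shibboleth2.xml:  <ApplicationDefaults ... attributePrefix="AJP_">
#   Tomcat server.xml: <Connector port="8009" protocol="AJP/1.3"
#                       address="127.0.0.1" tomcatAuthentication="false" />
#   and no HTTP or HTTPS <Connector> for this application.
<Location /myapp>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
</Location>

ProxyPass /myapp ajp://localhost:8009/myapp
```

With this in place the webapp reads attributes with `request.getAttribute("<attribute id>")`, and REMOTE_USER via `request.getRemoteUser()`, rather than from headers.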

