Jetty 9.4 listening on http
Wessel, Keith
kwessel at illinois.edu
Tue Jul 16 22:08:33 EDT 2019
Correct, Scott. Apache is running on the same server as Jetty, and I'm proxying via mod_proxy to Jetty on localhost:8080. In 9.4.18, the IdP accepts authn requests. When I upgrade to Jetty 9.4.19 with no changes to my jetty base whatsoever, it suddenly starts throwing message security exceptions because the intended destination of the SAML message, localhost, doesn't match the value that the IdP is looking for, which is, obviously, the servername of the test IdP cluster. So, yes, it's the server hostname that's the problem, not the client hostname. I was under the impression that http_forwarded does, in fact, handle this, but I could be way off track with that.
Barring any further suggestions, what's your process for doing a Jetty upgrade, even for a minor version like this? Do I need to do something different to my jetty_base? The one I'm using is the one you all made available for download with my minor customizations that I documented on the Wiki to use the http and http_forwarded modules.
Thanks,
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, July 16, 2019 6:44 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Jetty 9.4 listening on http
I wouldn't be going out of your way to prove they don't have a regression, it wouldn't be the first time. I upgrade entirely "hands off", so if that doesn't work, they have a problem.
To be clear: you're saying you're using the forwarded module to override the *server's* name, right, not just the client's address? It's calling itself localhost because the Host header from the proxy in the middle is localhost so it's not overriding that to virtualize its name?
I don't know how to proxy Jetty or how to override the name/port/whatever. I take it that's part of that module.
-- Scott
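Added example, not part of the thread and not Jetty or Shibboleth code: a simplified Python model of the check discussed above, showing why a SAML Destination stops matching when the container takes its own name from the proxy's Host header instead of the forwarded headers. The hostname idp.example.org, the endpoint path and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: headers a backend sees behind Apache mod_proxy when the
# original Host is not preserved. idp.example.org is a placeholder hostname.
PROXIED_HEADERS = {
    "Host": "localhost:8080",
    "X-Forwarded-Host": "idp.example.org",
    "X-Forwarded-Proto": "https",
}
ENDPOINT_PATH = "/idp/profile/SAML2/POST/SSO"            # assumed endpoint path
DESTINATION = "https://idp.example.org" + ENDPOINT_PATH  # Destination in the SAML message

DEFAULT_PORTS = {"http": 80, "https": 443}


def receiver_url(headers, path, scheme="http", trust_forwarded=False):
    """Rebuild the URL the container believes the request was sent to."""
    host = headers["Host"]
    if trust_forwarded:
        # Forwarded headers are client-controlled unless the connector is
        # reachable only from the proxy (for example bound to localhost).
        host = headers.get("X-Forwarded-Host", host).split(",")[0].strip()
        scheme = headers.get("X-Forwarded-Proto", scheme).split(",")[0].strip()
    return f"{scheme}://{host}{path}"


def normalize(url):
    """Compare on scheme, host, effective port and path, not raw strings."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port, parts.path)


def destination_matches(destination, headers, path, trust_forwarded):
    """True when the message's Destination equals the receiver's own URL."""
    seen = receiver_url(headers, path, trust_forwarded=trust_forwarded)
    return normalize(destination) == normalize(seen)


if __name__ == "__main__":
    for trust in (False, True):
        print(trust, receiver_url(PROXIED_HEADERS, ENDPOINT_PATH, trust_forwarded=trust),
              destination_matches(DESTINATION, PROXIED_HEADERS, ENDPOINT_PATH, trust))
```
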