CAS-5.3.2 default service url behind nginx


James Q

Jul 31, 2018, 1:42:49 AM
to CAS Community
Hello,

I configured an app with CAS successfully.
I configured cas.view.defaultRedirectUrl=http://localhost:8080/app

2. input username and password
It works well on the same tomcat.

Then I separated it onto 3 servers: proxy_server, app_server and cas_server.
Each server has nginx installed.

1. proxy_server's nginx proxies app_server's and cas_server's nginx
2. app_server's nginx proxies app
3. cas_server's nginx proxies cas

Each nginx conf is the same, like this:
proxy_server's nginx conf:

    location /cas {
        proxy_pass  http://cas_server/cas;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }

    location /app {
        proxy_pass  http://app_server/app;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }

Steps:
2. input username and password
This was wrong. It still needs input of username and password.

4. but after inputting username and password again, it redirects to http://proxy_server/app

Question:
1. After login successfully, it should redirect to http://proxy_server/app
2. But it redirects to the login page again.

How to config nginx?
It doesn't work.

And from searching, I found it should add the ngx_headers_more module to nginx for location?
Any ideas?

Thanks.

Ray Bon

Jul 31, 2018, 11:45:59 AM
to cas-...@apereo.org
James,

If you have three nginx instances, then each one should have a different configuration. It should only be concerned with one application.
The redirecting to login will be handled by cas client, one on proxy server and one on app server.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

James Q

Jul 31, 2018, 10:03:44 PM
to CAS Community
Hello Ray,

Yes, each nginx has a different configuration.

app_server's nginx conf:

    location /app {
        proxy_pass  http://localhost:8080/app;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }

cas_server's nginx conf:

    location /cas {
        proxy_pass  http://localhost:8080/cas;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }

I think the web flow should be:

1. browse to login page http://localhost:8080/cas (http status 200)
2. input username and password
3. cas login success, and store TGC cookie on browser
4. redirect to http://localhost:8080/app (http status 302), the header is:

       Request URL:
       Request Method: GET
       Status Code: 302
       Remote Address: [::1]:8080
       Referrer Policy: no-referrer-when-downgrade

5. app is the cas client, it should use the TGC to have cas validate the ticket.
7. cas issues a ST to the client, http://localhost:8080/app/callback?ticket=ST-..... (http status 302)
8. cas validates the ST successfully and app shows the page. http://localhost:8080/app (http status 200)

The strange thing happened at step6.
On my desktop, I installed cas and app on the same tomcat. I used chrome to trace.
Step6 is 302 (redirect and validate) and step8 is http status 200 (show the app page); it is the right sequence.

But after the nginx proxy, step6 is 200 (show the login page again), the sequence stopped, and there was no step7 and step8.
I watched the chrome network; the step4 header is:

       Request URL:
       Request Method: GET
       Status Code: 302 Found
       Remote Address: X.X.X.X:80
       Referrer Policy: no-referrer-when-downgrade

The step4 difference is:
localhost status code is "302", but proxy_server status code is "302 Found", then the next step6 is the wrong sequence.
I don't know what the difference between "302" and "302 Found" is and couldn't find it by searching.

So how to config nginx to fix this?

Thanks.

Ray Bon

Aug 1, 2018, 12:06:02 PM
to cas-...@apereo.org
James,

It looks like proxy_server/app is not part of SSO. What does your service definition(s) look like?

Unless you have a need to have each tomcat fronted by its own nginx, you could simplify and have one nginx (instead of 3). 
In proxy_server's nginx, replace:
proxy_pass  http://cas_server/cas;
with:
etc.

I have not used the set_header options but do not think that is causing problems.

Ray

James Q

Aug 2, 2018, 8:11:45 AM
to CAS Community
Ray,

I used one nginx to proxy app and cas as you suggested and it works.

But this exposes the ports of the app and cas server.
Still don't know why 3 nginx didn't work out...

What do you mean proxy_server/app is not part of SSO?

Thanks.
James.

Ray Bon

Aug 2, 2018, 12:38:23 PM
to cas-...@apereo.org
James,

I meant that http://proxy_server/app was not registered as a service in CAS but the tomcat server was, http://localhost:8080/app.

Your ports should not be exposed but hidden within nginx config.

Ray
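The mismatch Ray describes can be checked mechanically. This is an added example, not code from the thread or from CAS: it rebuilds the service URL a CAS client behind nginx would send (assuming the client takes the host from the Host header and the scheme from X-Forwarded-Proto, both constructed assumptions) and tests it against regex service definitions in the style of CAS 5.x RegexRegisteredService entries, which are constructed sample data.

```python
import re

# Constructed CAS service registry entries (regex serviceId patterns, as in
# CAS 5.x RegexRegisteredService JSON definitions). The only registered one is
# the tomcat URL that worked before nginx was introduced.
REGISTERED_SERVICES = [
    {"name": "app (direct tomcat)", "serviceId": r"^http://localhost:8080/app(/.*)?$"},
]


def client_service_url(headers, path):
    """Rebuild the service URL a CAS client behind nginx puts in service=.

    Assumption: the client derives scheme/host from X-Forwarded-Proto and Host.
    With 'proxy_set_header Host $host' the Host is the public proxy hostname,
    so the URL sent to CAS is the proxy URL, not the tomcat URL behind it.
    """
    scheme = headers.get("X-Forwarded-Proto", "http")
    return f"{scheme}://{headers['Host']}{path}"


def find_service(url, services=REGISTERED_SERVICES):
    """Return the name of the first registered service whose pattern matches url,
    or None when CAS would treat the service as unregistered (login page again)."""
    for svc in services:
        if re.search(svc["serviceId"], url):
            return svc["name"]
    return None


def register_public_service(services, name, public_base):
    """Add a service definition for the public URL users actually reach."""
    pattern = "^" + re.escape(public_base) + r"(/.*)?$"
    return services + [{"name": name, "serviceId": pattern}]


if __name__ == "__main__":
    direct = client_service_url({"Host": "localhost:8080"}, "/app/callback")
    proxied = client_service_url({"Host": "proxy_server"}, "/app/callback")
    print(direct, "->", find_service(direct))    # matches the tomcat entry
    print(proxied, "->", find_service(proxied))  # None: not registered
    fixed = register_public_service(REGISTERED_SERVICES, "app (via proxy)",
                                    "http://proxy_server/app")
    print(proxied, "->", find_service(proxied, fixed))
```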

James Q

Aug 2, 2018, 8:59:34 PM
to CAS Community
Hi Ray,

Thank you for your patient reply.

I think I know why.
When app and CAS are under the same proxy (same domain name), they have the same TGT, and CAS can validate it.
But when using three nginxs, they are under different domain names.

So I think it's a cross-domain sso.
As you said: http://proxy_server/app was not registered as a service in CAS.

Multiple domain names should follow the proxy webflow diagram, not the usual webflow diagram.

I will try it out, thank you very much.

Thanks.
James.

Ray Bon

Aug 3, 2018, 12:11:44 PM
to cas-...@apereo.org
James,

The TGT is scoped to the CAS server and is only used by CAS. Are you using certificates (https)? If they are self signed, they will have to be added to all nginx configs.
Back channel communication (like ticket validation) is done over https and both sides need to know about the other's certificates.
Multiple domain names are fine under CAS, it does not care where the service is located, only that it is registered and that it can communicate.
Proxying is done when the user logs into service A and A needs to get data from service B.

Ray

James Q

Aug 3, 2018, 9:21:58 PM
to CAS Community
Hello Ray,

Oh~, thank you.

I'm not using certificates now.
I will try it.

Thank you again.

James

James Q

Aug 4, 2018, 5:02:00 AM
to CAS Community
Hello Ray,

I configured SSL on nginx.
It works for multiple domains.

Thank you for your help of these days.
You're awesome.

James