CAS insecure box behind a reverse proxy


Mickaël

Dec 16, 2019, 1:08:09 PM
to CAS Community
Hi,

I am running CAS 5.3.X on a Tomcat 8 with Apache in front and AJP.
For several weeks, I have had AJP timeouts in error.log without any further reason.
My idea is to use Apache as an HTTP proxy and not AJP. Apache has the certificate for the TLS connection.
But I have tried different configurations without success, and the yellow box with the warning about the non-secure protocol does not want to disappear.

If somebody has any idea.

Sincerely, Mickaël

Ray Bon

Dec 16, 2019, 1:17:45 PM
to cas-...@apereo.org
Mickaël,

What is the AJP error?

You may have to turn up logging in apache and tomcat.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Mickaël

Dec 17, 2019, 2:31:05 AM
to CAS Community
Ray,

Thanks for the answer.

The Apache error:

[Mon Dec 16 20:10:23.636950 2019] [proxy_ajp:error] [pid 24997:tid 139694717187840] (70007)The timeout specified has expired: AH01030: ajp_ilink_receive() can't receive header
[Mon Dec 16 20:10:23.637062 2019] [proxy_ajp:error] [pid 24997:tid 139694717187840] [client XXX.XXX.XXX.XXX:38794] AH00992: ajp_read_header: ajp_ilink_receive failed, referer: XXXXXXXX
[Mon Dec 16 20:10:23.637092 2019] [proxy_ajp:error] [pid 24997:tid 139694717187840] (70007)The timeout specified has expired: [client XXX.XXX.XXX.XXX:38794] AH00878: read response failed from 127.0.0.1:8009 (127.0.0.1), referer:XXXXXXX

Ray Bon

Dec 17, 2019, 12:59:33 PM
to cas-...@apereo.org

It does not look like we have setting, but it may help.

Ray

Mickaël

Dec 17, 2019, 2:20:56 PM
to cas-...@apereo.org
Ray,

I already tried this but it doesn't solve the problem, I have the same error.

Mickaël 


Mickaël

Dec 19, 2019, 11:20:09 AM
to CAS Community
Hello,


server.port=8080
server.ssl.enabled=false
cas.server.http.enabled=false
cas.server.httpProxy.enabled=true
cas.server.httpProxy.secure=true
cas.server.httpProxy.scheme=https
cas.server.httpProxy.protocol=HTTP/1.1

Does somebody have a great idea for me, please? :o)

Mickaël

Ray Bon

Dec 19, 2019, 12:55:24 PM
to cas-...@apereo.org
Mickaël,

Could this be related to self signed certificates?

Java will reject unknown certificates, before they get to your app or tomcat, and there is often no indication.

Ray

Mickaël

Dec 20, 2019, 9:31:45 AM
to CAS Community

Ray,

I finally solved my problem by adding secure="true" in my Tomcat Connector which is used by Apache with proxyHttp.

Have a good weekend and thanks for your help.

Mickaël
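
Added example, not part of the original thread: a Tomcat `server.xml` HTTP connector for the setup described above (Apache terminates TLS and proxies plain HTTP to Tomcat), with the fix from the last message applied. Port 8080 and 127.0.0.1 come from the thread; `cas.example.org` is a placeholder hostname, and the `address`, `scheme`, `proxyName` and `proxyPort` values are assumptions about the deployment.

```xml
<!--
  Before (shown as a comment so the file stays valid):
  a plain HTTP connector. Tomcat sees every proxied request as
  http://, request.isSecure() returns false, and the application
  behaves as if the user were on an unencrypted connection.

  <Connector port="8080" protocol="HTTP/1.1" />
-->

<!--
  After: the connector Apache proxies to.

  secure="true"   makes request.isSecure() return true for requests
                  received on this connector (the fix from the thread).
  scheme="https"  makes request.getScheme() return "https", so URLs
                  the application builds point at the TLS front end.
  proxyName /     make getServerName() / getServerPort() return the
  proxyPort       public host and port instead of 127.0.0.1:8080
                  (placeholder values, adjust to the real front end).
  address         binds the connector to loopback. With secure="true"
                  Tomcat treats everything arriving here as secure
                  without checking, so only the local Apache should be
                  able to reach this port.
-->
<Connector port="8080"
           protocol="HTTP/1.1"
           address="127.0.0.1"
           scheme="https"
           secure="true"
           proxyName="cas.example.org"
           proxyPort="443" />
```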
