Client IP via Reverse Proxy


Colin Ryan

Mar 10, 2022, 7:54:52 PM
to CAS Community
Folks,

I know there's lots of info on this but I just can't seem to make it go,
it should be a no-brainer...but...alas...


I'm running CAS 6.3 in a Docker Container with embedded Spring Tomcat.
In front of this is Apache2 Reverse Proxy with straightforward
ProxyPass/ProxyPassReverse configurations. CAS itself is working
completely but the CLIENT-IP in the audit logs is showing the IP of the
Reverse Proxy.

What directives do I need in cas.properties to correct this?

From the CAS Shell I've found the:


 server.tomcat.remote-ip-header: X-FORWARDED-FOR


directive and I've tried a few other server directives from the Spring
Boot world, just can't make it work.



Misagh

Mar 10, 2022, 11:41:11 PM
to CAS Community
  • cas.audit.engine.alternate-client-addr-header-name=
  • Request header to use to identify the client address.

    If the application is sitting behind a load balancer, the client address typically ends up being the load balancer address itself. A common example for a header here would be X-Forwarded-For to glean the client address from the request, assuming the load balancer is configured correctly to pass that header along.


-- Misagh


Misagh

Mar 10, 2022, 11:44:35 PM
to CAS Community
Sorry. Didn't realize you are on 6.3.x. Use:

cas.audit.alternate-client-addr-header-name=X-Forwarded-For
-- Misagh
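
An added example, not part of the thread and not CAS's own logic: X-Forwarded-For is a comma-separated chain to which each proxy appends the address it saw, and a client can send its own value, so a consumer that relies on the header for audit records should take the rightmost entry that is not one of its own proxies. The proxy ranges and sample addresses below are constructed assumptions.

```python
import ipaddress

# Assumption: address ranges of our own reverse proxies (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to record as the client.

    peer_addr  -- the TCP peer the application actually sees
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # A header arriving from a peer that is not one of our proxies proves nothing.
    if not xff_header or not _is_trusted(peer):
        return str(peer)
    candidate = peer
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not one of our own proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing further to the left
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)


# Constructed samples: (peer address seen by the application, header value).
SAMPLES = [
    ("127.0.0.1", "203.0.113.7"),                # one proxy, real client
    ("127.0.0.1", "198.51.100.9, 203.0.113.7"),  # client supplied its own entry
    ("127.0.0.1", "203.0.113.7, 10.0.0.5"),      # two of our proxies chained
    ("203.0.113.50", "10.1.1.1"),                # header from an untrusted peer
]

if __name__ == "__main__":
    for peer, header in SAMPLES:
        print(f"{peer:15} {header!r:32} -> {client_ip(peer, header)}")
```
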

Colin Ryan

Mar 11, 2022, 10:26:14 AM
to cas-...@apereo.org

Perfect, that did it.

Thanks Misagh

Baba Ndiaye

Jun 13, 2022, 6:06:25 AM
to CAS Community, C Ryan, Misagh, Ray Bon
Hello guys,
I'm using HAProxy (public IP) and Moodle for my backend (private IP). Now it works nicely. But when I use CAS SSO for the authentication, in my service URL I have the address of my backend Moodle and not my frontend, like this: https://mycas.example.com/cas/login?service=https%3A%2F%2Fmymoodleinterne.mydomainlocal.com%2Flogin%2Findex.php%3FauthCAS%3DCAS
My frontend URL address: myhaproxy.example.com
My Moodle URL address: mymoodleinterne.mydomainlocal.com
I want my CAS to use the myhaproxy URL and not mymoodleinterne.

Ray Bon

Jun 13, 2022, 11:12:40 AM
to cas-...@apereo.org, mrbaba...@gmail.com, mm1...@gmail.com, col...@caveo.ca
Baba,

This sounds like an HAProxy config issue. Perhaps that user list could help.

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

Baba Ndiaye

Jun 13, 2022, 12:02:46 PM
to CAS Community, Ray Bon, mm1...@gmail.com, C Ryan, Baba Ndiaye

root@srv-CAS-2:/var/log/cas# tail -f cas_audit.log
WHAT: {service=https:// mymoodleinterne.mydomainlocal.com/login/index.php?authCAS=CAS, return=ST-6-uhIj2avGSKcabZjLUZLyESI6pCg-srv-CAS-2}
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Jun 13 15:48:08 UTC 2022
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
Also, can I have the real IP address for client and server? (I installed nginx to proxy https://mycas.example.com:8443/cas to https://mycas.example.com)

Baba Ndiaye

Jun 14, 2022, 9:01:04 AM
to CAS Community, Ray Bon, mm1...@gmail.com, C Ryan
I fixed my last message now.