CAS 5.2.0 How to configure cas in that way so that it listen to HTTP?


casuser

Dec 13, 2017, 11:50:59 PM
to CAS Community
There is a load balancer in between the user and the CAS. The load balancer will check allow the SSL certificate. But from the load balancer to the CAS the connection will be HTTP.

How do I configure CAS in such a way that it listens to HTTP?

I have tried this in my cas.properties but didn't solve my problem:

cas.server.httpProxy.enabled=true
# changed from True
cas.server.httpProxy.secure=false
cas.server.httpProxy.protocol=AJP/1.3
# changed to http
cas.server.httpProxy.scheme=http
cas.server.httpProxy.redirectPort=8080
cas.server.httpProxy.proxyPort=8080
cas.server.httpProxy.attributes.attributeName=attributeValue
I do have the warning:
"Non-secure Connection You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS." but the warning still remains.

Cristina Vlaicu

Dec 14, 2017, 1:55:20 AM
to cas-...@apereo.org
Hello, 

I had configured https on the application server. I had nothing to configure in CAS properties.

Thank you,
Cristina



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0fa53de5-dc4e-42c8-ba3f-04e107a36aa5%40apereo.org.

casuser

Dec 14, 2017, 2:13:26 AM
to CAS Community
Thank you Cristina,

Actually what I meant was: let's say https://example.com goes to a load balancer, which checks the SSL and provides the SSL certificate, and then the request goes to CAS. I want to configure CAS in a way so that it doesn't need to check for the SSL, because from the load balancer there will be an HTTP connection to CAS, and if CAS sees it as HTTP, Single Sign On WILL NOT WORK. So I need to configure CAS so that it listens to HTTP for the Single Sign On to work. Is there a way to achieve that?

Best Regards,

FAZLA

Doug Campbell

Dec 14, 2017, 2:31:03 AM
to cas-...@apereo.org

This may not be what you are working for or it might be different in 5.2.0 or it is possible I am forgetting something else but I believe all I did is the following:

Configure CAS to only listen on port 8080

Edit cas.properties and add the following lines:

# configure CAS to only listen for non-SSL traffic on port 8080
server.port=8080
server.ssl.enabled=false

Doug

Robert Oschwald

Dec 14, 2017, 2:37:35 AM
to cas-...@apereo.org
I strongly recommend not using the approach you are trying to configure. The connection between the LB and the CAS servers should be encrypted as well.


casuser

Dec 14, 2017, 2:53:43 AM
to CAS Community
Thanks Doug for the reply,

I have tried this configuration but I am still getting the same warning "You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK."

server.port=8080
server.ssl.enabled=false


FAZLA

casuser

Dec 14, 2017, 2:59:11 AM
to CAS Community
Thank you for the recommendation. Currently this is the existing system we have. We will try to follow your recommendation, but for that we need some time. Right now, is there a way to configure the CAS server to listen to HTTP?

Doug Campbell

Dec 14, 2017, 3:21:58 AM
to cas-...@apereo.org

I’m curious what you have for your cas.server.name and cas.server.prefix properties. They are the https address of your load balancer, right?

Another thing I realize that might be different is that I am not currently using a load balancer but just using Nginx to proxy all web requests including CAS. As a result I do have the following settings for the location in Nginx:

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

I wonder if you need to try something similar in your setup.
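
What the X-Forwarded-Proto header in the Nginx settings above is for, as an added example that is not part of the original post and is not CAS, Tomcat or Nginx code: a simplified Python model of a backend on plain HTTP deriving the scheme the browser used, honouring the header only when the connection comes from the proxy. The trusted network 10.0.0.0/24, the host name and the sample requests are constructed assumptions.

```python
import ipaddress

# Constructed assumption: the load balancer / Nginx proxy reaches the backend
# from this network. Nothing else is allowed to assert the original scheme.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def effective_scheme(peer_ip, headers, connector_scheme="http",
                     trusted=TRUSTED_PROXIES):
    """Return the scheme the backend should treat the request as having used."""
    peer = ipaddress.ip_address(peer_ip)
    from_proxy = any(peer in net for net in trusted)
    # HTTP header names are case-insensitive.
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get("x-forwarded-proto", "")
    # A chain of proxies can yield a comma-separated list; every hop must be https.
    hops = [hop.strip().lower() for hop in raw.split(",") if hop.strip()]
    if from_proxy and hops:
        return "https" if all(hop == "https" for hop in hops) else "http"
    # Header absent, or sent by an untrusted peer: use the real connection.
    return connector_scheme


# Constructed sample requests: (peer address, request headers).
SAMPLE_REQUESTS = [
    # Proxy terminated TLS and says so.
    ("10.0.0.5", {"Host": "sso.example.org", "X-Forwarded-Proto": "https"}),
    # Proxy forwards the request but does not set the header.
    ("10.0.0.5", {"Host": "sso.example.org"}),
    # Direct client outside the trusted network supplies the header itself.
    ("203.0.113.9", {"Host": "sso.example.org", "X-Forwarded-Proto": "https"}),
    # One hop in the chain was plain HTTP.
    ("10.0.0.5", {"Host": "sso.example.org", "x-forwarded-proto": "https, http"}),
]


def classify(requests=SAMPLE_REQUESTS):
    """Effective scheme for each sample request, in order."""
    return [effective_scheme(peer, headers) for peer, headers in requests]


if __name__ == "__main__":
    for (peer, _headers), scheme in zip(SAMPLE_REQUESTS, classify()):
        print(f"{peer:<12} -> {scheme}")
```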

casuser

Dec 14, 2017, 4:14:30 AM
to CAS Community
Yes, right now I have:

cas.server.name: http://localhost:8080
cas.server.prefix: http://localhost:8080/cas

in the cas.properties. 

FAZLA

Doug Campbell

Dec 14, 2017, 4:17:43 AM
to cas-...@apereo.org

Yeah. So in my CAS I had to change this to match my Nginx proxy, so I am guessing in your case if you change these to your load balancer that will help things a little bit.

casuser

Dec 14, 2017, 4:28:32 AM
to CAS Community
Yeah well I wish there was another way though. Will keep on looking for an alternative, if not then I will have to do something like this.

Jozef Kotlar - EEA.sk

Dec 15, 2017, 9:20:48 AM
to CAS Community
I think you should leave cas.server.httpProxy.secure=true; this is actually the setting on the container connector that CAS is checking.

Jozef

casuser

Dec 18, 2017, 9:46:37 PM
to CAS Community

Hello Jozef, that's my current configuration:

cas.server.httpProxy.enabled=true
cas.server.httpProxy.secure=true
cas.server.httpProxy.protocol=AJP/1.3
cas.server.httpProxy.scheme=http
cas.server.httpProxy.redirectPort=8080
cas.server.httpProxy.proxyPort=8080
cas.server.httpProxy.attributes.attributeName=attributeValue

Jozef Kotlar - EEA.sk

Dec 19, 2017, 11:46:07 AM
to CAS Community
And? That doesn't work?
It was just my guess. I am actually using another configuration to proxy standalone CAS behind Apache HTTP Server. The following configuration allows me to define both AJP (for proxying) and HTTP (for local monitoring) ports.

$ cat /etc/cas/config/application.yml
info:
  description: CAS Configuration

# Embedded tomcat
cas.server:
  http:
    enabled: true
    port: 8480
  ajp:
    secure: true
    enabled: true
    proxyPort: 443
    scheme: https
    port: 8409

Pedro Rosas

Oct 4, 2018, 7:37:39 AM
to CAS Community
Hi all,

I'm currently building a cas-overlay instance (based on CAS 5.3.3) that will be deployed to a standalone Tomcat 9 server.
Our production environment will have a load balancer that will offload the SSL certificates.
Between the load balancer and the Tomcat server communication will be using HTTP only.

So, we want to have CAS running on http ONLY.
On my development machine, I have it running on http.
If I navigate to the login page "http://localhost:8080/cas-overlay/login?service=https://www.example.org" everything seems to be working fine. 
Typing the correct credentials gets me redirected to the example.org domain with a ticket as a GET parameter "https://www.example.org/?ticket=ST-1-kP1yT6Q8VVBPlpi0NEBWi7mV0gUL-BR-PEDROR01"

But... if I navigate to the standard login page "http://localhost:8080/cas-overlay/login" the page includes the "Non-Secure Connection" warning - "You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS."

What does it mean that single sign on WILL NOT WORK?
Am I missing something, or is my setup running fine?
Can I simply safely ignore the warning?


Thanks.
Best Regards,
  Pedro Rosas

Ray Bon

Oct 4, 2018, 1:09:43 PM
to cas-...@apereo.org
Pedro,

Why?
Setting up certificates, even self-signed ones, is painless. There is plenty of documentation (some on the CAS site).
Other aspects of CAS, such as proxying, require https.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Pedro Rosas Silva

Oct 4, 2018, 1:44:05 PM
to cas-...@apereo.org
Well, it's more of a company IT requirement rather than a desirable approach.
I just wanted to find out what are the features that we could miss by not having CAS running on https.

Is there any place listing the HTTPS ONLY features?

Nevertheless, I'll try to push the option of having it running on HTTPS.

Thanks.
Best Regards,
  Pedro Rosas

--
Cheers,
  Pedro Rosas

Dmitriy Kopylenko

Oct 4, 2018, 2:33:05 PM
to cas-...@apereo.org

Jozef Kotlár

Oct 5, 2018, 4:23:08 AM
to cas-...@apereo.org
Hello,

for testing purposes you have to emulate your load balancer, using httpd or nginx, or any other tool and point your CAS client in example.org to that HTTPS URL.
For testing I usually use a generated certificate for https://localhost.localdomain and a locally deployed CAS-protected service from https://github.com/cas-projects/cas-sample-java-webapp

Jozef
