Apache/Tomcat


Lionel Samuel

Apr 17, 2018, 12:26:37 AM
to CAS Community
Hello All:

Our University will be installing CAS, and we are currently looking at installing CAS in Tomcat and proxying connections via Apache HTTP (both fall on the same server).

The rationale is that Tomcat is never directly exposed, so the proxying via Apache HTTP offers a measure of added cocooning.

Has anyone done the same? We don't want to be trailblazers or over-engineer.

 


michael kromarek

Apr 17, 2018, 2:01:17 AM
to cas-...@apereo.org
This is currently how I have my CAS 5.2 install set up. We use Apache as the SSL handler because it is usually more up to date cipher-wise than Tomcat. The setup isn't too difficult; you just need to enable mod_proxy, mod_proxy_html, rewrite, and ssl in Apache. Then you want to create a vhost like the one attached with your values plugged in.

After that, you want to let Tomcat know that you're using a proxy by setting up your connector like so in server.xml:

<Connector port="8080" protocol="org.apache.coyote.http11.Http11AprProtocol"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               server="Apache"
               address="127.0.0.1"
               maxThreads="150"
               proxyPort="443"
               proxyName="<your server fqdn here>"
               scheme="https"
               secure="true"/>

You also want to set up a valve for your proxy setup in server.xml. Put your server's IP in the regex for internalProxies:
<!-- Get client IP from proxy -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127\.0\.0\.1|10\.0\.0\.23"
               remoteIpHeader="x-forwarded-for"
               protocolHeader="x-forwarded-proto"
               requestAttributesEnabled="true"  />


That should get you off to a good start. You may also want to default all your traffic to SSL by creating a rewrite rule in the 000-default.conf file for Apache.

--Mike K.


default-ssl.vhost
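
The Valve settings in the reply above, as an added example that is not part of the original post and is not Tomcat's own code: a simplified Python model of how RemoteIpValve chooses the client address from X-Forwarded-For, using the internalProxies regex from the post. The function name and the sample addresses are assumptions, and trustedProxies handling is left out.

```python
import re

# Regex copied from the Valve's internalProxies attribute in the post above.
INTERNAL_PROXIES = re.compile(r"127\.0\.0\.1|10\.0\.0\.23")


def resolve_remote_ip(peer_addr, xff_header, internal=INTERNAL_PROXIES):
    """Simplified model of how RemoteIpValve picks the client address.

    peer_addr  -- address of the TCP peer that connected to Tomcat
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    # The header is honoured only when the peer itself is a listed proxy
    # (the valve matches the whole address, hence fullmatch).
    if not internal.fullmatch(peer_addr) or not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client = peer_addr
    # Walk right to left: the rightmost entries were appended by our own
    # proxies; the first entry that is not an internal proxy is the client.
    for hop in reversed(hops):
        client = hop
        if not internal.fullmatch(hop):
            break
    return client


# Constructed sample requests (documentation-range addresses, not real traffic).
SAMPLES = [
    # Normal case: Apache on localhost forwards one client.
    ("127.0.0.1", "203.0.113.7"),
    # Client sent its own X-Forwarded-For; Apache appended the real address.
    ("127.0.0.1", "10.0.0.23, 203.0.113.7"),
    # Two internal hops in front of Tomcat.
    ("127.0.0.1", "198.51.100.9, 10.0.0.23"),
    # Peer is not a listed proxy, so the header is ignored.
    ("192.0.2.50", "127.0.0.1"),
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:<12} xff={xff!r:<28} -> {resolve_remote_ip(peer, xff)}")
```

The second and fourth samples show why the regex should list only addresses you control and why the Connector binds to 127.0.0.1: a header value is trusted only when it arrives through a listed proxy, and anything the client wrote to the left of the proxy's own entry is never reached.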