mod_auth_cas / phpCas - HTTP Apache Behind HTTPS Terminated Load Balancer

[Will Gleich]

I am running multiple HTTP Apache instances behind a SSL Terminated Load Balancer. Apache serves PHP Content on Port 80, but the user’s browser sees everything as fully encrypted.

 

Some of our developers use mod_auth_cas, where others use PhpCAS. We are hoping to find an apache solution for both of these without manually hardcoding URLs into the php / apache configuration.

I realize that mod_auth_cas has a CASRootProxiedAs directive, but since it doesn’t take apache variables, the URLs would need to hardcoded.
I am considering implementing the following patch: https://groups.google.com/forum/#!topic/jasig-cas-user/5I_hlBQmVM4

 

I have two questions:

 

• Does PHPCas have a similar “CASRootProxiedAs” directive, so I can proxy the service URL away from HTTP à HTTPS
• Is there an Apache configuration that can spoof the service URL (referrer) to CAS to append the HTTPS from both mod_auth_cas and PhpCas?

 

We would like to avoid decrypting SSL on the apache instance if possible, but it looks like we may have to do that for the CAS implementation to be streamlined.

Has anyone else solved this problem – am I over-looking something? Perhaps I can spoof HTTPS with some apache header change.

 

Thanks,

 

William Gleich
University of Utah

[David Hawes]

On Tue, 14 May 2019 at 13:22, 'Will Gleich' via CAS Community
<cas-...@apereo.org> wrote:
> Has anyone else solved this problem – am I over-looking something? Perhaps I can spoof HTTPS with some apache header change.

Have you tried using CASRootProxiedAs with the virtual host on your LB
and setting session affinity or sticky sessions or whatever your LB
calls it?