CAS 6.6.x CSS with SSL Offload


atilling

Nov 2, 2023, 1:40:43 PM
to CAS Community
Offloading SSL to F5 BigIP
In cas.properties we have:
server.port=8080
server.ssl.enabled=false

If we go to https://node.domain.tld:8080/cas/login the page displays fine and the CSS is loaded.

If we go to https://vip.domain.tld/cas/login the page displays but the CSS is not loaded.

https://vip.domain.tld/cas/login/themes/cc_main/css/cas.css throws the error ERR_TOO_MANY_REDIRECTS.

Tried adding 
server.tomcat.remoteip.port-header=x-forwarded-port
server.tomcat.remoteip.protocol-header=x-forwarded-proto
server.tomcat.remoteip.remote-ip-header=x-forwarded-for

And there was no change.

Ray Bon

Nov 2, 2023, 3:22:24 PM
to cas-...@apereo.org
Is it possible that vip...themes is protected/secured and needs login to access?
Check your developer console to see where the redirects are going.
Check cas logs to see which URIs are unprotected (shows on startup).

Ray

On Thu, 2023-11-02 at 09:24 -0700, atilling wrote:

atilling

Nov 3, 2023, 11:16:09 AM
to CAS Community, Ray Bon

There is nothing on the VIP that specifies any security for any URI.


The developer console shows that cas.css is redirecting to cas.css.

[attached screenshot: Screenshot 2023-11-03 at 10.22.53 AM.png]

During startup I'm seeing:

INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Will not secure Ant [pattern='/css/**']>

Ray Bon

Nov 3, 2023, 6:19:18 PM
to atil...@conncoll.edu, cas-...@apereo.org
I see /css/** in my startup but not /themes/**. That could be because we have no custom theme.
Could it be a problem with a rewrite rule in VIP?

Ray

atilling

Nov 6, 2023, 12:52:15 PM
to CAS Community, Ray Bon, atil...@conncoll.edu
The VIP only connects external 443 to 8080 on the CAS servers.
We have the same config with our production cas 5.1.x servers and CSS is displaying fine.

Meysam Shirazi

Nov 7, 2023, 7:18:04 AM
to CAS Community, atilling, Ray Bon
As Ray said, it's because you use a custom theme and /themes/** is not defined in the list of endpoints excluded from web security, so Spring Security redirects the request to the secure channel, i.e. to port 8443 (the default port), which does not exist in your situation!
I think there are multiple ways to deal with it:
  • adding /themes/** to the URL map in CasWebSecurityConfigurerAdapter to exclude/ignore it from web security
  • copying the static resources from /themes/custom to the static folder
  • and the best way, if you deploy CAS on Tomcat, is to tell Tomcat about the proxy:
[attached image: tomcat_proxy.PNG]

atilling

Nov 7, 2023, 12:46:12 PM
to CAS Community, Meysam Shirazi, atilling, Ray Bon
We're using the embedded Tomcat with the settings:

server.port=8080
server.ssl.enabled=false
server.tomcat.remoteip.port-header=x-forwarded-port
server.tomcat.remoteip.protocol-header=x-forwarded-proto
server.tomcat.remoteip.remote-ip-header=x-forwarded-for

Can I add those Tomcat settings to the embedded Tomcat?

Our CSS is in /etc/cas/static/themes/ccmain

and we have the setting for the path in cas.properties

cas.theme.paramName=cc_main
cas.theme.defaultThemeName=cc_main
#externalize templates
spring.thymeleaf.prefix=file:/etc/cas/templates/
spring.web.resources.static-locations=classpath:/META-INF/resources/, \
  classpath:/resources/,classpath:/static/, \
  classpath:/public/,file:/etc/cas/templates/,file:/etc/cas/static/

I do not understand why it works on 8080 but not on the F5 pulling 8080 to 443. What is triggering redirects when the traffic comes through the F5?

Meysam Shirazi

Nov 7, 2023, 10:25:45 PM
to CAS Community, atilling, Meysam Shirazi, Ray Bon
For embedded Tomcat in Spring Boot it seems that Tomcat ignores the x-forward-* settings for the redirect, so you have to disable context path redirects; based on this issue (I didn't test it myself) you can use these settings:
server.port = 8081
server.servlet.context-path = /hweproxy
server.forward-headers-strategy = native
server.tomcat.redirect-context-root = false

I used Nginx as a reverse proxy without any problem, but there I can set the X-Forward-* headers in the proxy config; about F5 I don't know what happens there because I don't have any access to it! :))
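
A hop-by-hop redirect tracer, added here as an example (it is not code from this thread or from the CAS project), for the two checks raised above: Ray's "see where the redirects are going" and Meysam's point that embedded Tomcat may not be applying the X-Forwarded-* headers. It requests a URL without following redirects, records each Location, and stops at the first repeated URL, which is the loop a browser reports as ERR_TOO_MANY_REDIRECTS. Run it twice directly against a node on port 8080: once plain, once with the X-Forwarded-Proto: https and X-Forwarded-Port: 443 headers the F5 adds. If the second request still gets a 302 to an https URL, Tomcat is not honouring the headers; in Spring Boot the server.tomcat.remoteip.* settings only take effect once server.forward-headers-strategy=native registers Tomcat's RemoteIpValve. The stand-in server in the block is constructed so the example runs offline and models a node that does honour the header; the host names and paths are placeholders.

```python
"""Hop-by-hop redirect tracer (added example, not CAS or thread code).

Requests a URL without following redirects, records every Location header and
stops at the first repeated URL, i.e. the loop a browser reports as
ERR_TOO_MANY_REDIRECTS.  Extra request headers can be supplied to imitate what
the F5 sends (X-Forwarded-Proto/-Port), so a node can be tested on 8080 both
with and without them.
"""
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fetch_once(url, extra_headers=None, timeout=10):
    """Issue one GET and return (status, Location header or None).

    Redirects are deliberately not followed; that is the caller's job."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(
            parts.hostname, parts.port, timeout=timeout,
            context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        # http.client adds Host itself unless the caller supplies one, so a
        # "Host: vip.domain.tld" entry in extra_headers can test name-based rules.
        conn.request("GET", path, headers=dict(extra_headers or {}))
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, extra_headers=None, max_hops=10):
    """Follow redirects manually.

    Returns (hops, verdict): hops is a list of (url, status, location) and
    verdict is "final" (a non-redirect answer), "loop" (a URL repeated) or
    "too-many-redirects" (max_hops exhausted without a repeat)."""
    hops, seen, current = [], set(), url
    while len(hops) < max_hops:
        seen.add(current)
        status, location = fetch_once(current, extra_headers)
        hops.append((current, status, location))
        if status not in REDIRECT_CODES or not location:
            return hops, "final"
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            return hops, "loop"
        current = nxt
    return hops, "too-many-redirects"


class StandInNode(BaseHTTPRequestHandler):
    """Constructed stand-in for a CAS node whose security rule demands HTTPS.

    Without X-Forwarded-Proto: https it answers 302 to the same path, which is
    the cas.css -> cas.css loop seen in the developer console; with the header
    it serves the stylesheet, as a node that applies the header would."""

    def do_GET(self):
        if self.headers.get("X-Forwarded-Proto", "").lower() == "https":
            body = b"/* constructed cas.css */"
            self.send_response(200)
            self.send_header("Content-Type", "text/css")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(302)
            self.send_header("Location", self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stand_in():
    """Start the stand-in on an ephemeral loopback port and return that port."""
    server = HTTPServer(("127.0.0.1", 0), StandInNode)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


if __name__ == "__main__":
    port = start_stand_in()  # for a real check use e.g. http://node.domain.tld:8080
    url = f"http://127.0.0.1:{port}/cas/themes/cc_main/css/cas.css"
    f5_headers = {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
    for label, hdrs in (("plain request", None), ("with F5 headers", f5_headers)):
        hops, verdict = trace_redirects(url, hdrs)
        print(f"{label}: {verdict}")
        for hop_url, status, location in hops:
            print(f"  {status} {hop_url} -> {location}")
```

Against a real node, compare the two traces: a plain request to 8080 is expected to be redirected to https by the channel rule, but the request carrying the forwarded headers should answer 200 if Tomcat is applying them. A "loop" verdict on the headed request is the symptom from this thread, and the hop list shows exactly which URL the Location header points back to.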

atilling

Nov 8, 2023, 3:29:57 PM
to CAS Community, Meysam Shirazi, atilling, Ray Bon
I know the F5 is sending x-forwarded-proto, x-forwarded-port, x-forwarded-by, and x-forwarded-for

I tried the settings you suggested from that case: | server.servlet.context-path = /hweproxy | breaks the application altogether, and the other settings seem to have no effect.


Looking at CasWebSecurityConfigurerAdapter in Git, it looks like CAS 7 has | patterns.add("/themes/**"); | but CAS 6.6.x does not. I'm thinking the only fix is to add my own org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter to my overlay that includes the "/themes/**" pattern?

Meysam Shirazi

Nov 9, 2023, 12:51:14 AM
to CAS Community, atilling, Meysam Shirazi, Ray Bon
I did not test it myself because I'm not using embedded Tomcat; anyway, the main config was server.tomcat.redirect-context-root = false, and /hweproxy was a sample value, so you should replace it with your context path.
I think including "/themes/**" pattern is the best way in this situation.