Redirect loop

[Pooya Eslami]

Hi everyone...

I have a plone site that serves on http://my.domain.com:8080/intranet.

Based on the plone docs I have a rewrite rule so to translate that ugliness to http://my.domain.com

I have cas enabled on the plone site for authentication and it works fine.

Several pages at the root level are available to public unfortunately. So to protect these pages via cas, I have installed the mod_auth_cas in apache.

Now the pages that were previously public are protected by cas, but if I try to go to the root site http://my.domain.com/ I get a redirect loop that keeps generating tickets and goes between cas and my.domain.com trying to validate.

here is my apache conf:

<VirtualHost *>

    ServerName my.domain.com

    ServerSignature On

    ProxyVia On

    <Proxy *>

        Order deny,allow

        Allow from all

    </Proxy>

    CASCookiePath    /var/cache/apache2/mod_auth_cas/

    CASLoginURL      https://cas.domain.com/cas/login

    CASValidateURL   https://cas.domain.com/cas/serviceValidate

    CASDebug         on

    LogLevel         Debug

    RewriteEngine on

    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{SERVER_NAME}:80/intranet/VirtualHostRoot/$1 [P,L]

    <Location />

        CASScope on

        AuthType CAS

        require valid-user

    </Location>

</VirtualHost>

Any advice will be appreciated. Thanks

[David Hawes]

That looks off to me. What happens if you remove that line completely
or use "CASScope /"?

What versions of Apache and mod_auth_cas are you using?

[Pooya Eslami]

Same if that line is deleted or set to /

I keep getting sent to cas and redirected back to site. 
I would like to try RewriteCond, but where would I stop?! If I stop at cas it will not redirect to cas, if stop after site, it will not redirect to cas...

See my dilemma? 

[David Hawes]

On 18 May 2017 at 17:40, Pooya Eslami <poo...@gmail.com> wrote:
> Same if that line is deleted or set to /
> I keep getting sent to cas and redirected back to site.
> I would like to try RewriteCond, but where would I stop?! If I stop at cas
> it will not redirect to cas, if stop after site, it will not redirect to
> cas...
> See my dilemma?

Do you have another VirtualHost for 8080?

Your config works fine for me on Apache 2.4.17 and mod_auth_cas master
provided I have a separate VirtualHost for 8080.

What do your logs show?

[Pooya Eslami]

Logs show going back and forth between site and cas...

$ tail -f access.log 

10.55.1.102 - USER567 [18/May/2017:20:39:33 +0000] "GET / HTTP/1.1" 302 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0"

10.55.1.102 - USER567 [18/May/2017:20:39:33 +0000] "GET /?ticket=ST-8490389-1QQZghQr4Mq4Y1d0DWtX-cas HTTP/1.1" 302 587 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0"

10.55.1.102 - USER567 [18/May/2017:20:39:33 +0000] "GET / HTTP/1.1" 302 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0"

10.55.1.102 - USER567 [18/May/2017:20:39:33 +0000] "GET /?ticket=ST-8490390-gdcqMZ4hYqannRw4WZRr-cas HTTP/1.1" 302 587 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0"

10.55.1.102 - USER567 [18/May/2017:20:39:33 +0000] "GET / HTTP/1.1" 302 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0"

10.55.1.102 - USER567 [18/May/2017:20:39:33 +0000] "GET /?ticket=ST-8490391-dEHGGYgNNknusb4XBwFl-cas HTTP/1.1" 302 587 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0"

10.55.1.102 - USER567 [18/May/2017:20:39:33 +0000] "GET / HTTP/1.1" 302 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0"

10.55.1.102 - USER567 [18/May/2017:20:39:33 +0000] "GET /?ticket=ST-8490392-tJUb7ZHBoE3UQeLBxIe4-cas HTTP/1.1" 302 587 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0"

10.55.1.102 - USER567 [18/May/2017:20:39:33 +0000] "GET / HTTP/1.1" 302 16773 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0"

10.55.1.102 - USER567 [18/May/2017:20:39:33 +0000] "GET /?ticket=ST-8490393-4oRlIYjdA9civwc149Nf-cas HTTP/1.1" 302 587 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0"

This goes on forever

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wBDn-eWAt7f2o1tNQvpTBc%2B1xghVnE1Mf7xuoc9N-kNtg%40mail.gmail.com.

[David Hawes]

What do the mod_auth_cas debug logs show?

Can you post your full Apache configuration?

What version of Apache?

What version of mod_auth_cas?

[David Hawes]

I don't see that you have the following in your config (from the Plone docs):

<VirtualHost *>
ServerAlias *
ServerRoot /var/www
ServerSignature On
</VirtualHost>

Have you tried adding something like this? Without it, I'd expect the
proxy to just keep looping. This happens on my test machine.

You may still have some mod_auth_cas issues (I'd recommend upgrading
to v1.1), but this needs to work first. It may be useful to comment
out all the mod_auth_cas directives and make sure it works without
auth as expected.


On 23 May 2017 at 17:03, Pooya E <poo...@gmail.com> wrote:
> I think I know where the problem is... I need a ProxyPassReverse for the
> rewrite rule I have since it is redirecting with an address that has 8080
> appended.
> What do you think? If so, how would you write the ProxyPassReverse for that
> rewrite rule?

>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wA-GN6gjcfbUsqfOm2t3MBGZF48sw8iN639TyTbvG%2BTBg%40mail.gmail.com.

[Pooya E]

I think I know where the problem is... I need a ProxyPassReverse for the rewrite rule I have since it is redirecting with an address that has 8080 appended.

What do you think? If so, how would you write the ProxyPassReverse for that rewrite rule?

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wA-GN6gjcfbUsqfOm2t3MBGZF48sw8iN639TyTbvG%2BTBg%40mail.gmail.com.

[Pooya Eslami]

Where would I find mod_auth_cas logs?

The full apache conf is here: https://pastebin.com/cyrp9nbJ

version of apache is 2.4.7

libapache2-mod-auth-cas version 1.0.9.1-4

I only have plone installed, it creates a virtual host at 8080.

Rewrite rule was per plone docs... https://docs.plone.org/manage/deploying/front-end/apache.html

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wA-GN6gjcfbUsqfOm2t3MBGZF48sw8iN639TyTbvG%2BTBg%40mail.gmail.com.

[Pooya Eslami]

Part of the error log...

https://pastebin.com/dhRnyfWB

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wA-GN6gjcfbUsqfOm2t3MBGZF48sw8iN639TyTbvG%2BTBg%40mail.gmail.com.