Simplesamlphp and SSL offloader


mast

Oct 11, 2011, 7:44:19 AM
to simpleSAMLphp
Hi,

Can anybody give a solution for how to set up simplesamlphp on a host where
it works behind an SSL offloader? Actual traffic between client and server is
over https via Pound, but the virtualhost configuration does not set any SSL
directives and simplesamlphp seems to dislike it.

Frontpage configuration warning:
**************************
Warnings
You are not using HTTPS - encrypted communication with the user. HTTP
works fine for test purposes, but in a production environment, you
should use HTTPS.
**************************

Greetings,
Argo

Peter Schober

Oct 11, 2011, 9:46:55 AM
to simpleSAMLphp
* mast <argovo...@gmail.com> [2011-10-11 15:17]:

> Can anybody give a solution for how to set up simplesamlphp on a host where
> it works behind an SSL offloader? Actual traffic between client and server is
> over https via Pound, but the virtualhost configuration does not set any SSL
> directives and simplesamlphp seems to dislike it.

In the past you had to hack lib/SimpleSAML/Utilities.php and simply
always return 'https' from getSelfProtocol() and 443 for $portnumber
but I think this should now be configurable.
Check the archives (or code ;), I'm pretty sure it's in there,
-peter

Argo Võigemast

Oct 11, 2011, 6:41:23 PM
to simple...@googlegroups.com
Thanks Peter, that works.

2011/10/11 Peter Schober <peter....@univie.ac.at>

--

-----------------------------------------
Tervitades,
Argo Võigemast
-----------------------------------------

Olav Morken

Oct 12, 2011, 3:35:59 AM
to simpleSAMLphp

I just want to add that there is code in subversion that makes this
much easier, but there is no release containing that code yet.

Regards,
Olav Morken
UNINETT / Feide

bojan....@ben-energy.com

Aug 21, 2015, 9:30:22 AM
to simpleSAMLphp, argovo...@gmail.com
Hi Argo,

We have simplesamlphp running on apache2 behind a reverse proxy (nginx), which is also our SSL terminator. Having apache2 means we can easily manipulate the HTTPS environment variable in .htaccess to have simplesamlphp believe the connection is secure (which it actually is). As Peter Schober mentioned (thanks Peter!), SimpleSAML_Utilities::getSelfProtocol() is the function simplesamlphp uses to determine the protocol. This function just checks for HTTPS=on using PHP's $_SERVER variable.

Our reverse proxy adds the following header:

X-Forwarded-Proto=https


So if you have something similar, you trust your reverse proxy, and you're sure that requests cannot go directly to apache, you can use SetEnvIf like so in .htaccess (see https://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif for doc and further examples):

SetEnvIf X-Forwarded-Proto https HTTPS=on


Now most php applications that check for a secure connection using the HTTPS environment variable (including simplesamlphp) will think the connection is secure. This will get rid of that warning.


Our problem was that the AssertionConsumerServiceURL in the <samlp:AuthnRequest/> sent over to the IdP started with http instead of https. This caused the IdP to send the browser back to an http URI on our end instead of the correct https URI. This actually causes SSO problems in Microsoft Edge because it doesn't re-POST (it does a GET instead) when it gets a 302 redirect, which is precisely what it gets from our reverse proxy when it tries an http URI. Firefox, Chrome and other browsers just re-POST so we didn't discover this until pretty late into testing.


Unfortunately, the problems continue. SimpleSAML_Utilities::selfURLhost() also likes to append the port number to the hostname if the port doesn't match the default port for the given (http/https) protocol. So after the fix above, browsers were being sent to https://our-app.example.com:80/lib/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp, which of course caused the browsers to not successfully connect to the reverse proxy.


In order to fix this, we ended up improving the code in selfURLhost() a bit where it sets the $portnumber:

$portnumber = isset($_SERVER["X_FORWARDED_PORT"]) ? $_SERVER["X_FORWARDED_PORT"] : null;

$portnumber = $portnumber ? $portnumber : (isset($_SERVER["SERVER_PORT"]) ? $_SERVER["SERVER_PORT"] : 80);


Of course, we also had to get nginx to send the original port over to apache2:

proxy_set_header           X-Forwarded-Port $server_port;


Now browsers are correctly being sent to https://our-app.example.com/lib/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp by the IdP (as this is the URI our simplesamlphp SP provides) and all browsers are happy, including Microsoft Edge. And everybody gets fewer redirects. Excellent!


Hope that helps!


Best,

Bojan

Peter Schober

Aug 23, 2015, 3:30:47 PM
to simpleSAMLphp
* bojan....@ben-energy.com <bojan....@ben-energy.com> [2015-08-21 15:30]:
> Hope that helps!

*None* of that should be necessary if you just set 'baseurlpath'
in config/config.php correctly.

The thread you're replying to is 3.5 years old and the code change
that added the configuration parameter for this (instead of having to
locally fork the code) was committed to the VCS even back then.
-peter

paolo.m...@sparkfabrik.com

Nov 28, 2017, 10:51:30 AM
to SimpleSAMLphp
Just let me reply to this old thread with an alternative solution: you can just add the following lines at the top of the config.php file:

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
&& $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
   $_SERVER['HTTPS'] = 'on';
   $_SERVER['SERVER_PORT'] = '443';
}

Of course this solution is valid only if your reverse proxy is forwarding the proto.

P.
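Both Bojan's SetEnvIf rule and Paolo's config.php snippet act on X-Forwarded-Proto no matter who sent it, which is only safe when, as Bojan says, requests cannot reach the PHP host directly. The following is an added example, not code from any poster in this thread or from SimpleSAMLphp itself: it performs the same HTTPS/SERVER_PORT fix-up, but only for requests whose REMOTE_ADDR is a known offloader, and it also picks up the forwarded port so that selfURLhost() does not append ":80". The proxy address is a constructed placeholder, and placing the code at the top of config/config.php is an assumption about where you hook it in.

```php
<?php
// Added example (not from the thread): honour X-Forwarded-Proto / X-Forwarded-Port
// only when the request actually arrived from the SSL offloader.
// Intended to sit at the top of config/config.php, before the $config array.

// Hypothetical address of the Pound/nginx offloader; replace with your own.
$sspTrustedProxies = ['10.0.0.5'];

/**
 * Rewrite $server in place so PHP applications see the connection as HTTPS.
 * Returns true when the forwarded scheme was applied, false otherwise.
 */
function ssp_apply_forwarded_scheme(array &$server, array $trustedProxies)
{
    // Never trust forwarded headers from arbitrary clients: a request that
    // bypasses the proxy could otherwise declare itself "https".
    if (!isset($server['REMOTE_ADDR'])
        || !in_array($server['REMOTE_ADDR'], $trustedProxies, true)) {
        return false;
    }

    // A request header named X-Forwarded-Proto reaches PHP as
    // $_SERVER['HTTP_X_FORWARDED_PROTO'] (HTTP_ prefix, dashes to underscores).
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    if ($proto !== 'https') {
        return false;
    }

    $server['HTTPS'] = 'on';

    // Prefer the port the client connected to on the proxy; fall back to 443.
    // Accept digits only so a malformed header cannot end up in generated URLs.
    $port = (string) ($server['HTTP_X_FORWARDED_PORT'] ?? '443');
    $server['SERVER_PORT'] = ctype_digit($port) ? $port : '443';

    return true;
}

ssp_apply_forwarded_scheme($_SERVER, $sspTrustedProxies);
```

If your offloader sits behind yet another proxy, X-Forwarded-Proto may arrive as a comma-separated list; in that case split it and only evaluate the element added by the hop you trust rather than the whole string.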

Peter Schober

Nov 28, 2017, 12:51:41 PM
to SimpleSAMLphp
* <paolo.m...@sparkfabrik.com> [2017-11-28 16:51]:
> Just let me reply to this old thread with an alternative solution, you can
> just add the following lines at the top of config.php file:
>
> if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
> && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
> $_SERVER['HTTPS'] = 'on';
> $_SERVER['SERVER_PORT'] = '443';
> }

Just setting baseurlpath correctly (e.g. including the schema + fqdn +
relative request_uri) did not work for you?

-peter

paolo.m...@sparkfabrik.com

Dec 4, 2017, 8:22:58 AM
to SimpleSAMLphp
Hi Peter, yes, it worked, but then simplesaml forces a redirect to the specified domain, and in my specific case I needed to use the same simplesaml instance as both SP/IDP on 2 different domains.

Peter Schober

Dec 5, 2017, 11:35:51 AM
to SimpleSAMLphp
* paolo.m...@sparkfabrik.com <paolo.m...@sparkfabrik.com> [2017-12-04 14:23]:
> Hi Peter, yes it worked but then simplesaml forces a redirect to the
> specified domain and in my specific case i needed to use the same
> simplesaml instance to be both SP/IDP on 2 different domains.

I see. You'd need to provide an absolute URL in order to specify the
schema ("https://") but with SSP on several vhosts you'd want to use a
relative baseurlpath?

Well, then it's still both simpler and cleaner to not hack the core
code but simply use PHP in the config.php as needed, e.g.

'baseurlpath' => 'https://' . $_SERVER['SERVER_NAME] . '/simplesaml/',

Note that this requires "UseCanonicalName On" on httpd to be safe.
Otherwise you'd better implement a whitelist of host names as shown in
the example at https://stackoverflow.com/a/1459794
-peter

Peter Schober

Dec 5, 2017, 11:39:54 AM
to SimpleSAMLphp
* Peter Schober <peter....@univie.ac.at> [2017-12-05 17:35]:
> 'baseurlpath' => 'https://' . $_SERVER['SERVER_NAME] . '/simplesaml/',

The quoting is messed up in $_SERVER but you get the idea.

> Note that this requires "UseCanonicalName On" on httpd to be safe.

Which in turn requires ServerName to be set properly.
-peter
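Peter's caveat about UseCanonicalName and ServerName is the same concern the linked stackoverflow answer addresses: a host name copied from the request into 'baseurlpath' ends up in AssertionConsumerService URLs and redirects, so it must come from a fixed list rather than from whatever the client sent. The following is an added example, not Peter's code and not SimpleSAMLphp's own; it builds 'baseurlpath' from the request host only when that host is on an explicit allowlist, and falls back to a fixed canonical URL otherwise. The host names are constructed placeholders, and the '/simplesaml/' path is taken from Peter's example.

```php
<?php
// Added example (not from the thread): choose 'baseurlpath' per vhost from an
// allowlist, so an SP/IdP serving two domains never echoes an untrusted Host
// header into its SAML endpoints.

/**
 * Return the https base URL for an allowlisted request host, or $default.
 */
function ssp_select_base_url(array $server, array $allowedHosts, $default)
{
    // HTTP_HOST is client-controlled, and SERVER_NAME is only trustworthy
    // with "UseCanonicalName On" and a correct ServerName, so validate
    // whichever one is present instead of using it blindly.
    $host = strtolower($server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? '');

    // Drop an explicit port ("sp.example.org:443") before comparing.
    $host = preg_replace('/:\d+$/', '', $host);

    if (!in_array($host, $allowedHosts, true)) {
        // Unknown host: stick to the canonical URL rather than building one
        // from attacker-supplied data.
        return $default;
    }

    return 'https://' . $host . '/simplesaml/';
}

// Hypothetical vhosts served by this one SimpleSAMLphp instance.
$sspAllowedHosts = ['sp.example.org', 'idp.example.org'];

// Usage in config/config.php, after the existing $config array is defined:
$config['baseurlpath'] = ssp_select_base_url(
    $_SERVER,
    $sspAllowedHosts,
    'https://sp.example.org/simplesaml/'
);
```

Because the scheme is hard-coded to https here, this also covers the original question in the thread: the offloader's lack of SSL directives on the backend vhost no longer matters for the URLs SimpleSAMLphp generates, and it works whether or not the proxy forwards X-Forwarded-Proto.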