My config is not complex (but has a reverse proxy)
browser get -> https://shibsp.freeidp.net/secure
--- SSL over internet ---> (91.121.173.80:443) reverse-proxy(pound)
---- Reverse-proxy on internal-network -> (10.10.101.10:80) apache
--- Apache shib-module -> (unix-socket) shibsp
Note: my internal machine has full access to the internet, but this is not the
issue for the moment, as I'm using the POST profile.
When requesting a protected page:
- from the internet (get https://shibsp.freeidp.net/secure)
- apache receives the request (http://shibsp.freeidp.net/secure)
- I'm correctly redirected to the IdP
- I authenticate with one of the dummy users
- the IdP redirects my browser to my SP with the SAML response
(https://shibsp.freeidp.net/Shibboleth.sso/SAML2/POST)
- Pound reverse proxy terminates SSL and passes the SAML2 POST to apache
http://shibsp.freeidp.net/Shibboleth.sso/SAML2/POST
- Apache passes (I think :)) the request to the shibd daemon
*** shibsp refuses the request ***
This is what I get in /var/log/shibboleth/shibd.log
>2008-10-10 13:51:59 ERROR OpenSAML.MessageDecoder.SAML2POST [2]: POST
targeted at (https://shibsp.freeidp.net/Shibboleth.sso/SAML2/POST), but
delivered to (http://shibsp.freeidp.net/Shibboleth.sso/SAML2/POST)
I found a post on the subject, but I do not understand it :(
https://spaces.internet2.edu/display/SHIB/SPReverseProxy
Question: would someone have a simple explanation for running an SP behind an SSL
termination point (pound, bigip, alteon, etc.)? I'm currently only using the
POST profile, but my end goal is to have the artifact profile work in this model.
Fulup
PS: Why a reverse proxy: because I'm running many virtual zones within one
single server. I first need to save public addresses, then I want easy and
cheap failover, plus optimization of CPU resources, plus simplicity,
plus ... Conclusion: I'm not ready to remove my reverse proxy :)
My OpenVZ/Proxmox architecture description is available here:
http://www.fridu.org/last-posts-fulup/40-hosting-a-sysadmin/52-openvz-virtualization
--
Tel: 0950.770.585
Mail: fu...@fridu.net
http://www.fridu.org/fulup
But Apache has to know that's not the case or both the SP and any application behind it will not work properly. You need to tell Apache that the scheme is actually https, and not http.
> *** shibsp refuses the request ****
Because you haven't virtualized your server's configuration.
> I found a post on the subject, but I do not understand :(
> https://spaces.internet2.edu/display/SHIB/SPReverseProxy
Well, it's missing one point, which is that Apache 2.2 actually supports scheme virtualization natively.
http://httpd.apache.org/docs/2.2/mod/core.html#servername
-- Scott
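What "telling Apache the scheme is actually https" looks like in practice, as an added example (not from this thread, nor the Shibboleth project's own configuration). It uses the hostname and internal address from Fulup's description; the `ServerName` form with a scheme is the Apache 2.1+ feature Scott's link documents, `UseCanonicalName On` is the companion directive from the same Apache core documentation, and the `/secure` and `/Shibboleth.sso` locations carry the standard mod_shib 2.x directives; everything else about the vhost is assumed.

```apache
# Added example: Apache 2.2 vhost sitting behind an SSL-terminating reverse
# proxy (pound). The proxy receives https://shibsp.freeidp.net/... on port 443
# and forwards it as plain http to 10.10.101.10:80.

# --- Before: the setting that produces the shibd error ---
# <VirtualHost 10.10.101.10:80>
#     ServerName shibsp.freeidp.net
#     ...
# Apache believes it was reached over http on port 80, so the URL it reports
# for the incoming message is http://shibsp.freeidp.net/Shibboleth.sso/SAML2/POST,
# which does not match the https URL the IdP targeted in its response.

# --- After: scheme virtualization ---
<VirtualHost 10.10.101.10:80>
    # Scheme and port describe the public, client-facing URL, not the
    # listener the proxy connects to (Apache 2.1+ accepts this form).
    ServerName https://shibsp.freeidp.net:443

    # Required for the above to take effect: self-referential URLs are then
    # built from ServerName instead of from the incoming Host header and
    # local port, so the SP sees https://shibsp.freeidp.net/... as delivered.
    UseCanonicalName On

    # Protected content (path taken from the thread).
    <Location /secure>
        AuthType shibboleth
        ShibRequireSession On
        require valid-user
    </Location>

    # SP handler endpoint that receives the SAML2 POST.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
</VirtualHost>
```

One check after reloading Apache: the "POST targeted at (https://...) but delivered to (http://...)" line should stop appearing in /var/log/shibboleth/shibd.log; if it persists, the proxy is most likely rewriting the Host header to the internal name, and the vhost's `ServerName` will then not be matched.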
Changed the wiki page in this regard. I had to explicitly switch to
http://httpd.apache.org/docs/2.2/en/mod/core.html#servername
to actually see the change (since the German version offered still
does not contain this change, even though it's been in there since
2.1)
cheers,
-peter
--
peter....@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
Moving forward, I have one question and one remark:
Question: is there some place where the "shibd" communication protocol is
described? I suppose this daemon should be requestable from other clients
(PHP directly, Pound reverse proxy, http light, ....)?
Remark: While I saw that Peter updated the Wiki, it would probably be good to add
the typical error that this creates in the logs. Most people having this error
will probably cut & paste the error from the shibd log and google for it. Example:
>2008-10-10 13:51:59 ERROR OpenSAML.MessageDecoder.SAML2POST [2]: POST
>targeted at (https://shibsp.mydomain.net/Shibboleth.sso/SAML2/POST), but
>delivered to (http://shibsp.mydomain.net/Shibboleth.sso/SAML2/POST)
In any case, thank you for your help.
Fulup
On Saturday 11 October 2008, Peter Schober wrote:
> * Scott Cantor <cant...@osu.edu> [2008-10-11 01:33]:
> > > https://spaces.internet2.edu/display/SHIB/SPReverseProxy
> >
> > Well, it's missing one point, which is that Apache 2.2 actually
> > supports scheme virtualization natively.
> >
> > http://httpd.apache.org/docs/2.2/mod/core.html#servername
>
> Changed the wiki page in this regard. I had to explicitly switch to
> http://httpd.apache.org/docs/2.2/en/mod/core.html#servername
> to actually see the change (since the german version offered still
> does not contain this change, even though it's been in there since
> 2.1)
>
> cheers,
> -peter
--
No. The protocol could easily be documented but the actual messages are not
public and won't be documented because they're internal to the plugins, not
meant as an API.
That isn't to say plugins that are prepared to expose an API couldn't be
done, but I'm not writing them at the moment.
-- Scott
No, you don't talk to shibd. You only protect your application (in
whatever language or framework) and mod_shib does the talking. For
other webservers (e.g. lighttpd) there's a fastcgi interface, for
MS-IIS there's an ISAPI filter. Java servlets (Tomcat) are generally
protected by Apache and mod_proxy_ajp.
https://spaces.internet2.edu/display/SHIB2/NativeSPEnableApplication
https://spaces.internet2.edu/display/SHIB2/NativeSPProtectContent
> Remark: While I saw that peter update the Wiki, it would probably good to add
> the typical error that this create in logs. Most people having this error
> will probaby cut&past the error from shibd log and google for it. Exemple:
> >2008-10-10 13:51:59 ERROR OpenSAML.MessageDecoder.SAML2POST [2]: POST
> >targeted at (https://shibsp.mydomain.net/Shibboleth.sso/SAML2/POST), but
> >delivered to (http://shibsp.mydomain.net/Shibboleth.sso/SAML2/POST)
Since I put this up over a year ago I can't remember any of the error
messages and I don't know the software well enough to name each and
every error you might run into when trying to proxy to a protected
resource. But it's a wiki after all, so feel free to add what you
think is helpful.