I have an Apache webserver running behind an HAProxy load-balancer.
The HAProxy is configured, with stunnel on it, to relay client requests
to the webserver on http(80), example:
https://Myapplication.com/
-------------https----------------->(HAProxy:443+Stunnel)
------------http----------------> (ApacheWebserver:80)
(in fact the stream between HAProxy and the webserver is not encrypted)
I installed an SP on my webserver and configured it to talk with my
IdP (all in https). Then I got two problems:
1. the first one is after the user gets authenticated, the IdP tries to
find an HTTP endpoint
(http://Myapplication.com/Shibboleth.sso/SAML2/POST) and not an HTTPS
endpoint, thus returning an error saying: 'No peer endpoint available
to which to send SAML response'
2. to fix the problem I forced the SP to request the response on https
by setting the handlerSSL option to true. Indeed, the IdP sends the
SAML response this time to the https endpoint
(https://Myapplication.com//Shibboleth.sso/SAML2/POST), but when the
request hits the SP I get a redirect loop.
I can understand the behavior but I want to know if there is a
work-around or something I can do to make it work.
Sorry for making it long, and thank you.
Two things to verify: your webserver has to "know" its ServerName and
respond to requests using that ServerName. Second, verify your metadata
contains the proper ACS endpoints.
You should be able to back out your change in your #2 below once you get
your webservers to respond correctly.
------
thanks
kevin.foote
On Tue, 25 Jan 2011, daniel rahmeh wrote:
-> Hello,
->
-> I have an Apache webserver running behind an HAProxy load-balancer.
-> The HAProxy is configured, with stunnel on it, to relay client requests
-> to the webserver on http(80), example:
->
-> https://Myapplication.com/
-> -------------https----------------->(HAProxy:443+Stunnel)
-> ------------http----------------> (ApacheWebserver:80)
-> (in fact the stream between HAProxy and the webserver is not encrypted)
->
-> I installed an SP on my webserver and configured it to talk with my
-> IdP (all in https). Then I got two problems:
->
-> 1. the first one is after the user gets authenticated, the IdP tries to
-> find an HTTP endpoint
-> (http://Myapplication.com/Shibboleth.sso/SAML2/POST) and not an HTTPS
-> endpoint, thus returning an error saying: 'No peer endpoint available
-> to which to send SAML response'
->
-> 2. to fix the problem I forced the SP to request the response on https
-> by setting the handlerSSL option to true. Indeed, the IdP sends the
-> SAML response this time to the https endpoint
-> (https://Myapplication.com//Shibboleth.sso/SAML2/POST), but when the
-> request hits the SP I get a redirect loop.
->
-> I can understand the behavior but I want to know if there is a
-> work-around or something I can do to make it work.
->
-> Sorry for making it long, and thank you.
->
Cf. the "Resource" section on
https://spaces.internet2.edu/display/SHIB2/SPReverseProxy
And https://spaces.internet2.edu/display/SHIB2/NativeSPNoSSL could be
updated/expanded for Apache httpd (only contains info for MS-IIS).
-peter
# Tell Apache the scheme and host clients actually use (TLS ends at HAProxy)
ServerName https://MyApplication.com
# Build self-referential URLs from ServerName, not from the incoming request
UseCanonicalName On
Thank you :)
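Putting kevin.foote's two checks and the final two directives into one complete Apache httpd virtual host for the backend in the diagram above, as an added example for this page (this is not configuration posted in the thread, nor from the Shibboleth or HAProxy projects). Assumptions: the backend listens on plain port 80 as described, the HAProxy address 10.0.0.5 is invented, the access-control syntax is the Apache 2.2 form current when the thread was written, and the protected path /secure is hypothetical.

```apache
# /etc/httpd/conf.d/myapplication.conf  (added example; paths and addresses assumed)
#
# Apache only ever sees plain HTTP from HAProxy/stunnel, so it has to be told
# what the client actually used. ServerName carries the public scheme and port,
# and UseCanonicalName On makes Apache build self-referential URLs from
# ServerName instead of from the incoming connection. mod_shib asks Apache for
# scheme, host and port, so this is also what the SP puts into its handler
# URLs and generated metadata. Without it the SP announces
# http://MyApplication.com/Shibboleth.sso/... (the first problem in the
# thread); with handlerSSL="true" alone the SP sees a non-SSL request to the
# handler, redirects to https, HAProxy strips TLS again and forwards http,
# and the redirect loop of the second problem appears.

Listen 80

<VirtualHost *:80>
    ServerName https://MyApplication.com:443
    UseCanonicalName On

    DocumentRoot /var/www/myapplication

    # Every request on this port is now treated as if it arrived over TLS,
    # so only the load balancer may reach it. 10.0.0.5 is the assumed HAProxy
    # address; on Apache 2.4 write "Require ip 10.0.0.5" instead of Order/Allow.
    <Location />
        Order deny,allow
        Deny from all
        Allow from 10.0.0.5
    </Location>

    # Shibboleth SP handler (Shibboleth.sso) and a protected area (hypothetical path)
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
```

To confirm the second of kevin.foote's checks, fetch https://MyApplication.com/Shibboleth.sso/Metadata through the proxy after a restart and look at the AssertionConsumerService Location attributes: they must start with https://, and only then does it make sense to hand the metadata to the IdP or to revisit handlerSSL. Keep the port-80 listener unreachable except from HAProxy, since with this configuration Apache will assert "https" for a request that really arrived in the clear.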