reverse proxy, baseurlpath and absolute urls


Gildas

Jan 12, 2011, 9:01:28 AM
to simpleSAMLphp
Hi,

I am trying to set up a somewhat convoluted solution involving an IdP
and a SP running on 2 different machines and accessed through a single
hostname via a reverse proxy.

The setup is as follows:

-----------------[ the setup ]-----------------

                   user
                    |
                    v
                (          )
               (  internet  )
                (          )
                    |
                    v
             [ reverse proxy ]
        (         /       \
  LAN   (        v         v
        (    [ SP ]     [ IdP ]

---------------------------------------------------

I am using apache with mod_proxy on the reverse proxy.

I configured access to the SP and IdP through the use of ProxyPass:

-----------------[ apache conf extract ]-----------------

ProxyPass /myservice http://<sp internal ip>/
ProxyPassReverse /myservice http://<sp internal ip>/

ProxyPass /logon http://<idp internal ip>/
ProxyPassReverse /logon http://<idp internal ip>/

-------------------------------------------------------------------

Both the IdP and the SP are running simplesaml 1.7 and are running
fine when accessed directly from the internal network.

I thought changing the "AssertionConsumerService" and
"SingleLogoutService" urls to point to the "external url" or change
the baseurlpath to the reverse proxy url would do the trick but
apparently I was foolish.

As far as I understand, simplesaml uses absolute links for everything
on the web pages, from images to links, which means users going
through the reverse proxy are being redirected to internal ips.

Is there a way to get this working without too many modifications of
the source code?

Regards,
Gildas

Peter Schober

Jan 12, 2011, 9:29:58 AM
to simpleSAMLphp
* Gildas <gild...@gmail.com> [2011-01-12 15:04]:

> Is there a way to get this working without too many modifications of
> the source code?

The servername on the IdP and SP could/should be virtualized, I
suppose (setting it to the external name).
If you can't do this have a look at lib/SimpleSAML/Utilities.php where
you could easily make SSP use whatever name, port and URL you want.

SAML Metadata describing these entities should only refer to the
externally visible URLs. SimpleSAMLphp should be configured to those
same values (e.g. baseurlpath in config/config.php).
-peter

Olav Morken

Jan 13, 2011, 3:28:02 AM
to simpleSAMLphp

I don't think it is necessary to change the code. What should be needed
is to put the SP and IdP on different paths on different servers.

Basically, configure your SP installation to run on "/myservice"
(change baseurlpath in config.php to 'myservice/simplesaml/' or
something like that). Then configure the proxy to pass requests to
/myservice to http://<sp internal ip>/myservice. Do the same for the
IdP.

You also need to set the 'session.cookie.path' to '/myservice' for the
SP and '/login' for the IdP. Otherwise, they will overwrite each
other's cookies.

Note that this requires the proxy to pass the Host-header straight
through. I don't know whether mod_proxy does this.


Regards,
Olav Morken
UNINETT / Feide

Gildas

Jan 13, 2011, 7:48:46 AM
to simple...@googlegroups.com
2011/1/13 Olav Morken <olav....@uninett.no>:

> On Wed, Jan 12, 2011 at 15:29:58 +0100, Peter Schober wrote:
>> * Gildas <gild...@gmail.com> [2011-01-12 15:04]:
>> > Is there a way to get this working without too many modifications of
>> > the source code?
>
> I don't think it is necessary to change the code. What should be needed
> is to put the SP and IdP on different paths on different servers.
>
> Basically, configure your SP installation to run on "/myservice"
> (change baseurlpath in config.php to 'myservice/simplesaml/' or
> something like that). Then configure the proxy to pass requests to
> /myservice to http://<sp internal ip>/myservice. Do the same for the
> IdP.
>
> You also need to set the 'session.cookie.path' to '/myservice' for the
> SP and '/login' for the IdP. Otherwise, they will overwrite each
> other's cookies.
>
> Note that this requires the proxy to pass the Host-header straight
> through. I don't know whether mod_proxy does this.
>
>
> Regards,
> Olav Morken
> UNINETT / Feide

Hi Olav,

Thanks for your answer; that last bit of information was the one I was
missing: it works now.

I have just a bad redirect when connecting as an administrator. I
suspect this is because of the use of "'/' . $config->getBaseURL() .
'logout.php'" as a parameter to logout in
modules/core/www/authenticate.php line 19 where it should probably use
SimpleSAML_Utilities::getBaseURL()?

For the record, I did the following:
- on the reverse proxy add "ProxyPreserveHost On" to pass the Host header
- set baseurlpath to the path used in the ProxyPass for that SP/IdP
- set session.cookie.path to the path used in the ProxyPass for that SP/IdP

Regards,
Gildas
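The fix Gildas lists above, written out as an added example (not from the thread or the simpleSAMLphp project) with the original ProxyPass lines beside the corrected ones; the <sp internal ip> / <idp internal ip> placeholders and the /myservice and /logon prefixes are the original post's, and the config.php values follow Olav's suggestion.

```apache
# Added example: reverse-proxy vhost for the SP/IdP split described in this thread.
# <sp internal ip> and <idp internal ip> are the thread's placeholders, not real hosts.

# --- Original (broken) ---
# The path prefix is stripped, so each backend believes it is served at "/", and
# without ProxyPreserveHost mod_proxy sends the ProxyPass target (the internal
# address) as the Host header. simpleSAMLphp builds its absolute URLs from that,
# so browsers get redirected to internal IPs.
#
#   ProxyPass        /myservice http://<sp internal ip>/
#   ProxyPassReverse /myservice http://<sp internal ip>/
#   ProxyPass        /logon     http://<idp internal ip>/
#   ProxyPassReverse /logon     http://<idp internal ip>/

# --- Corrected ---
# Forward the browser's Host header so the backends generate URLs with the public
# hostname, and keep the path prefix so the backend's baseurlpath matches the path
# the browser actually requested.
ProxyPreserveHost On

ProxyPass        /myservice http://<sp internal ip>/myservice
ProxyPassReverse /myservice http://<sp internal ip>/myservice

ProxyPass        /logon     http://<idp internal ip>/logon
ProxyPassReverse /logon     http://<idp internal ip>/logon

# Matching simpleSAMLphp settings on each backend (config/config.php):
#   SP : 'baseurlpath' => 'myservice/simplesaml/',  'session.cookie.path' => '/myservice',
#   IdP: 'baseurlpath' => 'logon/simplesaml/',      'session.cookie.path' => '/logon',
# Distinct cookie paths keep the SP and IdP sessions from overwriting each other
# now that both are served under one external hostname.
```

With ProxyPreserveHost On the backends build URLs from whatever Host header the proxy forwards, so the proxy's VirtualHost should only answer for the intended public ServerName.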

Olav Morken

Jan 13, 2011, 10:55:48 AM
to simple...@googlegroups.com
On Thu, Jan 13, 2011 at 13:48:46 +0100, Gildas wrote:
> I have just a bad redirect when connecting as an administrator. I
> suspect this is because of the use of "'/' . $config->getBaseURL() .
> 'logout.php'" as a parameter to logout in
> modules/core/www/authenticate.php line 19 where it should probably use
> SimpleSAML_Utilities::getBaseURL()?

That is a bit surprising, since the only difference should be that
one of them is an absolute URL while the other is relative to the
root of the webserver. When a URL that is relative to the root of the
webserver is passed to the redirect()-function, we automatically add
the same hostname that getBaseURL() would use, thus the final redirect
should have been the same.
