Apache HTTPd Reverse Proxy and Tomcat CAS
Getting a front-end Apache HTTPd reverse proxy to work correctly with a back-end Tomcat-hosted CAS was not as easy as it seemed to me.
I could have used mod_auth_cas but decided to rely only on an AJP (jk) based proxy.
Here is my config:
- Apache HTTPd 2.2
- Apache Tomcat 6.0
- CAS 3.3.1
- Balancer (mod_proxy + proxy_ajp + proxy_balancer)
Deployment model:
- Front-end machine (ip: 192.168.183.3) running httpd on ports 80, 443.
- CAS back-end app running in Tomcat on ports 18180 (http) and 18109 (ajp)
- Another back-end app on the same box, which uses CAS, running on ports 18080 (http) and 18009 (ajp)
Steps:
0. Add proper hostnames to /etc/hosts. In my case everything (profiles.myraysaz.com) simply points to 192.168.183.3
- CAS Tomcat
- Configure your CAS box. I deployed my CAS application under “/auth” in Tomcat (i.e. renamed cas-3.3.1 in webapps to auth).
- Set the correct paths in your cas.properties. This is mine:
cas.properties
cas.securityContext.serviceProperties.service=https://profiles.myraysaz.com/auth/services/j_acegi_cas_security_check
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://profiles.myraysaz.com/auth/login
cas.securityContext.ticketValidator.casServerUrlPrefix=https://profiles.myraysaz.com/auth
cas.themeResolver.defaultThemeName=default
cas.viewResolver.basename=default_views
host.name=profiles.myraysaz.com
database.hibernate.dialect=org.hibernate.dialect.HSQLDialect
- Here is the server.xml of this box. Pay attention to proxyName and proxyPort!
server.xml
<?xml version='1.0' encoding='utf-8'?>
<Server port="18105" shutdown="SHUTD0WN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Service name="Catalina">
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="1000" minSpareThreads="50"/>
    <Connector executor="tomcatThreadPool" port="18180" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="443" enableLookups="false" proxyName="profiles.myraysaz.com" />
    <Connector executor="tomcatThreadPool" port="18109" protocol="AJP/1.3"
               redirectPort="443" enableLookups="false" proxyName="profiles.myraysaz.com" />
    <Engine name="Catalina" defaultHost="profiles.myraysaz.com">
      <Host name="profiles.myraysaz.com" appBase="webapps" unpackWARs="false" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
      </Host>
    </Engine>
  </Service>
</Server>
- Be sure this is working by pointing your browser at http://ip:18180/auth (the CAS Tomcat's HTTP port).
- Configure HTTPd.
- Enable required modules:
a2enmod proxy
a2enmod proxy_ajp
a2enmod proxy_balancer
- Here is my virtual host definition in sites-enabled:
000-profiles.myraysaz.conf
<VirtualHost 192.168.183.3:80>
  ServerName profiles.myraysaz.com
  ServerAdmin amin@raysaz.com
  DocumentRoot /
  ErrorLog /var/log/apache2/profiles/error.log
  LogLevel warn
  CustomLog /var/log/apache2/profiles/access.log combined

  ProxyRequests Off
  ProxyPreserveHost On
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyPass /auth balancer://casCluster/auth stickysession=JSESSIONID|jsessionid
  ProxyPassReverse /auth balancer://casCluster/auth
  <Proxy balancer://casCluster>
    Order deny,allow
    allow from all
    #BalancerMember ajp://192.168.183.3:18109
    BalancerMember ajp://profiles.myraysaz.com:18109
  </Proxy>

  ProxyPass / balancer://profilesCluster/ stickysession=JSESSIONID|jsessionid
  ProxyPassReverse / balancer://profilesCluster/
  <Proxy balancer://profilesCluster>
    Order deny,allow
    allow from all
    BalancerMember ajp://profiles.myraysaz.com:18009
  </Proxy>
</VirtualHost>

<VirtualHost 192.168.183.3:443>
  ServerName profiles.myraysaz.com
  ServerAdmin amin@raysaz.com
  DocumentRoot /
  ErrorLog /var/log/apache2/profiles/error-ssl.log
  LogLevel warn
  CustomLog /var/log/apache2/profiles/access-ssl.log combined

  ProxyRequests Off
  ProxyPreserveHost On
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyPass /auth balancer://casCluster/auth stickysession=JSESSIONID|jsessionid
  ProxyPassReverse /auth balancer://casCluster/auth
  <Proxy balancer://casCluster>
    Order deny,allow
    allow from all
    BalancerMember ajp://profiles.myraysaz.com:18109
  </Proxy>

  ProxyPass / balancer://profilesCluster/ stickysession=JSESSIONID|jsessionid
  ProxyPassReverse / balancer://profilesCluster/
  <Proxy balancer://profilesCluster>
    Order deny,allow
    allow from all
    BalancerMember ajp://profiles.myraysaz.com:18009
  </Proxy>

  SSLEngine On
  SSLCertificateFile /etc/ssl/profiles/profiles.myraysaz.com.crt
</VirtualHost>
- You can make a self-signed (“fake”) SSL certificate using:
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf auth.myraysaz.com.crt
- This config sticks to the session id and supports multiple back-end CAS servers.
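The mistakes that bite in a vhost like the one above are easy to check mechanically. This is an added example, not the post's own code: it lints a mod_proxy vhost for ProxyRequests Off (otherwise httpd is an open forward proxy), a ProxyPassReverse for every ProxyPass, a defined <Proxy balancer://...> block for every balancer referenced, stickysession on balancer routes, and SSLEngine On in the :443 block. The embedded config is a constructed sample whose :443 block deliberately omits most of these.

```python
"""Lint an httpd reverse-proxy vhost for the CAS-relevant mistakes (added example, not from the post)."""
import re

def parse_vhosts(conf):
    """Return [(address, body)] for each <VirtualHost ...> block in an httpd config string."""
    return re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S)

def check_vhost(address, body):
    """Return a list of findings for one vhost (empty when the block looks sane)."""
    findings = []
    if not re.search(r"^\s*ProxyRequests\s+Off\b", body, re.M | re.I):
        findings.append("ProxyRequests not Off: httpd would also serve as an open forward proxy")
    reverses = set(re.findall(r"^\s*ProxyPassReverse\s+(\S+)", body, re.M))
    balancers = set(re.findall(r"<Proxy\s+balancer://([^/>\s]+)", body))
    for path, target, opts in re.findall(r"^\s*ProxyPass\s+(\S+)\s+(\S+)(.*)$", body, re.M):
        if path not in reverses:
            findings.append(f"ProxyPass {path}: no ProxyPassReverse, backend Location headers leak the AJP target")
        m = re.match(r"balancer://([^/]+)", target)
        if m and m.group(1) not in balancers:
            findings.append(f"ProxyPass {path}: balancer {m.group(1)} has no <Proxy balancer://...> block")
        if m and "stickysession=" not in opts:
            findings.append(f"ProxyPass {path}: no stickysession, a CAS login can continue on another member")
    if address.endswith(":443") and not re.search(r"^\s*SSLEngine\s+On\b", body, re.M | re.I):
        findings.append("port 443 vhost without SSLEngine On: CAS https redirects will fail")
    return findings

def lint(conf):
    """Map each vhost address to its findings."""
    return {addr: check_vhost(addr, body) for addr, body in parse_vhosts(conf)}

# Constructed sample: the :80 block mirrors the post; the :443 block is deliberately broken.
SAMPLE_CONF = """
<VirtualHost 192.168.183.3:80>
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass /auth balancer://casCluster/auth stickysession=JSESSIONID|jsessionid
  ProxyPassReverse /auth balancer://casCluster/auth
  <Proxy balancer://casCluster>
    BalancerMember ajp://profiles.myraysaz.com:18109
  </Proxy>
</VirtualHost>
<VirtualHost 192.168.183.3:443>
  ProxyRequests Off
  ProxyPass /auth balancer://casCluster/auth
</VirtualHost>
"""

if __name__ == "__main__":
    for addr, findings in lint(SAMPLE_CONF).items():
        print(addr, findings or ["ok"])
```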
- SSL+CAS
CAS (Java) needs access to your SSL certificate. If you made a self-signed one as above, do as follows to import it into Java.
- Remove the private-key part from the self-signed certificate file (make-ssl-cert writes key and certificate into one file):
cp profiles.myraysaz.com.crt profiles.myraysaz.com.crt-only
vim profiles.myraysaz.com.crt-only
- Import it into Java:
sudo keytool -import -file profiles.myraysaz.com.crt-only -alias mycas -keystore /opt/java/jdk1.6.0_06/jre/lib/security/cacerts
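The same key-stripping step done by a script instead of editing the file by hand. This is an added example, not from the original post: it keeps only the CERTIFICATE blocks of a PEM bundle, so the private key never ends up in the file you hand to keytool. The sample bundle is constructed with placeholder body lines, not real key or certificate material.

```python
"""Keep only CERTIFICATE blocks from a PEM bundle before a truststore import (added example)."""
import re
import sys

# One PEM block; the label in the END line must match the label in the BEGIN line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)

def pem_labels(pem_text):
    """Labels of all PEM blocks in the text, in order, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def certificate_only(pem_text):
    """Return only the CERTIFICATE blocks; keys, parameters and any other block are dropped."""
    certs = [m.group(0) for m in PEM_BLOCK.finditer(pem_text) if m.group(1) == "CERTIFICATE"]
    return "".join(c + "\n" for c in certs)

# Constructed sample bundle (placeholder lines, not real key or certificate data).
SAMPLE_BUNDLE = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholderkeyline
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIplaceholdercertline
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Usage: python strip_key.py profiles.myraysaz.com.crt > profiles.myraysaz.com.crt-only
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    sys.stdout.write(certificate_only(src))
```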