Hello Ray,

Oh~, thank you.

I'm not using certificates now.
I will try it.

Thank you again.

James

On Saturday, August 4, 2018 at 12:11:44 AM UTC+8, rbon wrote:
>
> James,
>
> The TGT is scoped to the CAS server and is only used by CAS. Are you using 
> certificates (https)? If they are self signed, they will have to be added 
> to all nginx configs.
> Back channel communication (like ticket validation) is done over https and 
> both sides need to know about the other's certificates.
> Multiple domain names are fine under CAS, it does not care where the 
> service is located, only that it is registered and that it can communicate.
> Proxying is done when the user logs into service A and A needs to get data 
> from service B.
>
> Ray
>
> On Thu, 2018-08-02 at 17:59 -0700, James Q wrote:
>
> Hi Ray, 
>
> Thank you for your patient reply.
>
> I think I know why.
> When App and CAS are under the same proxy (same domain name), they have the 
> same TGT, and CAS can validate it.
> But when using three nginxes, they are under different domain names.
>
> So I think it's a cross domain sso.
> As you said: http://proxy_server/app was not registered as a service in 
> CAS.
>
> Multiple domain names should follow the proxy web flow diagram, not the usual 
> web flow diagram.
>
> https://apereo.github.io/cas/5.3.x/protocol/CAS-Protocol.html#proxy-web-flow-diagram
>
> I will try it out, thank you very much.
>
> Thanks.
> James.
>
> On Friday, August 3, 2018 at 12:38:23 AM UTC+8, rbon wrote: 
>
> James,
>
> I meant that http://proxy_server/app was not registered as a service in 
> CAS but the tomcat server was, http://localhost:8080/app.
>
> Your ports should not be exposed but hidden within nginx config.
>
> Ray
>
> On Thu, 2018-08-02 at 05:11 -0700, James Q wrote:
>
> Ray, 
>
> I use one nginx to proxy app and cas as you remind and it works.
>
> But this exposes the ports of the app and cas server.
> Still don't know why 3 nginxes don't work out......
>
> What do you mean proxy_server/app is not part of SSO?
>
> Thanks.
> James.
>
> On Thursday, August 2, 2018 at 12:06:02 AM UTC+8, rbon wrote: 
>
> James,
>
> It looks like proxy_server/app is not part of SSO. What does your service 
> definition(s) look like?
>
> Unless you have a need to have each tomcat fronted by its own nginx, you 
> could simplify and have one nginx (instead of 3). 
> In proxy_server's nginx, replace:
> proxy_pass  http://cas_server/cas;
> with:
> proxy_pass  http://localhost:8080/app;
> etc.
>
> I have not used the set_header options but do not think that is causing 
> problems.
>
> Ray
>
> On Tue, 2018-07-31 at 19:03 -0700, James Q wrote:
>
> Hello Ray, 
>
> Yes, each nginx has a different configuration.
>
> app_server' nginx conf:
>
>     location /app {
>         proxy_pass  http://localhost:8080/app;
>         proxy_set_header   Host             $host;
>         proxy_set_header   X-Real-IP        $remote_addr;
>         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
>     }
>
> cas_server's nginx conf:
>
>     location /cas {
>         proxy_pass  http://localhost:8080/cas;
>         proxy_set_header   Host             $host;
>         proxy_set_header   X-Real-IP        $remote_addr;
>         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
>     }
>
> I think the web flow should be:
>
> 1. browse to login page http://localhost:8080/cas (http status 200)
> 2. input username and password
> 3. cas login success, and store TGC cookie on browser
> 4. redirect to http://localhost:8080/app (http status 302), the header is
>
>    1. Request URL: http://localhost:8080/app/
>    2. Request Method: GET
>    3. Status Code: 302
>    4. Remote Address: [::1]:8080
>    5. Referrer Policy: no-referrer-when-downgrade
>    
> 5. app is the cas client; it should use the TGC for cas to validate the ticket.
> 6. app redirects to 
> http://localhost:8080/cas/login?service=http://localhost:8080/app (http 
> status 302)
> 7. cas make a ST to client, 
> http://localhost:8080/app/callback?ticket=ST-..... (http status 302)
> 8. cas validate ST successfully and app shows page. 
> http://localhost:8080/app (http status 200)
>
> The strange thing happened at step 6.
> On my desktop, I installed cas and app on the same tomcat. I used chrome to 
> trace.
> Step 6 is 302 (redirect and validate) and step 8 is http status 200 (show 
> the app page); it is the right sequence.
>
> But after the nginx proxy, step 6 is 200 (show the login page again), the 
> sequence stopped, and there was no step 7 and step 8.
> I watched the chrome network tab; the step 4 header is
>
>    1. Request URL: http://proxy_server/app/
>    2. Request Method: GET
>    3. Status Code: 302 Found
>    4. Remote Address: X.X.X.X:80
>    5. Referrer Policy: no-referrer-when-downgrade
>    
> The step 4 difference is:
> the localhost status code is "302", but the proxy_server status code is "302 
> Found", and then the next step 6 is the wrong sequence.
> I don't know what the difference between "302" and "302 Found" is and 
> couldn't find it by searching.
>
> So how to config nginx to fix this?
>
> Thanks.
>
> On Tuesday, July 31, 2018 at 11:45:59 PM UTC+8, rbon wrote: 
>
> James,
>
> If you have three nginx, then each one should have a different 
> configuration. It should only be concerned with one application.
> The redirecting to login will be handled by cas client, one on proxy 
> server and one on app server.
>
> Ray
>
> On Mon, 2018-07-30 at 22:42 -0700, James Q wrote:
>
> Hello, 
>
> I configured an app with cas successfully.
> I configured cas.view.defaultRedirectUrl=http://localhost:8080/app
>
> 1. login url: http://localhost:8080/cas/login
> 2. input username and password
> 3. redirect to http://localhost:8080/app
> It works good on the same tomcat.
>
> Then I separated it onto 3 servers: proxy_server, app_server and cas_server. 
> Each server has nginx installed.
>
> 1. proxy_server's nginx proxy app_server and cas_server's nginx
> 2. app_server's nginx proxy app
> 3. cas_server's nginx proxy cas
>
> Each nginx conf is the same, like this:
> proxy_server's nginx conf
>
>     location /cas {
>         proxy_pass  http://cas_server/cas;
>         proxy_set_header   Host             $host;
>         proxy_set_header   X-Real-IP        $remote_addr;
>         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
>     }
>
>     location /app {
>         proxy_pass  http://app_server/app;
>         proxy_set_header   Host             $host;
>         proxy_set_header   X-Real-IP        $remote_addr;
>         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
>     }
>
> Steps:
> 1. login url: http://proxy_server/cas
> 2. input username and password
> 3. redirect to http://proxy_server/cas?service=http://proxy_server/app
> This was wrong. It still needed the username and password to be input.
>
> 4. but after inputting the username and password again, it redirected to 
> http://proxy_server/app
>
> Question:
> 1. After login successfully, it should redirect into 
> http://proxy_server/app
> 2. But it redirect to the login page again. 
>
> How to config nginx?
> I searched and found 
> https://groups.google.com/forum/#!topic/jasig-cas-user/44vNM24X110
> It doesn't work.
>
> And I also found that the ngx_headers_more module should be added to nginx for the location?
> Any ideas?
>
> Thanks.
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
>
>
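Ray's point that http://proxy_server/app "was not registered as a service in CAS" while http://localhost:8080/app was is the crux of the thread. The following is an added example, not code from the thread or from the CAS project: a small model of the check CAS performs when a client asks for a ticket for a given service URL. The entries use the JSON layout CAS's JSON service registry reads (a RegexRegisteredService with a serviceId regular expression), but the entries themselves, the registry names (REGISTRY_AS_IN_THREAD, REGISTRY_FIXED, OVER_BROAD_ENTRY) and the probe host are constructed for this example, and the find()-style regex matching is a simplifying assumption about CAS's internals.

```python
"""Added example (not from the mailing-list thread or the CAS project):
model of the CAS service-registry lookup that decides whether a service URL
may receive tickets. Entries below are constructed for illustration."""
import json
import re

# Constructed: the situation described in the thread, where only the
# Tomcat-local URL is registered.
REGISTRY_AS_IN_THREAD = [
    r'''{
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^http://localhost:8080/app.*",
      "name" : "app-direct",
      "id" : 1
    }''',
]

# Constructed: the public URL seen through proxy_server is registered as well.
# The pattern is anchored to scheme, host and path prefix, so it admits only
# that service and not every URL that happens to contain "/app".
REGISTRY_FIXED = REGISTRY_AS_IN_THREAD + [
    r'''{
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^http://proxy_server/app.*",
      "name" : "app-via-proxy",
      "id" : 2
    }''',
]

# Constructed: a definition that is far too permissive; it would let CAS
# issue tickets to any http(s) URL, including hosts the operator never meant.
OVER_BROAD_ENTRY = r'''{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^http.*",
  "name" : "anything",
  "id" : 3
}'''


def load_services(raw_entries):
    """Parse the JSON definitions and compile each serviceId regex."""
    services = []
    for raw in raw_entries:
        svc = json.loads(raw)
        svc["_pattern"] = re.compile(svc["serviceId"])
        services.append(svc)
    return services


def find_service(services, service_url):
    """Return the name of the first definition whose serviceId matches
    service_url, or None when the URL is unregistered.

    Assumption: a find()-style regex match; with the leading ^ anchor used in
    the entries above this behaves as a prefix match on the service URL."""
    for svc in services:
        if svc["_pattern"].search(service_url):
            return svc["name"]
    return None


def is_over_broad(raw_entry, probe="https://unrelated.example/"):
    """True when the serviceId would also accept a URL on an unrelated host
    (the probe host is constructed), i.e. the definition is too permissive."""
    svc = json.loads(raw_entry)
    return re.search(svc["serviceId"], probe) is not None


if __name__ == "__main__":
    url = "http://proxy_server/app"
    # The proxied URL is unknown to the registry from the thread ...
    print(find_service(load_services(REGISTRY_AS_IN_THREAD), url))  # None
    # ... and is accepted once the public URL is registered.
    print(find_service(load_services(REGISTRY_FIXED), url))         # app-via-proxy
    # A catch-all serviceId would also accept an unrelated host.
    print(is_over_broad(OVER_BROAD_ENTRY))                           # True
```

The service URL CAS sees is the one the browser presents in the `service=` parameter, so behind a reverse proxy it is the public URL (http://proxy_server/app), not the Tomcat address nginx forwards to; that public URL is the one the registry entry has to match. Keeping the pattern anchored to a specific host and path is what stops the registry from handing tickets to arbitrary services.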

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7f0bc547-ab47-4568-bbd1-8271ae770889%40apereo.org.
