So, the following HAP config worked, with lots of work in the shibboleth
land.
frontend http_front
    bind :80
    bind 0.0.0.0:443 ssl crt /etc/haproxy/crsplab2_1.pem crt /etc/haproxy/ssl.d/ no-sslv3 no-tls-tickets
    option httplog
    rate-limit sessions 5
    log global
    log /dev/log local0 debug
    mode http
    # tell the backend which port and scheme the client actually used
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # send every plain-http request over to https
    http-request redirect scheme https unless { ssl_fc }
    #
    #acl host_web2 hdr(host) -i crsplab2.oit.uci.edu/webdav
    #use_backend webdav_cluster if host_web2
    #
    # the JupyterHub app and the Shibboleth SP handler live on the same backend
    acl host_web3 path_beg /jhub
    acl host_web3_saml2 path_beg /Shibboleth.sso/
    acl host_web3_saml2_secure path_beg /secure/
    use_backend web3_cluster if host_web3 || host_web3_saml2 || host_web3_saml2_secure

backend web3_cluster
    mode http
    balance source
    cookie SRV2 insert indirect nocache
    # backend is reached over TLS on the private LAN; its certificate is not verified
    server web1 10.1.100.156:443 check ssl verify none inter 2000 cookie w1
On the shibboleth SP side, here is what was needed:
a. create a common entityID with the LB name:
https://haproxylb.example.com/shibboleth
b. set up an apache vhost on the backend node, with the following:
ServerName https://haproxylb.example.com
UseCanonicalName on
HostnameLookups off
<IfModule mod_rewrite.c>
    RewriteEngine on
    # redirect to https unless this connection, or the LB's header, says it already is
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
<Location /Shibboleth.sso>
    SetHandler shib
</Location>
<Location /jhub>
    ProxyPass http://10.1.100.156:8000/jhub
    ProxyPassReverse http://10.1.100.156:8000/jhub
    RequestHeader unset Accept-Encoding
    ProxyPreserveHost on
    # require a Shibboleth session and hand the authenticated user to JupyterHub
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shibboleth
    ShibUseHeaders On
    ShibBasicHijack On
    RequestHeader set X-Remote-User %{REMOTE_USER}s
</Location>
# websocket channels for the notebook kernels
<LocationMatch "/jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)">
    ProxyPassMatch ws://10.1.100.156:8000/jhub/$1/$2$3
    ProxyPassReverse ws://10.1.100.156:8000/jhub/$1/$2$3
</LocationMatch>
c. the above makes metadata generation possible with the LB proxy name,
and all the redirects will be correctly set up with the proper LB hostname.
One example:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://haproxylb.example.com/Shibboleth.sso/SLO/POST"/>
d. In the shibboleth.xml file, the following is important, as we can now
pass traffic through the private LAN, after the initial authentication.
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="false" cookieProps="http">
Once all this is set up, shibboleth IDP should be able to fetch SP metadata
correctly.
Thank you, everyone, who helped. A lot of testing is needed, of course.
Once we go to production, I will post the final shibboleth and HAP configs.
I might still ask questions :-) , if I get stuck. But, you guys are
awesome, helped me through every step of the way!
--imam
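An added check for step c above (my example, not part of the original mail or of the Shibboleth SP): before handing the generated SP metadata to the IdP, parse it and flag every endpoint whose Location is not https on the load-balancer hostname. A leaked backend name or a plain-http URL in the metadata is exactly what breaks the IdP's redirects. The metadata document and the hostnames inside it are constructed samples; the element names and namespace are the standard SAML 2.0 metadata ones.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# SPSSODescriptor children that carry endpoint URLs the IdP will redirect to.
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleLogoutService",
                 "ArtifactResolutionService")


def check_sp_endpoints(metadata_xml, expected_host):
    """Return (element, attribute, url, reason) for every endpoint URL that is
    not https on the expected load-balancer hostname. Empty list means clean."""
    root = ET.fromstring(metadata_xml)
    problems = []
    for tag in ENDPOINT_TAGS:
        for el in root.iter(f"{{{MD_NS}}}{tag}"):
            for attr in ("Location", "ResponseLocation"):
                url = el.get(attr)
                if url is None:
                    continue
                parsed = urlparse(url)
                if parsed.scheme != "https":
                    problems.append((tag, attr, url, "scheme is not https"))
                elif parsed.hostname != expected_host:
                    problems.append((tag, attr, url, f"host is not {expected_host}"))
    return problems


# Constructed sample metadata (not real SP output): one endpoint uses the LB
# name correctly, one leaked a private backend name, one is plain http.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://haproxylb.example.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://haproxylb.example.com/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://web1.internal.example.com/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://haproxylb.example.com/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for tag, attr, url, reason in check_sp_endpoints(SAMPLE_METADATA,
                                                     "haproxylb.example.com"):
        print(f"{tag}.{attr}={url}: {reason}")
```

Run it against the file the SP serves at /Shibboleth.sso/Metadata (fetched through the LB, so the SP sees the canonical host) and treat any output as a stop sign before registering the metadata with the IdP.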
On Mon, Oct 29, 2018 at 2:09 AM Jarno Huuskonen <[email protected]>
wrote:
> Hi,
>
> Can you describe how you would like this (haproxy -> apache+shib ->
> jupyter?) set up? (Perhaps with some kind of diagram with desired urls /
> ips etc).
>
> From what I understand you'd like to use public ip/url only on haproxy
> and everything else on private ip's (accessed only from the haproxy host).
>
> AFAIK something like this might work:
> haproxy listens on public ip:443 and sends all /jhub /Shibboleth.sso
> traffic to apache(shib)+jupyter backend server on port 8443(w/out ssl):
>
> haproxy:
> ...
> acl host_web3 path_beg /jhub
> acl host_web3_saml2 path_beg /Shibboleth.sso
> use_backend web3_cluster if host_web3 || host_web3_saml2
> ...
> backend web3_cluster
> server apache_server_privateip:8443 check inter 2000 cookie w1
> # If you've more than 1 server then you'll probably need
> persistence
>
> apache vhost (plain http vhost, no ssl configured)
> Listen 8443
> <VirtualHost *:8443>
> HostnameLookups off
> ServerName https://proxy.example.com
> UseCanonicalName On
> SetEnv HTTPS on
>
> <Location /jhub> / <LocationMatch ...>
> ... # your jupyter proxypass / shibboleth auth (remote_user)/ wss
> config
> # Also make sure apache passes or sets:
> # X-Scheme/X-Forwarded-Proto and X-Real-Ip/X-Forwarded-For
> </VirtualHost>
>
> Configure shibboleth to use https://proxy.example.com/Shibboleth.sso
> urls.
>
> Configure jupyter to trust X- headers: NotebookApp.trust_xheaders
> and maybe you need to use NotebookApp.custom_display_url so jupyter
> knows its url is https://proxy.example.com/jhub.
>
> -Jarno
>
> --
> Jarno Huuskonen
>
--
Regards,
*Imam Toufique*
*213-700-5485*
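Jarno's point about apache passing X-Forwarded-Proto and X-Forwarded-For, and the X-Remote-User header the top config sets for JupyterHub, share one rule: a forwarded header is only trustworthy when the immediate TCP peer is the proxy you control. The following is an added illustration in Python (mine, not code from the thread, HAProxy, Apache or Jupyter) of how a backend should resolve scheme, client IP and user from those headers. The load-balancer address 10.1.100.1, the client addresses and the user names are constructed. One detail it accounts for: the top config uses HAProxy's "add-header" for X-Forwarded-Proto, which appends a header line rather than replacing one, so a client-sent value arrives ahead of the proxy's own value.

```python
from ipaddress import ip_address, ip_network

# Headers that only mean something when the immediate TCP peer is a proxy we
# control. From any other peer they are attacker-controlled input.
FORWARDED_HEADERS = ("x-forwarded-proto", "x-forwarded-for",
                     "x-forwarded-port", "x-remote-user")

# Constructed: the load balancer's private address, not a value from the thread.
TRUSTED_LB = ["10.1.100.1/32"]


def resolve_request(peer_ip, connection_tls, headers, trusted_proxies=TRUSTED_LB):
    """Work out scheme, client IP and authenticated user for one request.

    peer_ip         -- address of the TCP peer (the LB, or a direct client)
    connection_tls  -- whether this hop itself was TLS
    headers         -- request headers as a dict; names are case-insensitive
    trusted_proxies -- CIDR strings for proxies whose forwarded headers we accept
    'remote_user' is None unless a trusted proxy asserted it.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    peer = ip_address(peer_ip)
    from_proxy = any(peer in ip_network(net) for net in trusted_proxies)

    if not from_proxy:
        # Drop everything the client could have forged and fall back to what
        # is observable on this very connection.
        dropped = [name for name in FORWARDED_HEADERS if name in hdrs]
        return {
            "scheme": "https" if connection_tls else "http",
            "client_ip": str(peer),
            "remote_user": None,
            "dropped_headers": dropped,
        }

    # Trusted hop. Because "http-request add-header" appends a header line, a
    # client-sent X-Forwarded-Proto arrives ahead of the proxy's own value;
    # use the last element (set-header on the LB avoids this entirely).
    proto = hdrs.get("x-forwarded-proto", "https" if connection_tls else "http")
    scheme = proto.split(",")[-1].strip().lower()
    # The rightmost X-Forwarded-For entry is the one our proxy appended.
    xff = hdrs.get("x-forwarded-for", str(peer))
    client_ip = xff.split(",")[-1].strip()
    return {
        "scheme": scheme,
        "client_ip": client_ip,
        "remote_user": hdrs.get("x-remote-user") or None,
        "dropped_headers": [],
    }


if __name__ == "__main__":
    # Request relayed by the LB: forwarded headers are honoured.
    print(resolve_request("10.1.100.1", False, {
        "X-Forwarded-Proto": "https", "X-Forwarded-For": "198.51.100.7",
        "X-Remote-User": "alice"}))
    # Direct hit from another LAN host carrying an identity header: dropped.
    print(resolve_request("10.1.100.200", False, {
        "X-Forwarded-Proto": "https", "X-Remote-User": "admin"}))
```

In the setup from this thread the equivalent controls are a firewall or Apache `Require ip` rule so that port 8000 on the backend is reachable only from the Apache vhost and port 443 only from the LB, plus `set-header` instead of `add-header` on the LB for X-Forwarded-Proto; the function above is the model those controls are meant to enforce.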