Shibboleth SP on reverse proxy in front of Ruby/Rails/Unicorn



cckweiss
Hi,

I am trying to get the following configuration to work:

https://example.cdlib.org has an Apache server that sends all requests from port 443 to http://example.cdlib.org:20225. There is a Ruby/Rails application that listens at port 20225.

I want to install a Shibboleth SP on example.cdlib.org so that all users coming to port 443 are first authenticated at the Apache server and then passed along to the Ruby/Rails application on port 20225 with a valid session and all their attributes available to the application.

I have tried two approaches, and neither really seems to work. First I set up httpd.conf with this:

<Location />
  # Require a Shibboleth session for every path under /
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
  Order allow,deny
  Allow from all
</Location>

# Forward everything (the /Shibboleth.sso handler path included) to the Rails/Unicorn listener
ProxyRequests Off
ProxyPass / http://unicorn.cdlib.org:20225
ProxyPassReverse / http://unicorn.cdlib.org:20225

When I attempt to access a protected resource I am redirected (to the testshib.org IDP) and prompted for my credentials. Two cookies get set, JSESSIONID and _idp_session. However, when I am redirected back to my server from the IDP, I get this error:

502: Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request POST /Shibboleth.sso/SAML2/POST.

Reason: DNS lookup failure for: example.cdlib.org:20225shibboleth.sso

The previous line is not a typo. The error says '...20225shibboleth.sso' which makes little sense to me. I could understand it better if it was '...20225Shibboleth.sso' but the lower-case s really puzzles me.

Despite the fact that the cookies were set by the IDP, the shibd logs show nothing. By nothing, I don't mean there is nothing of interest. I mean there is nothing - no log activity whatsoever.

The other thing I tried was setting up httpd.conf with this:

<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
  Order allow,deny
  Allow from all
</Location>

RewriteEngine On
RewriteLog logs/dmp2-dev.cdlib.org-rewriteLog
RewriteLogLevel 0
# Proxy everything except cgi-bin, files that exist on disk, and three SP handler paths
RewriteCond %{REQUEST_URI} !/cgi-bin/
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-f
RewriteCond %{REQUEST_URI} !/Shibboleth.sso/Session
RewriteCond %{REQUEST_URI} !/Shibboleth.sso/Status
RewriteCond %{REQUEST_URI} !/Shibboleth.sso/Metadata
RewriteRule ^/(.*)$ balancer://dmp2-dev_cluster%{REQUEST_URI} [P,QSA,L]

<Proxy balancer://dmp2-dev_cluster>
  BalancerMember http://dmp2-dev.cdlib.org:20225 max=1 acquire=1
</Proxy>

With this configuration, when I attempt to access a protected resource I am redirected to the IDP to authenticate, redirected back to my reverse proxy, and then passed along to the Ruby/Rails application on port 20225. That all seems to work. I get the same two cookies set. However, I do not appear to have a valid Shibboleth session. Once again, there is absolutely nothing in the shibd logs to show a session getting established by the IDP. The Ruby/Rails application throws this error:

No route matches [POST] "/Shibboleth.sso/SAML2/POST"

I am a systems administrator, not a developer, so I don't know if this is an expected result for this application at this point in its development or not. https://example.cdlib.org/Shibboleth.sso/Status shows me all sorts of lovely data, but /Session says "A valid session was not found."

If I remove all the above configuration and just attempt to access protected static content on example.cdlib.org, everything works exactly as I would expect. I get my cookies, I get a valid session when I look at https://example.cdlib.org/Shibboleth.sso/Session, and I see the session setup in the shibd logs. And, of course, I can see my little protected 'Hello world' HTML page.

Has anyone out there used Shibboleth SP in this way? It seems like a pretty mainstream approach to me. I just want to have a Shibboleth-SP-enabled Apache server sitting in front of an application server running on a different port. I suspect I've missed something very simple, but at this point I need a fresh set of eyes. Or confirmation that what I'm doing really isn't mainstream.

--Ken Weiss
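The layout below is an added example for the setup the post describes; it is not from Ken's message or from the Shibboleth project's documentation. It makes two changes to the first configuration in the post: the whole /Shibboleth.sso handler path is excluded from proxying so mod_shib answers it itself (the assertion consumer at /Shibboleth.sso/SAML2/POST included, which both of the posted configurations forwarded to Rails), and the ProxyPass target carries a trailing slash so the request path is appended after "/" rather than glued onto the port (without it, "/Shibboleth.sso/SAML2/POST" is appended to "http://unicorn.cdlib.org:20225", and mod_proxy reads the lower-cased "20225shibboleth.sso" as part of the hostname it then fails to resolve). It also copies the attributes into request headers, because mod_shib puts them into the Apache request environment, which a process behind a proxy never sees. Hostnames and the port are taken from the post; the header names X-Remote-User and X-Shib-Eppn and the attribute name eppn are assumptions. Apache 2.2 syntax is used to match the post.

```apache
# Added example (Apache 2.2 httpd.conf fragment). Hostnames and port come from
# the post; X-Remote-User, X-Shib-Eppn and the 'eppn' attribute are assumptions.

ProxyRequests Off

# Everything under /Shibboleth.sso/ is the SP's own handler (Session, Status,
# Metadata, SAML2/POST, SLO, ...). The '!' rule must precede the catch-all so
# the assertion consumer is processed by mod_shib, not forwarded to Rails.
ProxyPass        /Shibboleth.sso !

# Trailing slash on the target URL: the remainder of the request path is
# appended verbatim, so without it "Shibboleth.sso/..." lands on the port.
ProxyPass        / http://unicorn.cdlib.org:20225/
ProxyPassReverse / http://unicorn.cdlib.org:20225/

# Handler location: served by mod_shib, never proxied.
<Location /Shibboleth.sso>
  SetHandler shib
</Location>

<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user
  Order allow,deny
  Allow from all

  # Strip any copies of the identity headers a client sends, before anything
  # else runs ('early'), so only values set here reach the backend.
  RequestHeader unset X-Remote-User early
  RequestHeader unset X-Shib-Eppn   early

  # REMOTE_USER is only visible to mod_rewrite after authentication, which is
  # the case for per-directory rules; capture it into an env var for mod_headers.
  RewriteEngine On
  RewriteRule .* - [E=RU:%{REMOTE_USER}]

  # mod_shib exports attributes as environment variables (here 'eppn');
  # mod_headers copies them into request headers for the proxied application.
  RequestHeader set X-Remote-User "%{RU}e"
  RequestHeader set X-Shib-Eppn   "%{eppn}e"
</Location>
```

Setting ShibUseHeaders On in the Location would export every released attribute as a header instead of the two above, at the cost of a wider surface crossing the proxy; the SP strips inbound headers with those names, but the explicit unset is cheap defence in depth. If the mod_rewrite approach from the second configuration is kept, the equivalent fix is a single condition, RewriteCond %{REQUEST_URI} !^/Shibboleth.sso/, in place of the three per-handler exclusions. Whichever way the headers are set, they are only trustworthy if the application cannot be reached except through this proxy: the post proxies over plain HTTP to port 20225 on another host, and anyone who can connect to that port directly can supply their own X-Remote-User, so bind Unicorn to localhost or a Unix socket, or firewall the port to the proxy, before the Rails side starts trusting it.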