We recently had trouble replacing an older CAS server with a new system. The new server would not forward to the requested service after authenticating and the service could not verify the service ticket. We decided to use HAProxy with CAS for the front-end so we could switch back-end services seamlessly.
We used the following HAProxy config, which terminates SSL on the front-end and also speaks SSL to the back-end:

```
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    stats enable
    stats auth someuser:somepassword
    stats uri /haproxyStats
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http-in
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend application-backend

frontend https-in
    bind *:443 ssl crt /etc/haproxy/raw.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend application-backend

backend application-backend
    redirect scheme https if !{ ssl_fc }
    balance leastconn
    option httpclose
    option forwardfor
    cookie JSESSIONID prefix
    #enter the IP of your application here
    server node1 10.0.0.113:443 cookie A check ssl verify none
```

Three things to check before reusing it. `ssl verify none` on the server line tells HAProxy not to verify the back-end certificate, so anyone who can get between the proxy and the CAS host can impersonate it; on anything but a fully trusted segment use `verify required` together with a `ca-file`. The stats page is protected only by the plaintext `stats auth` credentials and is reachable through the public front-ends, so change them and restrict who can reach `/haproxyStats`. And `reqadd` is a legacy directive that HAProxy 2.1 removed; on current releases the equivalent is `http-request set-header X-Forwarded-Proto https`.
This was all that was required to proxy CAS. However, we regularly use the client IP address in the CAS logs for reporting and security, and by default CAS now records the HAProxy address as the client IP for every visitor, because the proxy is the TCP peer Tomcat accepts the connection from. Because we included `option forwardfor` on the back-end, HAProxy adds the client's real address to the request as an HTTP header:
X-Forwarded-For: x.x.x.x
Luckily, Tomcat ships a Valve, RemoteIpValve, that replaces the peer address with the one in that header. It only does so for requests that arrive from a proxy listed in internalProxies (or trustedProxies), and it takes the right-most header value that is not itself a proxy, so a client that sends its own X-Forwarded-For, or that reaches Tomcat directly, cannot choose what gets logged. I changed the <Host> section of tomcat/conf/server.xml to the following:
```xml
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <!-- Added for HAProxy: internalProxies must match the address HAProxy connects from -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.0\.0\.160"
           protocolHeader="x-forwarded-proto" />
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs"
           requestAttributesEnabled="true"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
```
After making this change and restarting Tomcat, the CAS logs began showing the client's actual IP address. The AccessLogValve is listed after RemoteIpValve and has requestAttributesEnabled="true", so %h in the access log shows the forwarded address too; without that attribute the access log keeps recording the proxy.
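To make the selection rule concrete, here is an added example (written for this page, not Tomcat's own source) that re-implements in Python the address-selection logic RemoteIpValve applies: honour the forwarded header only when the TCP peer is a listed proxy, then walk the header from right to left and take the first address that is not a proxy. The internalProxies value is the 10.0.0.160 from the server.xml above; the client addresses and headers are constructed sample input. It also includes the common mistake of trusting the left-most value, so the two behaviours can be compared on a request carrying a forged header.

```python
"""Illustration of the client-address rule used by Tomcat's RemoteIpValve.

Added example: a re-implementation of the documented behaviour, not Tomcat's
code. Sample addresses and headers below are constructed.
"""
import re
from typing import Dict, Optional

# Same value as internalProxies in the server.xml above (the HAProxy host).
INTERNAL_PROXIES = re.compile(r"10\.0\.0\.160")
REMOTE_IP_HEADER = "x-forwarded-for"   # RemoteIpValve's default remoteIpHeader


def resolve_client_ip(
    remote_addr: str,
    headers: Dict[str, str],
    internal_proxies: re.Pattern = INTERNAL_PROXIES,
    trusted_proxies: Optional[re.Pattern] = None,
    header: str = REMOTE_IP_HEADER,
) -> str:
    """Return the address RemoteIpValve would expose as the client address.

    remote_addr: the TCP peer Tomcat accepted the connection from.
    headers:     request headers with lower-cased names; several
                 X-Forwarded-For lines are treated as one comma-joined value.
    """
    def is_proxy(addr: str) -> bool:
        return bool(internal_proxies.fullmatch(addr)) or bool(
            trusted_proxies and trusted_proxies.fullmatch(addr))

    # 1. A request not coming from a known proxy keeps its peer address; any
    #    forwarded header it carries is attacker-controlled and is ignored.
    if not is_proxy(remote_addr):
        return remote_addr

    # 2. Walk the forwarded chain right to left: the right-most entry was
    #    appended by our own proxy and is therefore the one to trust.
    hops = [h.strip() for h in headers.get(header, "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_proxy(hop):
            continue            # one of our proxies, keep looking leftwards
        return hop              # first non-proxy address seen from the right

    # 3. Header absent, or made only of proxy addresses: fall back to the peer.
    return remote_addr


def naive_first_hop(remote_addr: str, headers: Dict[str, str]) -> str:
    """The common mistake: trust the left-most X-Forwarded-For value."""
    xff = headers.get(REMOTE_IP_HEADER)
    return xff.split(",")[0].strip() if xff else remote_addr


if __name__ == "__main__":
    # Constructed: a visitor at 203.0.113.7 who also sends a forged header.
    # HAProxy appends its own observation, so Tomcat sees both values.
    forged = {"x-forwarded-for": "192.0.2.10, 203.0.113.7"}
    print("valve :", resolve_client_ip("10.0.0.160", forged))   # 203.0.113.7
    print("naive :", naive_first_hop("10.0.0.160", forged))     # 192.0.2.10
    # Constructed: a client bypassing HAProxy and connecting to Tomcat directly.
    direct = {"x-forwarded-for": "192.0.2.10"}
    print("direct:", resolve_client_ip("198.51.100.9", direct)) # 198.51.100.9
```

The second case is why internalProxies matters: if Tomcat's own port is reachable past the proxy, a forged header from a direct connection is still ignored because 198.51.100.9 is not a listed proxy. Listing an overly broad range there (or the whole of 10.0.0.0/8) would let any host in that range spoof the logged address.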
This was my first time using HAProxy; moving forward I would like to tune the SSL settings based on Nathan Ollerenshaw's post Getting an A+ with SSLLabs.
Hello, thanks for this tutorial.
I'm deploying HAProxy, Moodle and CAS authentication.
HAProxy has the public IP on the frontend; in the backend I have my Moodle private IP.
In my config.php I put the public IP. It works well; I can access the Moodle platform behind the public IP of my HAProxy.
But when I change the authentication from manual to CAS SSO, I'm always redirected to the private IP of my Moodle, and users can't authenticate correctly! How can I fix it, please?