Using HAProxy with CAS

We recently had trouble replacing an older CAS server with a new system: the new server would not forward to the requested service after authenticating, and the service could not validate the service ticket. We decided to put HAProxy in front as the front-end so we could switch back-end servers seamlessly.

We used the following HAProxy config, which allowed us to provide front-end and back-end SSL.

global
 # the syslog address belongs before the facility: log <address> <facility>
 log local0
 log local1 notice
 maxconn 4096
 user haproxy
 group haproxy
 tune.ssl.default-dh-param 2048

defaults
 log global
 mode http
 option httplog
 option dontlognull
 option forwardfor
 option http-server-close
 stats enable
 # replace with real credentials; the stats page is reachable at /haproxyStats
 stats auth someuser:somepassword
 stats uri /haproxyStats
 timeout connect 5000
 timeout client 50000
 timeout server 50000

frontend http-in
 bind *:80
 reqadd X-Forwarded-Proto:\ http
 default_backend application-backend

frontend https-in
 bind *:443 ssl crt /etc/haproxy/raw.pem
 reqadd X-Forwarded-Proto:\ https
 default_backend application-backend

backend application-backend
 redirect scheme https if !{ ssl_fc }
 balance leastconn
 option httpclose
 option forwardfor
 cookie JSESSIONID prefix

 # replace APPLICATION_IP with the IP of your application
 # "verify none" means HAProxy does not check the back-end certificate
 server node1 APPLICATION_IP:443 cookie A check ssl verify none

This was all that was required for proxying CAS. However, we regularly use the client IP address in the CAS logs for reporting and security, and by default CAS will now record the HAProxy IP address as the client address for every visitor to the site. Because we included “option forwardfor” on the back-end, the client’s real IP address is added to the HTTP request headers as:

X-Forwarded-For: x.x.x.x

Luckily, Tomcat ships a Valve that uses this header as the client IP. I changed the <Host> section of tomcat/conf/server.xml to the following:

<Host name="localhost" appBase="webapps"
 unpackWARs="true" autoDeploy="true">

 <!-- Added for HAProxy: take the client address from X-Forwarded-For
      and the scheme from X-Forwarded-Proto -->
 <Valve className="org.apache.catalina.valves.RemoteIpValve"
 protocolHeader="x-forwarded-proto" />

 <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
 prefix="localhost_access_log" suffix=".txt"
 pattern="%h %l %u %t &quot;%r&quot; %s %b" />

</Host>

After making this change and a restart the CAS logs began showing the client’s actual IP address.
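To show why the valve can be trusted with a header that any client could also send, here is an added example (not Tomcat's or the post's own code) that models RemoteIpValve's documented algorithm: the X-Forwarded-For hops are walked from right to left, hops matching internalProxies are dropped, hops in trustedProxies are recorded, and the first other hop becomes the client address; the header is only consulted at all when the TCP peer is itself an internal or trusted proxy. The Request class, the sample addresses and the use of ipaddress networks in place of Tomcat's default internalProxies regex are all constructed assumptions for this example.

```python
"""Model of how Tomcat's RemoteIpValve turns X-Forwarded-For into the client IP.

Added example, not Tomcat's code. Because HAProxy ("option forwardfor") appends
the real peer address as the rightmost hop, a value forged by the client sits
further left and is never chosen.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: approximates Tomcat's default internalProxies pattern (RFC 1918,
# link-local, loopback) with network objects instead of a regex.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "::1/128")]


@dataclass
class Request:
    """Constructed stand-in for the request fields the valve rewrites."""
    remote_addr: str                      # TCP peer address
    headers: dict = field(default_factory=dict)  # canonical header spelling
    secure: bool = False
    scheme: str = "http"
    server_port: int = 80


def is_internal_proxy(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage never matches the proxy pattern
    return any(addr in net for net in INTERNAL_PROXIES)


def resolve_client(req: Request, trusted_proxies=()) -> str:
    """Rewrite req in place the way RemoteIpValve does and return the client IP."""
    if not (is_internal_proxy(req.remote_addr) or req.remote_addr in trusted_proxies):
        # The peer is not a proxy we trust: headers are ignored, so a forged
        # X-Forwarded-For on a direct connection cannot change the logged address.
        return req.remote_addr

    raw = req.headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    proxies_seen = []
    client = req.remote_addr
    idx = len(hops) - 1
    while idx >= 0:  # rightmost hop first: the value HAProxy itself appended
        hop = hops[idx]
        idx -= 1
        if is_internal_proxy(hop):
            continue  # internal proxy: dropped silently
        if hop in trusted_proxies:
            proxies_seen.insert(0, hop)  # trusted proxy: recorded, keep walking
            continue
        client = hop  # first hop that is not a proxy: the real client
        break

    req.remote_addr = client
    remaining = hops[:idx + 1]  # hops left of the client stay in the header
    if remaining:
        req.headers["X-Forwarded-For"] = ", ".join(remaining)
    else:
        req.headers.pop("X-Forwarded-For", None)
    if proxies_seen:
        req.headers["X-Forwarded-By"] = ", ".join(proxies_seen)

    # protocolHeader="x-forwarded-proto": an https value marks the request secure,
    # which is what keeps CAS from redirecting to http:// URLs behind the proxy.
    proto = req.headers.get("X-Forwarded-Proto", "").lower()
    if proto == "https":
        req.secure, req.scheme, req.server_port = True, "https", 443
    elif proto:
        req.secure, req.scheme, req.server_port = False, "http", 80
    return client


if __name__ == "__main__":
    # Constructed traffic: HAProxy at 10.0.0.5 forwarding for client 203.0.113.7,
    # which also sent its own forged X-Forwarded-For value (198.51.100.9).
    r = Request("10.0.0.5", {"X-Forwarded-For": "198.51.100.9, 203.0.113.7",
                             "X-Forwarded-Proto": "https"})
    print(resolve_client(r), r.secure, r.headers)  # 203.0.113.7 True {...}
```

The fourth situation worth checking is an HAProxy host with a public address: it matches neither the default internalProxies pattern nor an empty trustedProxies list, so the valve leaves the request untouched and the logs keep showing the proxy IP until the proxy is listed in one of those attributes.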

This is my first time using HAProxy; moving forward I would like to tune the SSL settings based on Nathan Ollerenshaw’s post Getting an A+ with SSLLabs.
