We recently had trouble replacing an older CAS server with a new system. The new server would not forward to the requested service after authenticating and the service could not verify the service ticket. We decided to use HAProxy for the front-end so we could switch back-end services seamlessly.
We used the following HAProxy config, which allowed us to terminate SSL on the front-end and also speak SSL to the back-end:

    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option forwardfor
        option http-server-close
        stats enable
        stats auth someuser:somepassword
        stats uri /haproxyStats
        timeout connect 5000
        timeout client 50000
        timeout server 50000

    frontend http-in
        bind *:80
        reqadd X-Forwarded-Proto:\ http
        default_backend application-backend

    frontend https-in
        bind *:443 ssl crt /etc/haproxy/raw.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend application-backend

    backend application-backend
        # plain-HTTP requests are bounced to HTTPS before reaching the application
        redirect scheme https if !{ ssl_fc }
        balance leastconn
        option httpclose
        option forwardfor
        cookie JSESSIONID prefix
        # enter the IP of your application here
        # "ssl verify none": HAProxy encrypts to the back-end but does not verify its certificate
        server node1 10.0.0.113:443 cookie A check ssl verify none
This was all that was required for proxying CAS. However, we regularly use the client IP address in the CAS logs for reporting and security, and by default the logs will now show the HAProxy address as the client IP for every visitor to the site. Because we included the “option forwardfor” flag on the back-end, the client’s real IP address is added to the HTTP request headers as:
X-Forwarded-For: x.x.x.x
Luckily, there is a Valve available to use this address as the client IP. I changed my <Host> section of tomcat/conf/server.xml to the following:
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
      <!-- Added for HAProxy: trust X-Forwarded-For / X-Forwarded-Proto only when the
           request comes from the proxy address listed in internalProxies -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="10\.0\.0\.160"
             protocolHeader="x-forwarded-proto" />
      <!-- requestAttributesEnabled makes %h log the address resolved by RemoteIpValve -->
      <Valve className="org.apache.catalina.valves.AccessLogValve"
             directory="logs"
             requestAttributesEnabled="true"
             prefix="localhost_access_log" suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>
After making this change and a restart the CAS logs began showing the client’s actual IP address.
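To see why the internalProxies setting matters, here is an added model of how RemoteIpValve resolves the client address from X-Forwarded-For under the configuration above. It is not Tomcat's code, and the peer addresses and header values are constructed; only 10.0.0.160 (the HAProxy box) is treated as an internal proxy, matching the server.xml.

```python
import re

# Constructed model of Tomcat's RemoteIpValve header handling (not Tomcat code).
# Mirrors the server.xml above: only the HAProxy box is an internal proxy.
INTERNAL_PROXIES = re.compile(r"10\.0\.0\.160")  # same regex as internalProxies=
TRUSTED_PROXIES = re.compile(r"(?!)")             # trustedProxies not set: matches nothing
REMOTE_IP_HEADER = "x-forwarded-for"
PROTOCOL_HEADER = "x-forwarded-proto"


def resolve_client(peer_addr, headers):
    """Return (client_ip, scheme, leftover_x_forwarded_for) as the valve would.

    peer_addr: address of the TCP peer that connected to Tomcat.
    headers:   request headers (case-insensitive names).
    """
    headers = {k.lower(): v for k, v in headers.items()}
    xff = headers.get(REMOTE_IP_HEADER)

    # The valve ignores the forwarded headers unless the peer itself is an
    # internal proxy, so a client connecting directly cannot spoof its address.
    if not INTERNAL_PROXIES.fullmatch(peer_addr):
        return peer_addr, "http", xff

    client_ip = peer_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk right to left (HAProxy appends the real peer on the right): skip
    # internal/trusted proxies and stop at the first untrusted hop.
    while hops:
        hop = hops.pop()
        if INTERNAL_PROXIES.fullmatch(hop) or TRUSTED_PROXIES.fullmatch(hop):
            continue
        client_ip = hop
        break

    # Whatever is left of the client address stays in X-Forwarded-For untrusted.
    leftover = ",".join(hops) or None
    scheme = "https" if headers.get(PROTOCOL_HEADER, "").lower() == "https" else "http"
    return client_ip, scheme, leftover
```

A client-supplied X-Forwarded-For header ends up to the left of the address HAProxy appends, so it is never chosen as the logged client IP.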
This is my first time using HAProxy; moving forward I would like to tune the SSL based on Nathan Ollerenshaw’s post Getting an A+ with SSLLabs.