I encountered this issue after setting SERVER_SSL_ENABLED to "false" and SERVER_PORT to "8080".
This happened while using F5 and Kubernetes Ingress with Apereo CAS version 6.6.7. I was able to solve the problem by adding the following line to the application.properties file:

server.forward-headers-strategy=framework

Hope this helps someone!

On Thursday, November 9, 2023 at 08:51:14 UTC+3 Meysam Shirazi wrote:
> I did not test it by myself because I'm not using embedded tomcat, anyway
> the main config was server.tomcat.redirect-context-root = false and the /hweproxy
> was a sample config so you should replace your context path.
> I think including the "/themes/**" pattern is the best way in this situation.
>
> On Wednesday, November 8, 2023 at 11:59:57 PM UTC+3:30 atilling wrote:
>> I know the F5 is sending x-forwarded-proto, x-forwarded-port,
>> x-forwarded-by, and x-forwarded-for
>>
>> I tried the setting you suggested from that case;
>> server.servlet.context-path = /hweproxy breaks the application
>> altogether, the other settings seem to have no effect.
>>
>> Looking at CasWebSecurityConfigurerAdapter in GIT it looks like cas 7 has
>> patterns.add("/themes/**"); but cas 6.6.x does not. I'm thinking the only
>> fix is to add my own org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter to my
>> overlay that includes the "/themes/**" pattern?
>>
>> On Tuesday, November 7, 2023 at 10:25:45 PM UTC-5 Meysam Shirazi wrote:
>>> For embedded tomcat in Spring boot it seems that tomcat ignores the
>>> x-forward-* setting for the redirect so you have to disable context
>>> path redirects, so based on this issue
>>> <https://github.com/spring-projects/spring-boot/issues/22908> (I didn't
>>> test it myself) you can use these settings:
>>> server.port = 8081
>>> server.servlet.context-path = /hweproxy
>>> server.forward-headers-strategy = native
>>> server.tomcat.redirect-context-root = false
>>>
>>> You can disable root redirect by
>>> mapperContextRootRedirectEnabled="false" on the context too
>>> <https://stackoverflow.com/questions/56430476/spring-boot-application-with-embedded-tomcat-behind-reverse-proxy-not-redirectin>.
>>> I used Nginx as a reverse proxy without any problem but I can set
>>> X-Forward-* headers in proxy config, but about F5 I don't know what
>>> happens there because I don't have any access to it! :))
>>>
>>> On Tuesday, November 7, 2023 at 9:16:12 PM UTC+3:30 atilling wrote:
>>>> We're using the embedded tomcat with the settings:
>>>>
>>>> server.port=8080
>>>> server.ssl.enabled=false
>>>> server.tomcat.remoteip.port-header=x-forwarded-port
>>>> server.tomcat.remoteip.protocol-header=x-forwarded-proto
>>>> server.tomcat.remoteip.remote-ip-header=x-forwarded-for
>>>>
>>>> Can I add those tomcat settings to the embedded tomcat?
>>>>
>>>> Our CSS is in /etc/cas/static/themes/ccmain
>>>>
>>>> and we have the setting for the path in cas.properties
>>>>
>>>> cas.theme.paramName=cc_main
>>>> cas.theme.defaultThemeName=cc_main
>>>> #externalize templates
>>>> spring.thymeleaf.prefix=file:/etc/cas/templates/
>>>> spring.web.resources.static-locations=classpath:/META-INF/resources/, \
>>>> classpath:/resources/,classpath:/static/, \
>>>> classpath:/public/,file:/etc/cas/templates/,file:/etc/cas/static/
>>>>
>>>> I do not understand why it works on 8080 but not on the F5 pulling 8080
>>>> to 443, what is triggering redirects when the traffic comes through the F5?
>>>>
>>>> On Tuesday, November 7, 2023 at 7:18:04 AM UTC-5 Meysam Shirazi wrote:
>>>>> As Ray said it's because you use a custom theme and /themes/** is not
>>>>> defined in the list of excluded endpoints from web security, so Spring
>>>>> Security redirects the request to the secure channel, which means a redirect to port
>>>>> 8443 (default port) that does not exist in your situation!
>>>>> I think there are multiple ways to deal with it:
>>>>>
>>>>> - adding /themes/** to the URL map in
>>>>> CasWebSecurityConfigurerAdapter to exclude/ignore it from web security
>>>>> - copy the static resource from /themes/custom to the static folder
>>>>> - and the best way if you deploy CAS on tomcat is to tell tomcat
>>>>> about the proxy:
>>>>>
>>>>> [image: tomcat_proxy.PNG]
>>>>>
>>>>> On Monday, November 6, 2023 at 9:22:15 PM UTC+3:30 atilling wrote:
>>>>>> VIP only connects external 443 to 8080 at the cas servers
>>>>>> We have the same config with our production cas 5.1.x servers and CSS
>>>>>> is displaying fine.
>>>>>>
>>>>>> On Friday, November 3, 2023 at 6:19:18 PM UTC-4 Ray Bon wrote:
>>>>>>> I see /css/** in my startup but not /themes/**. That could be
>>>>>>> because we have no custom theme.
>>>>>>> Could it be a problem with a rewrite rule in VIP?
>>>>>>>
>>>>>>> Ray
>>>>>>>
>>>>>>> On Fri, 2023-11-03 at 07:24 -0700, atilling wrote:
>>>>>>>
>>>>>>> Notice: This message was sent from outside the University of
>>>>>>> Victoria email system. Please be cautious with links and sensitive
>>>>>>> information.
>>>>>>>
>>>>>>> There is nothing on the VIP that specifies any security for any URI.
>>>>>>>
>>>>>>> The developer console shows that cas.css is redirecting to cas.css,
>>>>>>>
>>>>>>> [image: Screenshot 2023-11-03 at 10.22.53 AM.png]
>>>>>>>
>>>>>>> During startup I'm seeing:
>>>>>>>
>>>>>>> INFO [org.springframework.security.web.DefaultSecurityFilterChain] -
>>>>>>> <Will not secure Ant [pattern='/css/**']>
>>>>>>>
>>>>>>> On Thursday, November 2, 2023 at 3:22:24 PM UTC-4 Ray Bon wrote:
>>>>>>>
>>>>>>> Is it possible that vip...themes is protected/secured and needs
>>>>>>> login to access?
>>>>>>> Check your developer console to see where the redirects are going.
>>>>>>> Check cas logs to see which URIs are unprotected (shows on startup).
>>>>>>>
>>>>>>> Ray
>>>>>>>
>>>>>>> On Thu, 2023-11-02 at 09:24 -0700, atilling wrote:
>>>>>>>
>>>>>>> Offloading SSL to F5 BigIP
>>>>>>> In cas.properties we have:
>>>>>>> server.port=8080
>>>>>>> server.ssl.enabled=false
>>>>>>>
>>>>>>> if we go to https://node.domain.tld:8080/cas/login the page
>>>>>>> displays fine and the CSS is loaded
>>>>>>>
>>>>>>> if we go to https://vip.domain.tld/cas/login the page displays but
>>>>>>> the CSS is not loaded
>>>>>>>
>>>>>>> https://node.domain.tld:8080/cas/login/themes/cc_main/css/cas.css
>>>>>>> loads fine
>>>>>>>
>>>>>>> https://vip.domain.tld/cas/login/themes/cc_main/css/cas.css throws
>>>>>>> the error ERR_TOO_MANY_REDIRECTS
>>>>>>>
>>>>>>> Tried adding
>>>>>>> server.tomcat.remoteip.port-header=x-forwarded-port
>>>>>>> server.tomcat.remoteip.protocol-header=x-forwarded-proto
>>>>>>> server.tomcat.remoteip.remote-ip-header=x-forwarded-for
>>>>>>>
>>>>>>> And there was no change.
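The redirect loop the thread diagnoses (a theme path not excluded from web security, plus an application that does not see the proxy's X-Forwarded-Proto) can be reproduced with a small model. This is an added example, not CAS or Spring code: the host name, the context-relative paths, the `ant_match` helper and the `strategy` values are constructed or simplified here, and the redirect target keeps the same host and path, which is the shape the browser console in the thread showed (cas.css redirecting to cas.css), rather than the exact port Spring Security's port mapper would choose.

```python
from typing import Dict, List, Optional, Tuple

HOST = "vip.domain.tld"   # constructed VIP name, as in the thread

def ant_match(pattern: str, path: str) -> bool:
    """Minimal Ant-style matcher: '/css/**' matches '/css' and anything below it;
    any other pattern is an exact path. Enough for the exclusions discussed here."""
    if pattern.endswith("/**"):
        prefix = pattern[:-2]                 # '/css/'
        return path.startswith(prefix) or path == prefix[:-1]
    return path == pattern

def effective_scheme(headers: Dict[str, str], strategy: str) -> str:
    """Scheme the application believes the client used.
    'none'  : trust only the socket, which is plain HTTP on 8080 behind the F5.
    'framework' / 'native': honour X-Forwarded-Proto set by the proxy."""
    if strategy in ("framework", "native"):
        return headers.get("X-Forwarded-Proto", "http").lower()
    return "http"

def app_response(path: str, headers: Dict[str, str], strategy: str,
                 unsecured: List[str]) -> Tuple[int, Optional[str]]:
    """Simulated channel check: paths excluded from web security are served as-is;
    everything else must look like HTTPS or gets redirected to the secure channel."""
    if any(ant_match(p, path) for p in unsecured):
        return 200, None
    if effective_scheme(headers, strategy) != "https":
        return 302, f"https://{headers['Host']}{path}"
    return 200, None

def fetch_via_proxy(path: str, strategy: str, unsecured: List[str],
                    max_hops: int = 5) -> str:
    """Browser -> F5 (TLS offload) -> app on 8080. The proxy always forwards plain
    HTTP with X-Forwarded-* set; the browser follows every redirect back to the VIP."""
    for _ in range(max_hops):
        headers = {"Host": HOST, "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
        status, location = app_response(path, headers, strategy, unsecured)
        if status == 200:
            return "ok"
        path = location.split(HOST, 1)[1]     # same path again: the loop
    return "ERR_TOO_MANY_REDIRECTS"

if __name__ == "__main__":
    css = "/themes/cc_main/css/cas.css"       # constructed, context-relative
    print("no forwarded headers, /css/** only :", fetch_via_proxy(css, "none", ["/css/**"]))
    print("forward-headers-strategy=framework :", fetch_via_proxy(css, "framework", ["/css/**"]))
    print("/themes/** excluded                :", fetch_via_proxy(css, "none", ["/css/**", "/themes/**"]))
```

The first call reproduces ERR_TOO_MANY_REDIRECTS; the other two are the two fixes the thread settles on, honouring the forwarded headers or excluding `/themes/**` from web security.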