grouper-users - RE: [grouper-users] containerized grouper noob questions

Subject: Grouper Users - Open Discussion List

  • From: "Coleman, Erik C" <>
  • To: Baron Fujimoto <>, Grouper Users <>
  • Subject: RE: [grouper-users] containerized grouper noob questions
  • Date: Thu, 16 Jul 2020 04:32:20 +0000

Baron,

We do exactly the last part-- our TLS is terminated at the AWS App Load
Balancer, and then everything is proxied non-SSL behind the ALB to the
containers, with separate UI and ws container. We're still on 2.4.0 so
Apache is in the middle of that using AJP to Tomcat. So ours looks something
like:

RP: <https://grouperapp.someschool.edu/grouper> (port 443 on ALB) --> UI: http://ui-container-host:80 (Apache) -> http://localhost:8009 (AJP)

I think this is simplified in 2.5.x.

-Erik Coleman


-----Original Message-----
From:
<> On Behalf Of Baron Fujimoto
Sent: Tuesday, July 14, 2020 4:25 PM
To: Grouper Users <>
Subject: Re: [grouper-users] containerized grouper noob questions

Ahh, ok. To make sure I understand, the reverse proxy listens on the standard
port 443, and depending on the URI path routes the traffic to the appropriate
UI or WS docker container:

RP: <https://grouper.example.edu/grouper> (port 443) -> UI: <http(s?)://grouper.example.edu:8080/grouper>
RP: <https://grouper.example.edu/grouper-ws> (port 443) -> WS: <http(s?)://grouper.example.edu:8888/grouper-ws>

Currently, we terminate our TLS in the shared Tomcat servlet container. How
do you handle this when using the reverse proxy? Do you move the TLS
termination up to the RP and connect via http to the proxied docker
containers?

On Mon, Jul 13, 2020 at 10:51:48PM -0400, Darren Boss wrote:
>One option would be to set up a reverse proxy in front of the
>containers that directs traffic to the correct container based on the
>url pattern. That reverse proxy is grouper.example.edu and it has rules
>so traffic to /grouper goes to the ui container while /grouper-ws goes
>to the web services container. In Kubernetes, this is a core part of
>the platform and called the ingress controller which is typically done
>via Nginx.
>
>On Mon, Jul 13, 2020 at 8:15 PM Baron Fujimoto <> wrote:
>>
>> On Thu, Jul 02, 2020 at 05:15:31PM -1000, Baron Fujimoto wrote:
>> >We're dipping our toes in the water of containerized Grouper, generally
>> >upgrading from 2.2 to 2.5. Upgrade issues aside, I have some basic
>> >questions about containerized Grouper that I hope aren't too stupid. I
>> >poked around the Grouper documentation I could find but didn't find what
>> >I was looking for – I'm happy to RTFM if someone will point me to TFM.
>> >
>>
>> Different question:
>>
>> Our current grouper UI and WS deployments share a common hostname and port
>> (443). E.g.:
>>
>> UI: <https://grouper.example.edu.grouper/grouper>
>> WS: <https://grouper.example.edu.grouper/grouper-ws>
>>
>> We achieve this by running both services out of a shared Tomcat servlet
>> container. With dockerized Grouper the best practice seems to be to
>> run each service in its own docker container (each with its own Tomcat
>> servlet container)? Since each service can't listen to the same port
>> (right?), what is the recommended way of handling this? Just having, say,
>> the WS, listen to a different port? (Assuming we want to retain the same
>> hostname.) E.g.:
>>
>> UI: <https://grouper.example.edu.grouper/grouper>
>> WS: <https://grouper.example.edu.grouper:9443/grouper>
>>
>> --
>> UH Information Technology Services : Identity & Access Mgmt,
>> Middleware minutas cantorum, minutas balorum, minutas carboratum
>> desendus pantorum
>
>
>
>--
>Darren Boss
>Senior Programmer/Analyst
>Programmeur-analyste principal
>

--
UH Information Technology Services : Identity & Access Mgmt, Middleware
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
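
The layout discussed in this thread (TLS terminated at the reverse proxy, path-based routing to separate UI and WS containers over plain HTTP), sketched as an Nginx configuration. This is an added example, not part of the original messages or of the Grouper project; the upstream hosts `ui-container` and `ws-container` and the certificate paths are assumptions, and ports 8080/8888 follow the example in the thread.

```nginx
# Added example. Upstream hostnames and certificate paths are assumptions;
# ports 8080 (UI) and 8888 (WS) are the ones used in the thread's example.
upstream grouper_ui { server ui-container:8080; }
upstream grouper_ws { server ws-container:8888; }

# Port 80 only redirects; no application traffic is served in cleartext
# on the public side.
server {
    listen 80;
    server_name grouper.example.edu;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name grouper.example.edu;

    # TLS is terminated here instead of in Tomcat.
    ssl_certificate     /etc/nginx/tls/grouper.example.edu.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/grouper.example.edu.key;  # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Overwrite (do not append to) forwarding headers so a client cannot
    # spoof its address or the original scheme. The backend still has to be
    # configured to honour these headers; how is backend-specific.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-For   $remote_addr;

    # Trailing slashes keep /grouper/ from also matching /grouper-ws/...
    # proxy_pass without a URI part forwards the request path unchanged.
    location /grouper-ws/ { proxy_pass http://grouper_ws; }
    location /grouper/    { proxy_pass http://grouper_ui; }
    location = /grouper   { return 301 /grouper/; }

    # Anything else is not routed to either container.
    location /            { return 404; }
}
```

Because the hop from the proxy to the containers is plain HTTP, the container ports should be reachable only from the proxy (for example on a private Docker network or security group), not published on a public interface.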


