
shibboleth-dev - Virtual host problem

Subject: Shibboleth Developers

Virtual host problem


  • From: Scott Cantor <>
  • To:
  • Subject: Virtual host problem
  • Date: Tue, 27 Apr 2004 15:04:26 -0400
  • Organization: The Ohio State University

Ok, turns out there's a problem in 1.2 that is a change from 1.1, but that
only worked before by accident. I imagine this is just something every
web-iso hits, but I don't do any vhosting or proxying, so I didn't
understand the problem until now.

Apache can be told within a vhost what the name of the host and the port
should be, even if they don't match the actual data in the request. For
example:

Listen 127.0.0.1:8900
<VirtualHost 127.0.0.1:8900>
ServerName sunra.internet2.edu
Port 443
</VirtualHost>

My physical request can be to port 8900
GET HTTP/1.1
Host: localhost

Any redirects or computed URLs in Apache will be
http://sunra.internet2.edu:443

Problem being the http part. You *can't* tell Apache to use https because
the physical request on port 8900 is http, and that's the deciding factor.
This is a problem if your front-end to sunra is speaking https and proxying
the request to http on 8900.

We got around this for the SHIRE stuff in 1.1 by supporting absolute SHIRE
URLs, and we still do, but they don't work any more because in Apache 2.0,
you have to be able to check the actual request to the SHIRE and compare to
the URL you want to handle so you can skip the request in all other cases.
1.3 now works like this to keep the code aligned, so what worked in Shib 1.1
now breaks.

Independently, this all didn't work right anyway. The target parameter in
the redirect was always just http in this case and that requires ugly
work-arounds. So it only half-worked before.

We could do more bizarre comparisons to decide whether a request is really
for the SHIRE, but that doesn't solve the target problem anyway. My
suggestion is to fix the Apache bug and add our own command to httpd.conf to
force the scheme to be https in any computed URLs. That should fix both the
target value and will cause a request to
http://localhost:8900/Shibboleth.shire to be mapped internally to
https://sunra.internet2.edu/Shibboleth.shire, which should then match what
shibboleth.xml is giving us and get the handler to run when it should.

Something similar needs to happen in the ISAPI module by adding to the
<Site> entries in shibboleth.xml to fix what amounts to the same problem.
ISAPI has an API for asking "is the port secure?", but that's not always the
right question.

-- Scott
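The scheme problem described in the message above, as an added example that is not part of the original post or of the Shibboleth code: a small Python model of how a server builds an absolute URL from a vhost's advertised ServerName and Port plus the scheme of the physical connection, with a hypothetical force_scheme setting standing in for the httpd.conf command Scott proposes. The host name sunra.internet2.edu, port 8900, the localhost Host header and the /Shibboleth.shire path are taken from the message; the VHost and Request classes, the function names and the canonical() comparison are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class VHost:
    """What a vhost advertises about itself, independent of the physical socket."""
    server_name: str                     # Apache ServerName
    port: int                            # Apache Port (the advertised port, 443 here)
    force_scheme: Optional[str] = None   # hypothetical override, not a real Apache directive


@dataclass(frozen=True)
class Request:
    """What actually arrived on the socket (plain http from a TLS-terminating proxy)."""
    scheme: str       # scheme of the physical connection
    host_header: str  # Host: header as sent by the proxy
    port: int         # physical listening port
    path: str


def computed_url(vhost: VHost, request: Request) -> str:
    """Build the absolute URL a server would use for redirects and handler matching.

    The scheme comes from the physical connection unless the vhost forces one.
    Host and port come from the vhost; the port is elided only when it is the
    default for the scheme that was actually chosen.
    """
    scheme = vhost.force_scheme or request.scheme
    if vhost.port == DEFAULT_PORTS.get(scheme):
        authority = vhost.server_name
    else:
        authority = f"{vhost.server_name}:{vhost.port}"
    return f"{scheme}://{authority}{request.path}"


def canonical(url: str) -> tuple:
    """Normalize to (scheme, host, port, path) so explicit default ports compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port, parts.path or "/")


def is_handler_request(vhost: VHost, request: Request, configured_handler: str) -> bool:
    """True only if the computed URL for this request equals the configured handler URL."""
    return canonical(computed_url(vhost, request)) == canonical(configured_handler)


# Constructed sample input mirroring the scenario in the message.
SHIRE_URL = "https://sunra.internet2.edu/Shibboleth.shire"   # URL the module is configured to handle
PROXIED_REQUEST = Request(scheme="http", host_header="localhost", port=8900, path="/Shibboleth.shire")
VHOST_PLAIN = VHost(server_name="sunra.internet2.edu", port=443)
VHOST_FORCED = VHost(server_name="sunra.internet2.edu", port=443, force_scheme="https")

if __name__ == "__main__":
    # Without the override the backend sees plain http and the computed URL never matches.
    print(computed_url(VHOST_PLAIN, PROXIED_REQUEST))                      # http://sunra.internet2.edu:443/Shibboleth.shire
    print(is_handler_request(VHOST_PLAIN, PROXIED_REQUEST, SHIRE_URL))     # False
    # Forcing the advertised scheme makes the computed URL line up with the configured one.
    print(computed_url(VHOST_FORCED, PROXIED_REQUEST))                     # https://sunra.internet2.edu/Shibboleth.shire
    print(is_handler_request(VHOST_FORCED, PROXIED_REQUEST, SHIRE_URL))    # True
```

The first computed URL reproduces the http://sunra.internet2.edu:443 form from the message: the port is kept because 443 is not the default for http. Once the scheme is forced to https the same port is recognised as the default and dropped, so the handler comparison succeeds; canonical() additionally makes an explicit ":443" compare equal to an implicit one, which is the kind of comparison a module has to do when it cannot trust the physical scheme behind a TLS-terminating proxy.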



Archive powered by MHonArc 2.6.16.