CAS is recommended for use over https; the earlier post only covered an http setup. The https and http configurations are largely the same, and today we configure it with https:
1. Certificate issuance
2. Server-side configuration
3. Client configuration
Questions and discussion are welcome.
Building an HTTPS server with nginx and openssl on Linux; a Subversion HTTPS server. For other problems, search Baidu directly; there is plenty of related material.
Add the following to the nginx configuration; the reason for adding it is explained in the Tomcat configuration below.
- proxy_set_header x-real-ip $remote_addr;
- proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
- proxy_set_header x-forwarded-host $server_addr;
- proxy_set_header x-forwarded-port $server_port;
- proxy_set_header x-forwarded-proto https;
WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml
<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" c:casCookieValueManager-ref="cookieValueManager" p:cookieSecure="true" p:cookieMaxAge="-1" p:cookieName="TGC" p:cookiePath=""/>
<bean id="proxyAuthenticationHandler" class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:requireSecure="false" p:httpClient-ref="supportsTrustStoreSslSocketFactoryHttpClient" />
The client configuration is mainly web.xml; just change the relevant addresses. However, do not change casServerUrlPrefix in SingleSignOutFilter and Cas20ProxyReceivingTicketValidationFilter, because the CAS server and the application server sit on the intranet, where traffic is plain http and no https endpoint exists, so they cannot be reached over https. If the certificate is placed on Tomcat instead, this setting also needs to change.
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>com.ym.system.filter.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://test.com/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>casServerLogoutUrl</param-name>
    <param-value>https://test.com/cas/logout</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>test.com</param-value>
  </init-param>
  <init-param>
    <param-name>ignorePattern</param-name>
    <param-value>^.*[.](js|css|gif|png|zip)$</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>http://test.com/cas</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>http://127.0.0.1:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>test.com</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>acceptAnyProxy</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>useSession</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>encoding</param-name>
    <param-value>utf-8</param-value>
  </init-param>
</filter>
That is all for the client and server configuration.
- In the architecture above, the application server cannot see the details of the external request, so we have to handle this on the load balancer (LBS); that is the nginx parameter mentioned earlier. The parameter alone is not enough, though: Tomcat must be configured as well.
- Add RemoteIpValve to Tomcat's server.xml. Its purpose is to read the information carried in the proxy's headers when a proxy is in front, so that Tomcat sees the correct request address and scheme and nothing gets confused.
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />
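As an added illustration (not the page's or Tomcat's own code), here is a simplified Python model of the RemoteIpValve trust decision: the forwarded headers are honoured only when the connection comes from an internal proxy such as the nginx on 127.0.0.1, which is why the valve and the nginx headers together give Tomcat the correct client address and https scheme, while a client connecting directly cannot claim either.

```python
"""Simplified model of Tomcat's RemoteIpValve as configured on this page
(remoteIpHeader="x-forwarded-for", protocolHeader="x-forwarded-proto").
Added illustration, not Tomcat's source: trustedProxies and the
remoteIpProxiesHeader output are omitted; defaults otherwise follow the valve."""
import ipaddress

# Default internalProxies: private, loopback and link-local ranges. Only a
# connection arriving from one of these may rewrite the request via headers.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "::1/128")]
HTTP_PORT, HTTPS_PORT = 80, 443          # httpServerPort / httpsServerPort defaults


def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_PROXIES)


def apply_remote_ip_valve(remote_addr, headers, scheme="http", port=8080):
    """Return the request attributes the webapp (and the CAS client) observes.

    headers: dict keyed by lower-cased header name, as nginx sends them.
    """
    view = {"remote_addr": remote_addr, "scheme": scheme,
            "secure": scheme == "https", "port": port, "x_forwarded_for": None}
    if not is_internal(remote_addr):
        # Direct client or unknown proxy: headers are untrusted and ignored,
        # so a client cannot spoof its source address or claim https.
        return view
    # Walk X-Forwarded-For right to left; the first hop that is not one of
    # our own proxies is the real client, anything left of it stays in XFF.
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")
            if h.strip()]
    while hops:
        view["remote_addr"] = hops.pop()
        if not is_internal(view["remote_addr"]):
            break
    view["x_forwarded_for"] = ", ".join(hops) or None
    # protocolHeader: the proxy states the original scheme, so CAS redirects
    # and the TGC cookie (cookieSecure="true") are built for https/443.
    proto = headers.get("x-forwarded-proto")
    if proto is not None:
        if proto.lower() == "https":
            view.update(scheme="https", secure=True, port=HTTPS_PORT)
        else:
            view.update(scheme="http", secure=False, port=HTTP_PORT)
    return view
```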
nginx configuration example
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status<$sent_http_location> $body_bytes_sent "$http_referer" '
                    '"$http_x_forwarded_for"';
    access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;

    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;

        location / {
            root html;
            index index.html index.htm;
            autoindex on;              # show directory listing
            autoindex_exact_size on;   # show file sizes
            autoindex_localtime on;    # show file times
        }
        location /cas {
            proxy_pass http://127.0.0.1:8443;
        }
        location /ym1 {
            proxy_set_header Host $host;
            proxy_set_header Referer $http_referer;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-FORWARDED-HOST $server_addr;
            proxy_set_header X-FORWARDED-PORT $server_port;
            proxy_set_header x-forwarded-proto http;
            proxy_pass http://127.0.0.1:8080;
        }
        location /ym2 {
            proxy_set_header Host $host;
            proxy_set_header Referer $http_referer;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-FORWARDED-HOST $server_addr;
            proxy_set_header X-FORWARDED-PORT $server_port;
            proxy_set_header x-forwarded-proto http;
            proxy_pass http://127.0.0.1:8081;
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    # HTTPS server
    #
    server {
        listen 443;
        server_name localhost;
        ssl on;
        ssl_certificate test.crt;
        ssl_certificate_key test_nopass.key;
        # ssl_session_timeout 5m;
        # ssl_session_cache shared:SSL:1m;
        # Note: SSLv2 and SSLv3 are obsolete and current nginx/OpenSSL builds
        # no longer accept them; this list is the author's original setting.
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;

        location / {
            root html;
            index index.html index.htm;
            autoindex on;              # show directory listing
            autoindex_exact_size on;   # show file sizes
            autoindex_localtime on;    # show file times
        }
        location /cas {
            proxy_pass http://127.0.0.1:8443;
        }
        location /ym1 {
            proxy_set_header Host $host;
            proxy_set_header Referer $http_referer;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header x-real-ip $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header x-forwarded-host $server_addr;
            proxy_set_header x-forwarded-port $server_port;
            proxy_set_header x-forwarded-proto https;
            proxy_pass http://127.0.0.1:8080;
        }
        location /ym2 {
            proxy_set_header Host $host;
            proxy_set_header Referer $http_referer;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header x-real-ip $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header x-forwarded-host $server_addr;
            proxy_set_header x-forwarded-port $server_port;
            proxy_set_header x-forwarded-proto https;
            proxy_pass http://127.0.0.1:8081;
        }
    }
}
Related sites:
- Handling X-FORWARDED-PROTO in java apache-tomcat
- Tomcat RemoteIpValve API
- Tomcat architecture analysis (the Valve mechanism)