
Re: [jetty-users] Terminate SSL at load balancer, not working

We are not Shibboleth support. Have you tried contacting their support channels, or using the shibboleth tag on stackoverflow.com or serverfault.com?

The fact that the directory says "embedded/jetty-base/" means that it's likely NOT using the jetty-distribution, and the configuration you are doing isn't being applied like you think it is.  You'll need to understand, intimately, how Shibboleth configures itself, then you can configure it according to its techniques.


Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Jun 23, 2016 at 1:08 PM, Ryan Suarez <ryan.suarez@xxxxxxxxxxxxxxxxxx> wrote:
Greetings,

I’m installing Shib IdP v3.2.1 on Ubuntu 14.04 with Jetty v9.3.9.  This will be behind load balancers, F5 BIG-IP v11.5.3.  SSL will be terminated at the load balancer, i.e.:
Client —(https:443)—> F5 —(http:8080)—> IdP

I’m getting this error:

2016-06-22 08:31:53,704 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200] - Message Handler:  SAML message intended destination endpoint 'https://myidp.mydomain.ca/idp/profile/SAML2/Redirect/SSO' did not match the recipient endpoint 'http://myidp.mydomain.ca/idp/profile/SAML2/Redirect/SSO'


I’ve added the required configuration to offload TLS and the load balancer is inserting X-Forwarded-For (<client IP>) and X-Forwarded-Proto (https), but I’m still getting the error.  I’m new to Jetty.  Can someone point me in the right direction?


This is my shibboleth-identity-provider-3.2.1/embedded/jetty-base/etc/jetty.xml:

    <!-- HTTP configuration shared by the connector below.  The ForwardedRequestCustomizer
         is what makes Jetty honour X-Forwarded-Proto / X-Forwarded-For sent by the F5. -->
    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      <Set name="secureScheme">https</Set>
      <Set name="securePort"><Property name="jetty.secure.port" default="443" /></Set>
      <Set name="outputBufferSize"><Property name="jetty.output.buffer.size" default="32768" /></Set>
      <Set name="requestHeaderSize"><Property name="jetty.request.header.size" default="8192" /></Set>
      <Set name="responseHeaderSize"><Property name="jetty.response.header.size" default="8192" /></Set>
      <Set name="sendServerVersion"><Property name="jetty.send.server.version" default="true" /></Set>
      <Set name="sendDateHeader"><Property name="jetty.send.date.header" default="false" /></Set>
      <Set name="headerCacheSize">512</Set>
      <Call name="addCustomizer">
        <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
      </Call>
    </New>

    <!-- Plain-HTTP connector for traffic arriving from the load balancer. -->
    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.server.ServerConnector">
          <Arg name="server"><Ref refid="Server" /></Arg>
          <Arg name="factories">
            <Array type="org.eclipse.jetty.server.ConnectionFactory">
              <Item>
                <!-- ProxyConnectionFactory expects the HAProxy PROXY protocol header at the
                     start of each connection; it does not read X-Forwarded-* headers. -->
                <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
              </Item>
              <Item>
                <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                  <Arg name="config"><Ref refid="httpConfig" /></Arg>
                </New>
              </Item>
            </Array>
          </Arg>
          <!-- Binds to localhost unless jetty.nonhttps.host is overridden. -->
          <Set name="host"><Property name="jetty.nonhttps.host" default="localhost" /></Set>
          <Set name="port"><Property name="jetty.nonhttps.port" default="8080" /></Set>
          <Set name="idleTimeout"><Property name="http.timeout" default="30000" /></Set>
          <Set name="soLingerTime"><Property name="http.soLingerTime" default="-1"/></Set>
        </New>
      </Arg>
    </Call>


Regards,
Ryan

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
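As an added example, not code from this thread or from the Shibboleth or Jetty projects, here is the same connector setup in embedded Jetty 9.3 with a throwaway servlet that echoes the scheme, client address and reconstructed URL the container sees after the ForwardedRequestCustomizer has run. The class and servlet names are assumed, and it assumes jetty-server and jetty-servlet 9.3.x on the classpath.

```java
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Hypothetical class name; not part of Jetty or the Shibboleth IdP.
public class ForwardedSchemeCheck {

    /** Reports what the container believes about the request after customizers have run. */
    static class EchoServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().printf("scheme=%s secure=%s remote=%s url=%s%n",
                    req.getScheme(), req.isSecure(), req.getRemoteAddr(), req.getRequestURL());
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSecureScheme("https");
        httpConfig.setSecurePort(443);
        // Honour X-Forwarded-Proto / X-Forwarded-For / X-Forwarded-Host from the load balancer.
        // The headers are trusted as-is, so this connector must be reachable only from the F5.
        httpConfig.addCustomizer(new ForwardedRequestCustomizer());

        // Plain-HTTP connector the F5 forwards to. No ProxyConnectionFactory here: that
        // factory expects the PROXY protocol prefix on each connection, which header-based
        // forwarding does not send.
        ServerConnector http = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        http.setHost("127.0.0.1");  // local curl test; in production bind the LB-facing interface
        http.setPort(8080);
        server.addConnector(http);

        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        ctx.setContextPath("/");
        ctx.addServlet(new ServletHolder(new EchoServlet()), "/idp/*");
        server.setHandler(ctx);

        server.start();
        server.join();
    }
}
```

Requesting `curl -H 'Host: myidp.mydomain.ca' -H 'X-Forwarded-Proto: https' http://127.0.0.1:8080/idp/profile/SAML2/Redirect/SSO` with and without the X-Forwarded-Proto header shows whether the container reconstructs the https form of the endpoint that ReceivedEndpointSecurityHandler compares against the SAML message's destination.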

