使用 mod_auth_mellon 将 HTTPS 转换为 HTTP SAML SSO

使用 mod_auth_mellon 将 HTTPS 转换为 HTTP SAML SSO

我有一个简单的 HTTPS 到 HTTP 反向代理,使用 Apache HTTPD(CentOS)

我已经为 SAML SSO 启用了 mod_auth_mellon,如果我有一个没有任何虚拟主机的简单 http 代理,它可以正常工作。

当我启用 HTTPS 和虚拟主机时,Mellon 身份验证不起作用。首先,它没有带我进入 Okta 登录页面。

我可以看到,HTTPS -> Http 在没有 SAML SSO 的情况下可以正常工作,但是如果我启用 SAML,它就无法工作。

HTTPD 配置:

<VirtualHost example.test.io:80>
    Redirect permanent / https://example.test.io:443
</VirtualHost>

<VirtualHost example.test.io:443>

    ServerName example.test.io

    SSLEngine on

    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    #ServerAdmin [email protected]

    ProxyRequests Off
    ProxyPreserveHost On

    #RewriteEngine on
    #RewriteRule ^/content/([^/]+)/(.*) /repository/$2 [R=301,L]

    MellonCacheSize 100
    MellonLockFile "/run/mod_auth_mellon/lock"
    MellonPostTTL 900
    MellonPostSize 1048576
    MellonPostCount 100

    <Location />
        Require valid-user
        AuthType "Mellon"
        MellonVariable "cookie"
        MellonSecureCookie On
        MellonCookiePath /
        MellonUser "NAME_ID"
        MellonProbeDiscoveryTimeout 30
        #MellonDiscoveryURL

        MellonEnable "auth"
        MellonEndpointPath "/sso"
        MellonSPPrivateKeyFile /etc/httpd/mellon/https__okta.key
        MellonSPCertFile /etc/httpd/mellon/https__okta.cert
        MellonSPMetadataFile /etc/httpd/mellon/https__okta.xml
        MellonIdPMetadataFile /etc/httpd/mellon/https-idp-metadata.xml

        #RequestHeader set Authorization "Basic xxx"
        RequestHeader set X-Forwarded-Proto "http"
        ProxyPass http://app.com:8081/
        ProxyPassReverse http://app.com:8081/
    </Location>

    ErrorLog /var/log/httpd/app_error.log
    CustomLog /var/log/httpd/app_access.log common

</VirtualHost>

我猜想它转到了错误的应用程序 URL 位置,然后抛出 404 错误。

有什么想法吗?

相关内容