I am trying to get a shibboleth set up working in a docker container behind a proxy.
Currently I am able to get redirected to the shibboleth idp page where I can enter my login details and shibboleth will authenticate me. It is failing with a 404 when it attempts to redirect back to: https://my-service.org/Shibboleth.sso/SAML2/POST
I can't tell if this is an apache issue or something with the shibboleth config.
There is a server with apache and docker running on it. The apache here is proxying traffic to the docker containers running on the same server. I have dns point a domain name to the proxy. Lets call it "my-service.org". The apache proxy config for my-service.org is as follows:
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerName my-service.org
ServerAdmin devs@blah.org
DocumentRoot /var/www/html/my-service
Redirect permanent / https://my-service.org/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost _default_:443>
ServerName my-service.org
ServerAdmin devs@blah.org
DocumentRoot /var/www/html/my-service
ErrorLog ${APACHE_LOG_DIR}/docker-dev/my-service.log
CustomLog ${APACHE_LOG_DIR}/docker-dev/my-service_ssl_access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/blah.crt
SSLCertificateKeyFile /etc/ssl/private/blah.key
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLProtocol All -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder on
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
RequestHeader set X-Forwarded-SSL expr=%{HTTPS}
ProxyPass / http://127.0.0.1:8088/
ProxyPassReverse / http://127.0.0.1:8088/
</VirtualHost>
</IfModule>
The 'my-service' container is based on the 'php:7-apache-buster' container and is running apache with shibd. It is part of a docker-compose stack. The apache config of the container is:
<VirtualHost *:80>
ServerAdmin me@blah.org
DocumentRoot /var/www/html/my-service
<Directory /var/www/html/my-service/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order deny,allow
Allow from all
</Directory>
<Location "/shibboleth_login.php">
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibUseHeaders On
require valid-user
</Location>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Like I said everything is working up until the point of redirection back from the shibboleth idp to the SP, where it 404s. The logs are not telling me much but there is an error log when I load the containers apache config:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.6. Set the 'ServerName' directive globally to suppress this message
I am not sure if this would have an affect of the situation.
One thing I thought may have an affect is the fact that I have shibboleth set to handle SSL:
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https">
But my container apache config only defines a HTTP virtual host block. As you can see the proxy passes the protocol to the container via the X-Forwarded-Proto
and X-Forwarded-SSL
headers. I needed those for the 'my-service' php app but not sure if they have an affect on shibboleth. The initial interaction with the idp works fine, its just the redirection back that doesn't work.