
I have Apache/Shibboleth serving requests to a reverse proxy and directly to web clients. When a request comes through the proxy I extract the original IP address and attempt to send it to Shibboleth. However, this does not appear to be working correctly. It still gives me an error that the IP address doesn't match the one used when authenticated with the IdP.

I have the following Location block in my Apache config. I know that REMOTE_ADDR is at least getting sent to shibd, since when I set it to X-Forwarded-For the error includes the entire chain of proxy IPs, but the following doesn't work and just shows the last proxy's IP address as not matching the authed IP.

<Location />
    # Any request carrying X-Forwarded-For is suspect unless it came from the proxy itself
    SetEnvIf X-FORWARDED-FOR "^.+$" DenyRequest
    # XXX.XXX.XXX.XXX is the proxy's address; only requests from it may carry the header
    SetEnvIf Remote_Addr "^XXX\.XXX\.XXX\.XXX$" !DenyRequest
    Order allow,deny
    Deny from env=DenyRequest
    Allow from all
    # Default to the TCP peer address; override with the first X-Forwarded-For entry when present
    SetEnvIf Remote_Addr "^(.+)$" RealAddress=$1
    SetEnvIf X-Forwarded-For "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*" RealAddress=$1
    # Expose the chosen address as a request header for the Shibboleth SP to read
    RequestHeader set X-RealAddress %{RealAddress}e
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Tell the SP to take the client address from that header instead of the connection
    ShibRequestSetting REMOTE_ADDR X-RealAddress
    Require user
</Location>
Argothian
  • Could you clarify what isn't working? And which environment variables are for which proxies? If you only have 1 proxy, `ShibRequestSetting REMOTE_ADDR X-RealAddress` should be all you need. If you only have one proxy, what's with `X-RealAddress`, `X-Forwarded-For`, and `Remote_Addr`? You shouldn't need to set anything. – Martin Nov 28 '14 at 16:06
  • There's only one proxy but not all traffic gets routed through the proxy. Some traffic hits apache directly. So I can't trust X-Forwarded-For since it could be spoofed. What's not working is that while the X-RealAddress header is set correctly Shibboleth doesn't use it. – Argothian Dec 01 '14 at 17:55
  • If you're configuring the SP to use X-RealAddress, and you are *sure* it is being passed to Tomcat/Jetty (Apache likes to filter these things), then you probably need to seek support from the shibboleth-users listserv. I'd recommend installing a JSP page that dumps all headers, and be sure it's actually available first, though. – Martin Dec 04 '14 at 03:21

0 Answers
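The trust decision the SetEnvIf chain in the question is trying to express, written out as an added example (not code from the question, from Apache or from the Shibboleth SP); it assumes the constructed address 10.0.0.5 as a stand-in for the single proxy. It goes one step further than the config: it reads the X-Forwarded-For chain from the right, so a client cannot pre-seed the leftmost entry on its way through the proxy.

```python
import ipaddress
from typing import Iterable, Optional


class UntrustedForwardedHeader(Exception):
    """X-Forwarded-For arrived on a connection that is not from a trusted proxy."""


def real_client_address(remote_addr: str, x_forwarded_for: Optional[str],
                        trusted_proxies: Iterable[str]) -> str:
    """Return the address the SP should compare against the IdP session.

    - No X-Forwarded-For: the TCP peer is the client (direct traffic).
    - X-Forwarded-For from a peer that is not a trusted proxy: forged, reject.
    - X-Forwarded-For from a trusted proxy: walk the chain from the RIGHT and
      return the first hop that is not one of our proxies. The question's regex
      takes the leftmost entry, which is whatever the end client itself sent to
      the proxy and is therefore just as forgeable as on a direct connection.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = ipaddress.ip_address(remote_addr)

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    if not (x_forwarded_for and x_forwarded_for.strip()):
        return str(peer)
    if not is_trusted(peer):
        raise UntrustedForwardedHeader(f"X-Forwarded-For from non-proxy peer {peer}")
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            raise UntrustedForwardedHeader(f"malformed X-Forwarded-For hop {hop!r}")
        if not is_trusted(addr):
            return str(addr)
    # Every hop was one of our own proxies: fall back to the connecting peer.
    return str(peer)


def env_for_request(remote_addr, x_forwarded_for, trusted_proxies) -> dict:
    """Same decision expressed as the DenyRequest/RealAddress env vars the config sets."""
    try:
        return {"DenyRequest": False,
                "RealAddress": real_client_address(remote_addr, x_forwarded_for, trusted_proxies)}
    except UntrustedForwardedHeader:
        return {"DenyRequest": True, "RealAddress": None}


if __name__ == "__main__":
    # Constructed sample requests; 10.0.0.5 is the assumed trusted proxy.
    for peer, xff in [("198.51.100.7", None), ("10.0.0.5", "203.0.113.9"),
                      ("10.0.0.5", "192.0.2.66, 203.0.113.9"),  # leading hop pre-seeded by client
                      ("198.51.100.7", "203.0.113.9")]:         # header sent on a direct connection
        print(peer, xff, "->", env_for_request(peer, xff, ["10.0.0.5"]))
```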