cas与NGINX整合(转)
Posted LUPENG
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了cas与NGINX整合(转)相关的知识,希望对你有一定的参考价值。
http://www.cnblogs.com/richaaaard/p/5053108.html
tomcat版本: tomcat-8.0.29
jdk版本: jdk1.8.0_65
nginx版本: nginx-1.9.8
cas版本: cas4.1.2
cas-client-3.4.1
参考来源:
https://github.com/Jasig/java-cas-client
CAS (1) —— Mac下配置CAS到Tomcat(服务端)
CAS (2) —— Mac下配置CAS到Tomcat(客户端)
CAS (3) —— Mac下配置CAS客户端经代理访问Tomcat CAS
Mac为nginx安装nginx-sticky-module
【高可用HA】Nginx (1) —— Mac下配置Nginx Http负载均衡(Load Balancer)之101实例
Nginx (2) —— Mac下配置Apache Httpd的Https/SSL (待出)
目标架构
此代理非彼代理
在CAS官方网站上给出了一个“Proxy Web Flow Diagram”:
顺序图:(来源于http://jasig.github.io/cas/4.0.x/protocol/CAS-Protocol.html)
这个方案主要适用一种场景:
有两个应用App1和App2,它们都是受Cas Server保护的,即请求它们时都需要通过Cas Server的认证。现需要在App1中通过Http请求访问App2,显然该请求将会被App2配置的Cas的AuthenticationFilter拦截并转向Cas Server,Cas Server将引导用户进行登录认证,这样我们也就不能真正的访问到App2了。针对这种应用场景,Cas也提供了对应的支持。通过Proxy访问其它Cas应用
无论是用中文关键字在“度娘”,还是用英文关键字再“谷哥”上搜索,多数文章都是描述上面这样一个场景。
而我这里介绍的“代理”,并非是上述场景——依靠代理去验证ticket,“代理”在此的角色是:
- 只做分发反向代理(未来的负载均衡器)
* 注意:所以说“此代理非彼代理”
准备
要搭建上面这个环境会相对复杂,我们需要参照之前的文章准备以下必备的组件或环境:
-
2个Tomcat服务器作为客户端应用程序服务器(即cas的客户端)
app1.hoau.com:8081/8413(http/https) app2.hoau.com:8082/8423(http/https)
-
1个配置好SSL的Nginx服务器作为中间层代理转发服务器(后可扩展为LoadBalancer)
proxy.sso.hoau.com:85/443(http/https)
-
另一个1个带有SSL的Tomcat服务器作为CAS服务器
sso.hoau.com:8083/8433(http/https)
关键配置
-
代理服务器(Nginx x 1)
nginx.conf-
http
server:
server { listen 85; server_name proxy.sso.hoau.com; location / { #index index.html index.htm; #设置主机头和客户端真实地址,以便服务器获取客户端真实IP proxy_set_header Host $host; proxy_set_header Referer $http_referer; proxy_set_header Cookie $http_cookie; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_redirect off; #禁用缓存 #proxy_buffering off; proxy_connect_timeout 3; proxy_send_timeout 30; proxy_read_timeout 30; proxy_pass http://cas_server_http; }
upstream:
upstream cas_server_http { #根据ip计算将请求分配各那个后端tomcat,许多人误认为可以解决session问题,其实并不能。 #同一机器在多网情况下,路由切换,ip可能不同 #ip_hash; #sticky; #Richard: http server localhost:8083 weight=1 srun_id=c; #server localhost:8084 weight=1 srun_id=c; jvm_route $cookie_JSESSIONID|sessionid reverse; }
*注意:
(1)以上的“jvm_route $cookie_JSESSIONID|sessionid reverse;”是关键配置,因为CAS是依赖于Session和Cookie进行身份验证的。
(2)srun_id=c,其中“c”需要与CAS服务器Tomcat server.xml文件里的jvmRoute配置“
<Engine name="Catalina" defaultHost="localhost" jvmRoute="c">”
-
https
server:
server { listen 443; server_name proxy.sso.hoau.com; ssl on; ssl_certificate /Users/Richard/Documents/Dev/servers/cluster/nginx/keys/server.crt; ssl_certificate_key /Users/Richard/Documents/Dev/servers/cluster/nginx/keys/server.key; ssl_session_timeout 5m; ssl_protocols SSLv3 TLSv1; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; location / { proxy_redirect off; proxy_set_header Host $host; proxy_set_header Referer $http_referer; proxy_set_header Cookie $http_cookie; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-FORWARDED-HOST $server_addr; proxy_set_header X-FORWARDED-PORT $server_port; proxy_connect_timeout 3; proxy_send_timeout 30; proxy_read_timeout 30; proxy_pass https://cas_server_ssl; } }
*注意:以上的ssl为关键配置“ssl_certificate”和“ssl_certificate_key”需要指向正确的证书和密钥。
upstream:
upstream cas_server_ssl { #Richard: https todo server sso.hoau.com:8433 weight=1 srun_id=c; #server sso.hoau.com:8443 weight=1 srun_id=c; jvm_route $cookie_JSESSIONID|sessionid reverse; }
-
*注意:以上http和https可以只配一项,或两者兼存皆可,端口不要冲突。
-
CAS客户端应用服务器(Tomcat x 2)
以下客户端的蓝本可以在github上收到(关键字:“cas-sample-java-webapp”),我这里只贴出自己的关键点和修改后的结果。
CAS客户端的应用服务器有两台,如果不使用Spring Security的集成,比较关键配置就只有pom.xml(编译)和web.xml(部署):
-
两个环境编译类似,pom.xml(贴全了,有无冗余请自行解决):
*注意:以下Spring Security相关依赖为非必须
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>iamlabs.unicon.net</groupId> <artifactId>cas-sample-java-webapp</artifactId> <version>0.0.1-SNAPSHOT</version> <packaging>war</packaging> <name>CAS Example Java Web App</name> <description>A sample web application that exercises the CAS protocol features via the Java CAS Client.</description> <build> <finalName>cas-sample-java-webapp</finalName> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> <version>2.5.1</version> <configuration> <source>1.7</source> <target>1.7</target> </configuration> </plugin> </plugins> </build> <properties> <spring.version>3.2.4.RELEASE</spring.version> <casclient.version>3.4.1</casclient.version> </properties> <dependencies> <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <version>1.1.1</version> </dependency> <!-- Logging --> <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-api</artifactId> <version>1.7.13</version> </dependency> <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-simple</artifactId> <version>1.7.13</version> </dependency> <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> <version>1.7.13</version> </dependency> <dependency> <groupId>org.opensaml</groupId> <artifactId>opensaml1</artifactId> <version>1.1</version> </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.1.0</version> <scope>provided</scope> </dependency> <dependency> <groupId>org.jasig.cas.client</groupId> <artifactId>cas-client-core</artifactId> <version>${casclient.version}</version> <exclusions> <exclusion> <groupId>javax.servlet</groupId> <artifactId>servlet-api</artifactId> </exclusion> </exclusions> </dependency> <dependency> <groupId>org.jasig.cas.client</groupId> <artifactId>cas-client-integration-tomcat-common</artifactId> <version>${casclient.version}</version> </dependency> <dependency> <
-