search

nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki
Other
209 stars 27 forks source link

FastCGI Shibboleth responder should only be used for Shibboleth protocol requests - question #39

Closed danielc103 closed 4 years ago

danielc103 commented 4 years ago

Description the bug

Error : FastCGI Shibboleth responder should only be used for Shibboleth protocol requests. Receiving above error on port 8443 with SSL configured. This instance sits inside OpenShift.

Expected behaviour

No fastcgi error

Setup & Logs

please note on earlier issue I fat fingered fake values to protect info, I apologize. I was more careful this time around

shibboleth2.xml

   <!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
    <RequestMapper type="XML">
        <RequestMap applicationId="default"
                    authType="shibboleth">
            <Host scheme="https" name="testdevguide.edu" port="8443"
                  requireSession="true">
                  <Path name="/secure"></Path>
            </Host>
        </RequestMap>
    </RequestMapper>

    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
    <ApplicationDefaults entityID="https://testdevguide.edu/shibboleth"
                         REMOTE_USER="eppn"
                         id="default"
                         policyId="default"
                         signing="true"
                         encryption="true">

        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                handlerURL="https://testdevguide.edu/Shibboleth.sso" handlerSSL="true"
                redirectLimit="host+whitelist" redirectWhitelist="https://shib.edu/"
                exportLocation="http://localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
                idpHistory="false" idpHistoryDays="7" cookieProps="https">
server {
    listen 8443 ssl;

    ssl_certificate /etc/ssl/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/nginx-selfsigned.key;

    # server_name is important because it is used by shibboleth for generating SAML URLs
    # Using the catch-all '_' will NOT work.
    server_name testdevguide.edu;

    # FastCGI authorizer for Auth Request module
    location = /shibauthorizer {
        internal;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/shibauthorizer.sock;
    }

    # FastCGI responder
    location /Shibboleth.sso {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/shibresponder.sock;
    }

    # Resources for the Shibboleth error pages. This can be customised.
    location /shibboleth-sp {
        alias /etc/shibboleth/;
    }

    location /secure {

            more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';

            more_clear_input_headers 'displayName' 'mail' 'persistent-id';
            shib_request /shibauthorizer;

            root   /usr/share/nginx/html;
            index  index.html index.htm;
    }
}

logs

[debug] 24#0: *1 http client request body preread 7903
[debug] 24#0: *1 http request body content length filter
[debug] 24#0: *1 http body new buf t:1 f:0 000055DB3D51B711, pos 000055DB3D51B711, size: 7903 file: 0, size: 0
[debug] 24#0: *1 malloc: 000055DB3D4C1020:5049
[debug] 24#0: *1 http read client request body
[debug] 24#0: *1 SSL_read: 5049
[debug] 24#0: *1 http client request body recv 5049
[debug] 24#0: *1 http body new buf t:1 f:0 000055DB3D4C1020, pos 000055DB3D4C1020, size: 5049 file: 0, size: 0
[debug] 24#0: *1 http client request body rest 0
[debug] 24#0: *1 http init upstream, client timer: 0
[debug] 24#0: *1 posix_memalign: 000055DB3D5174A0:4096 @16
[debug] 24#0: *1 http script copy: "QUERY_STRING"
[debug] 24#0: *1 fastcgi param: "QUERY_STRING: "
[debug] 24#0: *1 http script copy: "REQUEST_METHOD"
[debug] 24#0: *1 http script var: "POST"
[debug] 24#0: *1 fastcgi param: "REQUEST_METHOD: POST"
[debug] 24#0: *1 http script copy: "CONTENT_TYPE"
[debug] 24#0: *1 http script var: "application/x-www-form-urlencoded"
[debug] 24#0: *1 fastcgi param: "CONTENT_TYPE: application/x-www-form-urlencoded"
[debug] 24#0: *1 http script copy: "CONTENT_LENGTH"
[debug] 24#0: *1 http script var: "12952"
[debug] 24#0: *1 fastcgi param: "CONTENT_LENGTH: 12952"
[debug] 24#0: *1 http script copy: "SCRIPT_NAME"
[debug] 24#0: *1 http script var: "/Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 fastcgi param: "SCRIPT_NAME: /Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 http script copy: "REQUEST_URI"
[debug] 24#0: *1 http script var: "/Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 fastcgi param: "REQUEST_URI: /Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 http script copy: "DOCUMENT_URI"
[debug] 24#0: *1 http script var: "/Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 fastcgi param: "DOCUMENT_URI: /Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 http script copy: "DOCUMENT_ROOT"
[debug] 24#0: *1 http script var: "/etc/nginx/html"
[debug] 24#0: *1 fastcgi param: "DOCUMENT_ROOT: /etc/nginx/html"
[debug] 24#0: *1 http script copy: "SERVER_PROTOCOL"
[debug] 24#0: *1 http script var: "HTTP/1.1"
[debug] 24#0: *1 fastcgi param: "SERVER_PROTOCOL: HTTP/1.1"
[debug] 24#0: *1 http script copy: "REQUEST_SCHEME"
[debug] 24#0: *1 http script var: "https"
[debug] 24#0: *1 fastcgi param: "REQUEST_SCHEME: https"
[debug] 24#0: *1 http script copy: "HTTPS"
[debug] 24#0: *1 http script var: "on"
[debug] 24#0: *1 fastcgi param: "HTTPS: on"
[debug] 24#0: *1 http script copy: "GATEWAY_INTERFACE"
[debug] 24#0: *1 http script copy: "CGI/1.1"
[debug] 24#0: *1 fastcgi param: "GATEWAY_INTERFACE: CGI/1.1"
[debug] 24#0: *1 http script copy: "SERVER_SOFTWARE"
[debug] 24#0: *1 http script copy: "nginx/"
[debug] 24#0: *1 http script var: "1.16.0"
[debug] 24#0: *1 fastcgi param: "SERVER_SOFTWARE: nginx/1.16.0"
[debug] 24#0: *1 http script copy: "REMOTE_ADDR"
[debug] 24#0: *1 http script var: "10.131.10.1"
[debug] 24#0: *1 fastcgi param: "REMOTE_ADDR: 10.131.10.1"
[debug] 24#0: *1 http script copy: "REMOTE_PORT"
[debug] 24#0: *1 http script var: "37924"
[debug] 24#0: *1 fastcgi param: "REMOTE_PORT: 37924"
[debug] 24#0: *1 http script copy: "SERVER_ADDR"
[debug] 24#0: *1 http script var: "10.129.10.87"
[debug] 24#0: *1 fastcgi param: "SERVER_ADDR: 10.129.10.87"
[debug] 24#0: *1 http script copy: "SERVER_PORT"
[debug] 24#0: *1 http script var: "8443"
[debug] 24#0: *1 fastcgi param: "SERVER_PORT: 8443"
[debug] 24#0: *1 http script copy: "SERVER_NAME"
[debug] 24#0: *1 http script var: "testdevguide.edu"
[debug] 24#0: *1 fastcgi param: "SERVER_NAME: testdevguide.edu"
[debug] 24#0: *1 http script copy: "REDIRECT_STATUS"
[debug] 24#0: *1 http script copy: "200"
[debug] 24#0: *1 fastcgi param: "REDIRECT_STATUS: 200"
[debug] 24#0: *1 fastcgi param: "HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0"
[debug] 24#0: *1 fastcgi param: "HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
[debug] 24#0: *1 fastcgi param: "HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.5"
[debug] 24#0: *1 fastcgi param: "HTTP_ACCEPT_ENCODING: gzip, deflate, br"
[debug] 24#0: *1 fastcgi param: "HTTP_REFERER: https://shib.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=jZLLUsIwFIZfpZM9TW9YyFBmEBYyg9Kh1YUbJzQHmjEkNSdFfXvLRcGN4zr%2FJf83Z4R8pxo2aV2tV%2FDWAjrvY6c0suNDRlqrmeEokWm%2BA2SuYsXkfsEiP2CNNc5URhFvggjWSaOnRmO7A1uA3csKHleLjNTONcgodV24gP22lQJ8UzW%2BqMEX7Sv4IFpa1HK9Ngpc7SMaeiiJaL4sSuLNOqPU%2FJB%2FScNO7xvpLglSNLT70kYqONtXIKSFytGiWBJvPsvISxwn%2FaRKNn0epcDTIE3jQbpJkjAEEQ8EdDLEFuYaHdcuI1EQDnvBsBcFZXjDwj5L0mfi5eflt1ILqbd%2FY1qfRMjuyjLvnSY9gcXjnE5AxqMDbHYstlf4%2F47l38zJ%2BH%2BE8YfwiF4Vntob9tA1zGe5UbL69CZKmfepBe4gIyGh45Pl96WMvwA%3D&RelayState=https%3A%2F%2Ftestdevguide.edu%3A8443%2Fsecure "
[debug] 24#0: *1 fastcgi param: "HTTP_CONTENT_TYPE: application/x-www-form-urlencoded"
[debug] 24#0: *1 fastcgi param: "HTTP_CONTENT_LENGTH: 12952"
[debug] 24#0: *1 fastcgi param: "HTTP_COOKIE: _ga=GA1.2.1399869529.1558006746"
[debug] 24#0: *1 fastcgi param: "HTTP_UPGRADE_INSECURE_REQUESTS: 1"
[debug] 24#0: *1 fastcgi param: "HTTP_HOST: testdevguide.edu"
[debug] 24#0: *1 fastcgi param: "HTTP_X_FORWARDED_HOST: testdevguide.edu"
[debug] 24#0: *1 fastcgi param: "HTTP_X_FORWARDED_PORT: 443"
[debug] 24#0: *1 fastcgi param: "HTTP_X_FORWARDED_PROTO: https"
[debug] 24#0: *1 fastcgi param: "HTTP_FORWARDED: for=10.18.248.34;host=testdevguide.edu;proto=https;proto-version="
[debug] 24#0: *1 fastcgi param: "HTTP_X_FORWARDED_FOR: 10.18.248.34"
[debug] 24#0: *1 http cleanup add: 000055DB3D4C8BB8
[debug] 24#0: *1 get rr peer, try: 1
[debug] 24#0: *1 stream socket 11
[debug] 24#0: *1 epoll add connection: fd:11 ev:80002005
[debug] 24#0: *1 connect to unix:/tmp/shibresponder.sock, fd:11 #3
[debug] 24#0: *1 connected
[debug] 24#0: *1 http upstream connect: 0
[debug] 24#0: *1 posix_memalign: 000055DB3D4C0660:128 @16
[debug] 24#0: *1 http upstream send request
[debug] 24#0: *1 http upstream send request body
[debug] 24#0: *1 chain writer buf fl:0 s:1848
[debug] 24#0: *1 chain writer buf fl:0 s:7903
[debug] 24#0: *1 chain writer buf fl:0 s:9
[debug] 24#0: *1 chain writer buf fl:0 s:5049
[debug] 24#0: *1 chain writer buf fl:0 s:15
[debug] 24#0: *1 chain writer in: 000055DB3D4C8C48
[debug] 24#0: *1 writev: 14824 of 14824
[debug] 24#0: *1 chain writer out: 0000000000000000
[debug] 24#0: *1 event timer add: 11: 60000:11670453755
[debug] 24#0: *1 http finalize request: -4, "/Shibboleth.sso/SAML2/POST?" a:1, c:2
[debug] 24#0: *1 http request count:2 blk:0
[debug] 24#0: *1 http run request: "/Shibboleth.sso/SAML2/POST?"
[debug] 24#0: *1 http upstream check client, write event:1, "/Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 http upstream request: "/Shibboleth.sso/SAML2/POST?"
[debug] 24#0: *1 http upstream dummy handler
10.131.10.1 - - [20/Sep/2019:16:15:47 +0000] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 500 119 "https://shib.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=jZLLUsIwFIZfpZM9TW9YyFBmEBYyg9Kh1YUbJzQHmjEkNSdFfXvLRcGN4zr%2FJf83Z4R8pxo2aV2tV%2FDWAjrvY6c0suNDRlqrmeEokWm%2BA2SuYsXkfsEiP2CNNc5URhFvggjWSaOnRmO7A1uA3csKHleLjNTONcgodV24gP22lQJ8UzW%2BqMEX7Sv4IFpa1HK9Ngpc7SMaeiiJaL4sSuLNOqPU%2FJB%2FScNO7xvpLglSNLT70kYqONtXIKSFytGiWBJvPsvISxwn%2FaRKNn0epcDTIE3jQbpJkjAEEQ8EdDLEFuYaHdcuI1EQDnvBsBcFZXjDwj5L0mfi5eflt1ILqbd%2FY1qfRMjuyjLvnSY9gcXjnE5AxqMDbHYstlf4%2F47l38zJ%2BH%2BE8YfwiF4Vntob9tA1zGe5UbL69CZKmfepBe4gIyGh45Pl96WMvwA%3D&RelayState=https%3A%2F%2Ftestdevguide.edu%3A8443%2Fsecure " "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0"
[debug] 24#0: *1 http upstream request: "/Shibboleth.sso/SAML2/POST?"
[debug] 24#0: *1 http upstream process header
[debug] 24#0: *1 malloc: 000055DB3D5184B0:4096
[debug] 24#0: *1 recv: eof:1, avail:1
[debug] 24#0: *1 recv: fd:11 248 of 4096
[debug] 24#0: *1 http fastcgi record length: 44
[error] 24#0: *1 FastCGI sent in stderr: "shib: doHandler failed to handle the request" while reading response header from upstream, client: 10.131.10.1, server: testdevguide.edu, request: "POST /Shibboleth.sso/SAML2/POST HTTP/1.1", upstream: "fastcgi://unix:/tmp/shibresponder.sock:", host: "testdevguide.edu", referrer: "https://shib.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=jZLLUsIwFIZfpZM9TW9YyFBmEBYyg9Kh1YUbJzQHmjEkNSdFfXvLRcGN4zr%2FJf83Z4R8pxo2aV2tV%2FDWAjrvY6c0suNDRlqrmeEokWm%2BA2SuYsXkfsEiP2CNNc5URhFvggjWSaOnRmO7A1uA3csKHleLjNTONcgodV24gP22lQJ8UzW%2BqMEX7Sv4IFpa1HK9Ngpc7SMaeiiJaL4sSuLNOqPU%2FJB%2FScNO7xvpLglSNLT70kYqONtXIKSFytGiWBJvPsvISxwn%2FaRKNn0epcDTIE3jQbpJkjAEEQ8EdDLEFuYaHdcuI1EQDnvBsBcFZXjDwj5L0mfi5eflt1ILqbd%2FY1qfRMjuyjLvnSY9gcXjnE5AxqMDbHYstlf4%2F47l38zJ%2BH%2BE8YfwiF4Vntob9tA1zGe5UbL69CZKmfepBe4gIyGh45Pl96WMvwA%3D&RelayState=https%3A%2F%2Ftestdevguide.edu%3A8443%2Fsecure "
[error] 24#0: *1 FastCGI sent in stderr: "
" while reading response header from upstream, client: 10.131.10.1, server: testdevguide.edu, request: "POST /Shibboleth.sso/SAML2/POST HTTP/1.1", upstream: "fastcgi://unix:/tmp/shibresponder.sock:", host: "testdevguide.edu", referrer: "https://shib.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=jZLLUsIwFIZfpZM9TW9YyFBmEBYyg9Kh1YUbJzQHmjEkNSdFfXvLRcGN4zr%2FJf83Z4R8pxo2aV2tV%2FDWAjrvY6c0suNDRlqrmeEokWm%2BA2SuYsXkfsEiP2CNNc5URhFvggjWSaOnRmO7A1uA3csKHleLjNTONcgodV24gP22lQJ8UzW%2BqMEX7Sv4IFpa1HK9Ngpc7SMaeiiJaL4sSuLNOqPU%2FJB%2FScNO7xvpLglSNLT70kYqONtXIKSFytGiWBJvPsvISxwn%2FaRKNn0epcDTIE3jQbpJkjAEEQ8EdDLEFuYaHdcuI1EQDnvBsBcFZXjDwj5L0mfi5eflt1ILqbd%2FY1qfRMjuyjLvnSY9gcXjnE5AxqMDbHYstlf4%2F47l38zJ%2BH%2BE8YfwiF4Vntob9tA1zGe5UbL69CZKmfepBe4gIyGh45Pl96WMvwA%3D&RelayState=https%3A%2F%2Ftestdevguide.edu%3A8443%2Fsecure "
[debug] 24#0: *1 http fastcgi parser: 0
[debug] 24#0: *1 http fastcgi header: "Status: 500 Server Error"
[debug] 24#0: *1 http fastcgi parser: 1
[debug] 24#0: *1 http fastcgi header done
[debug] 24#0: *1 HTTP/1.1 500 Server Error
Server: nginx/1.16.0
Date: Fri, 20 Sep 2019 16:15:47 GMT
Transfer-Encoding: chunked

Versions and Systems

$ nginx -v
nginx version: nginx/1.16.0
$ shibd -v
shibboleth 3.0.4

Additional context

Port 8443 just allows access and not take me to the login screen unless ssl is configured and port 8080 takes me to the login screen but throws the "FastCGI Shibboleth responder should only be used for Shibboleth protocol requests."

I needed to add an absolute handlerURL because I can not expose ports on Openshift routes and Shibboleth config generates the ACS from scheme+vhost+port. This would fail was there is no way to reach this generated redirect. However once I hard coded the handlerURL the ACS gets through.

I assumed the issue at this point was that the handerlURL was https so it was expecting a secure connection, and after reading the issues regarding the above mentioned Shibboleth error, I changed the port to 8443 and implemented SSL on that port to no avail.

I've read through issues

22

25

38

And combed through the mailing list for some mention of cloud deployment and proxy issues that might have resolution. If they are there I've failed miserably at finding them.

If you need more logs or questions on what I've tried (I think everything!) Please ask. Any help is greatly appreciated.

vguaglione commented 4 years ago

I have the same issue. Also looking for assistance.

davidjb commented 4 years ago

@danielc103 What does your fastcgi_params file look like? Given the response you're seeing from shibresponder (which corresponds to line 365 in the source, it appears as though something's up with the request before it reaches this point (eg incorrect FastCGI request environment).

If you try loading other /Shibboleth.sso/* URLs, like /Shibboleth.sso/Login do you see the same 500 error and response?

You can also try overriding the server name, scheme and port via shell-level environment variables (details) -- worth a try to see if that makes a difference for you as a temporary solution.

danielc103 commented 4 years ago

I'm not setting any extra/different fastcgi_params in nginx block.

I am getting the same 500 error and response on my all /Shibboleth.sso/* calls. The login will originally take me to my login page, but then returns after login to 500 error. 

[debug] 24#0: *1 http script copy: "QUERY_STRING"
[debug] 24#0: *1 fastcgi param: "QUERY_STRING: "
[debug] 24#0: *1 http script copy: "REQUEST_METHOD"
[debug] 24#0: *1 http script var: "POST"
[debug] 24#0: *1 fastcgi param: "REQUEST_METHOD: POST"
[debug] 24#0: *1 http script copy: "CONTENT_TYPE"
[debug] 24#0: *1 http script var: "application/x-www-form-urlencoded"
[debug] 24#0: *1 fastcgi param: "CONTENT_TYPE: application/x-www-form-urlencoded"
[debug] 24#0: *1 http script copy: "CONTENT_LENGTH"
[debug] 24#0: *1 http script var: "12955"
[debug] 24#0: *1 fastcgi param: "CONTENT_LENGTH: 12955"
[debug] 24#0: *1 http script copy: "SCRIPT_NAME"
[debug] 24#0: *1 http script var: "/Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 fastcgi param: "SCRIPT_NAME: /Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 http script copy: "REQUEST_URI"
[debug] 24#0: *1 http script var: "/Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 fastcgi param: "REQUEST_URI: /Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 http script copy: "DOCUMENT_URI"
[debug] 24#0: *1 http script var: "/Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 fastcgi param: "DOCUMENT_URI: /Shibboleth.sso/SAML2/POST"
[debug] 24#0: *1 http script copy: "DOCUMENT_ROOT"
[debug] 24#0: *1 http script var: "/etc/nginx/html"
[debug] 24#0: *1 fastcgi param: "DOCUMENT_ROOT: /etc/nginx/html"
[debug] 24#0: *1 http script copy: "SERVER_PROTOCOL"
[debug] 24#0: *1 http script var: "HTTP/1.1"
[debug] 24#0: *1 fastcgi param: "SERVER_PROTOCOL: HTTP/1.1"
[debug] 24#0: *1 http script copy: "REQUEST_SCHEME"
[debug] 24#0: *1 http script var: "https"
[debug] 24#0: *1 fastcgi param: "REQUEST_SCHEME: https"
[debug] 24#0: *1 http script copy: "HTTPS"
[debug] 24#0: *1 http script var: "on"
[debug] 24#0: *1 fastcgi param: "HTTPS: on"
[debug] 24#0: *1 http script copy: "GATEWAY_INTERFACE"
[debug] 24#0: *1 http script copy: "CGI/1.1"
[debug] 24#0: *1 fastcgi param: "GATEWAY_INTERFACE: CGI/1.1"
[debug] 24#0: *1 http script copy: "SERVER_SOFTWARE"
[debug] 24#0: *1 http script copy: "nginx/"
[debug] 24#0: *1 http script var: "1.16.0"
[debug] 24#0: *1 fastcgi param: "SERVER_SOFTWARE: nginx/1.16.0"
[debug] 24#0: *1 http script copy: "REMOTE_ADDR"
[debug] 24#0: *1 http script var: "10.130.4.1"
[debug] 24#0: *1 fastcgi param: "REMOTE_ADDR: 10.130.4.1"
[debug] 24#0: *1 http script copy: "REMOTE_PORT"
[debug] 24#0: *1 http script var: "48920"
[debug] 24#0: *1 fastcgi param: "REMOTE_PORT: 48920"
[debug] 24#0: *1 http script copy: "SERVER_ADDR"
[debug] 24#0: *1 http script var: "10.129.11.34"
[debug] 24#0: *1 fastcgi param: "SERVER_ADDR: 10.129.11.34"
[debug] 24#0: *1 http script copy: "SERVER_PORT"
[debug] 24#0: *1 http script var: "8443"
[debug] 24#0: *1 fastcgi param: "SERVER_PORT: 8443"
[debug] 24#0: *1 http script copy: "SERVER_NAME"
[debug] 24#0: *1 http script var: "testdevguide.edu"
[debug] 24#0: *1 fastcgi param: "SERVER_NAME: testdevguide.edu"
[debug] 24#0: *1 http script copy: "REDIRECT_STATUS"
[debug] 24#0: *1 http script copy: "200"
[debug] 24#0: *1 fastcgi param: "REDIRECT_STATUS: 200"
[debug] 24#0: *1 fastcgi param: "HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0"
[debug] 24#0: *1 fastcgi param: "HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
[debug] 24#0: *1 fastcgi param: "HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.5"
[debug] 24#0: *1 fastcgi param: "HTTP_ACCEPT_ENCODING: gzip, deflate, br"
[debug] 24#0: *1 fastcgi param: "HTTP_CONTENT_TYPE: application/x-www-form-urlencoded"
[debug] 24#0: *1 fastcgi param: "HTTP_CONTENT_LENGTH: 12955"
[debug] 24#0: *1 fastcgi param: "HTTP_REFERER: https://shib.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fexqjez4kJDWamY4KmSa7wCZEyyf3a1Y6AesscYZYWrizRDBOmX03Ghsd2BzsHsl4GGzSkjlXIOMUteFS9hvWyXBN6LxZQW%2BbF%2FBB9nSvFJlaWpwlY9o6KEkpNk6L4i36IxK80P%2BJQ07vW%2BUuyQo2dDuSy%2BqhrN9A1JZEI7m%2BZp4y0VCngWXUSljMQknMIqAB%2FE4iEejYcSH45Hgw06G2MJSo%2BPaJSQM%2BnEviHthVPQHbBCx4eCJeNl5%2BY3SUunt35jKkwjZbVFkvdOkR7B4nNMJSDo9wGbHYnuF%2F%2B9Y%2Fs2cpP8jjD%2BEp%2FSq8NTesPuuYbnITK3Epzera%2FM%2Bt8AdJKRPaHqy%2FL6U9As%3D&RelayState=https%3A%2F%2Ftestdevguide.edu%3A8443%2Fsecure%2F "
[debug] 24#0: *1 fastcgi param: "HTTP_COOKIE: _ga=GA1.2.1399869529.1558006746; 641aa2fc9369a48a37f43f2c5cddba1e=275677e718c4f473a3bc994d92485e40"
[debug] 24#0: *1 fastcgi param: "HTTP_UPGRADE_INSECURE_REQUESTS: 1"
[debug] 24#0: *1 fastcgi param: "HTTP_HOST: testdevguide.edu"
[debug] 24#0: *1 fastcgi param: "HTTP_X_FORWARDED_HOST: testdevguide.edu"
[debug] 24#0: *1 fastcgi param: "HTTP_X_FORWARDED_PORT: 443"
[debug] 24#0: *1 fastcgi param: "HTTP_X_FORWARDED_PROTO: https"
[debug] 24#0: *1 fastcgi param: "HTTP_FORWARDED: for=10.18.248.34;host=testdevguide.edu;proto=https;proto-version="
[debug] 24#0: *1 fastcgi param: "HTTP_X_FORWARDED_FOR: 10.18.248.34"

Tried overriding server name with env variables. Got the same response. 

$ printenv | grep SHIB
SHIBSP_SERVER_PORT=8443
SHIBSP_SERVER_NAME=testdevguide.edu
SHIBBOLETH_RESPONDER_PATH=/Shibboleth.sso
SHIBSP_SERVER_SCHEME=https
davidjb commented 4 years ago

Check your handlerURL in your shibboleth config:

    handlerURL="https://testdevguide.edu/Shibboleth.sso"

This is set as using port 443 but you're using port 8443 so the responder is bailing on incoming requests because their port doesn't what it is configured to handle. Try setting it like so:

   handlerURL="https://testdevguide.edu:8443/Shibboleth.sso"

(or set it as relative /Shibboleth.sso since your hostname/port are the same as this absolute URL)

Also, ensure that you fully restart shibd, shibauthorizer and shibresponder whenever you make a change to your shib configuration; they each hold the config in memory so need to be restarted as a group.

danielc103 commented 4 years ago

I think this is where the problem lies then.

I'm deploying in OpenShift and can not expose that port directly. It must come in through a route(ingress). In this case it is https://testdevguide.edu and must be port 443. Then a HA Proxy redirects that traffic to my service inside the cluster, port 8443 on my pod. So when my Shibboleth ACS redirects to the generated url from the <Host> tag it would fail with the added port number.

I found that you could hard code the handlerURL and the ACS generated from that hit the correct route. I thought all was well. So the next question would be how to redirect through the HA Proxy (if possible).

All services get restarted on each code change, I'm just redeploying entire image in OpenShift.

davidjb commented 4 years ago

In that case, you can tell the FastCGI applications that 443 is the port that requests are coming in on (even though Nginx is listening 8443) via:

fastcgi_param  SERVER_PORT        443;

You could set that in your fastcgi_params file so it applies globally or just to the individual location blocks.

Make sure your shib configuration's <RequestMapper> configuration uses the same port 443 and you should be good to go. The FastCGI apps will operate as if none the wiser about the use of 8443 to host Nginx.

danielc103 commented 4 years ago

That worked - for the most part! I'm getting a weird 301 response hitting the /secure location, it's immediately redirecting to port 8443 port for some odd reason. Once I remove that, it goes through and Shib flow works. It looks like this is an OpenShift issue at the moment as it's not hitting nginx at all with the 301.

Thanks a ton for helping out @davidjb !

davidjb commented 4 years ago

@danielc103 Goodo, glad to know your config is sorted. I added a few corresponding notes about these types of symptoms to the project docs.