By: Mark Diender Account Admin 02 Feb 2017 at 5:19 a.m. CST

5 Responses
We have a Gluu installation configured behind a Kemp Loadbalancer, which is configured as non-transparent. Now the _idp_session cookie contains the IP address of the loadbalancer encoded as base64 in its data. As we don't want our internal IP addresses leaking out, is there any possible solution to this problem that does not require any reconfiguration of the network? The loadbalancer is adding the X-Forwarded-For header, which is working fine when checking the logs. Could I use this header instead for the IP address in the _idp_session cookie? Or can I configure it to something static, for instance the hostname of the loadbalancer?
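A quick way to confirm the leak described above from the defender's side is to base64-decode the cookie and look for RFC 1918 (or loopback/link-local) addresses in the result. The example below is added here and is not Gluu's or Shibboleth's code; the pipe-separated field layout and the sample values are constructed assumptions, so it only scans the decoded text for address literals rather than relying on that layout.

```python
import base64
import ipaddress
import re

# Dotted-quad IPv4 literals in the decoded cookie text (not preceded/followed by more digits or dots).
_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def decode_idp_session(cookie_value):
    """Base64-decode an _idp_session cookie value into text, tolerating stripped padding."""
    padded = cookie_value + "=" * (-len(cookie_value) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


def leaked_private_addresses(cookie_value):
    """Return the private, loopback or link-local IPv4 literals embedded in the cookie."""
    text = decode_idp_session(cookie_value)
    found = []
    for match in _IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(match)
        except ValueError:
            continue  # e.g. "999.1.1.1" matches the regex but is not a valid address
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            found.append(str(addr))
    return found


# Constructed samples: a fake session id, an address, and a fake signature joined with '|'.
# The real cookie layout is an assumption; only the base64 wrapping is taken from the thread.
SAMPLE_LEAKING = base64.b64encode(b"_a1b2c3d4e5f6|10.0.0.12|0123456789abcdef").decode()
SAMPLE_CLEAN = base64.b64encode(b"_a1b2c3d4e5f6|1.2.3.4|0123456789abcdef").decode()  # placeholder public address

if __name__ == "__main__":
    for label, cookie in (("leaking", SAMPLE_LEAKING), ("clean", SAMPLE_CLEAN)):
        print(label, leaked_private_addresses(cookie))
```

Run it against a cookie copied from a real browser session (with the real value, not the constructed samples) to see whether the load balancer's internal address is what ends up in the cookie.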

By Aliaksandr Samuseu staff 02 Feb 2017 at 10:10 a.m. CST

Hi, Mark. Seems like this behaviour is hardcoded into Shibboleth IdP. Here is where it gets its value: [link](https://git.shibboleth.net/view/?p=java-shib-idp2.git;a=blob;f=src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java;h=02cfcf69e86f0b200bf66e3387f3b9254eac00f0;hb=HEAD#l817) Gluu uses it as it is, with slight changes added by patches needed to integrate it into the suite. So you would need to change the source code of this `AuthenticationEngine.java` class, recompile it, then update it in the `shibboleth-identityprovider-2.4.5.jar` which is part of `idp.war` in `/opt/idp/war/` inside the container.

By Aliaksandr Samuseu staff 02 Feb 2017 at 10:14 a.m. CST

You should be careful with versions in the process, though. I'm not sure that the source I referenced is exactly the same version as the IdP your Gluu instance uses.

By Aliaksandr Samuseu staff 03 Feb 2017 at 5:37 a.m. CST

Hi, Mark. Was that information useful? Do you intend to follow this path? Though it's already beyond the limits of Community support and you'll have to experiment with it on your own, it would be useful for other users if you share your experience and list the issues you encountered in case of success.

By Mark Diender Account Admin 06 Feb 2017 at 1:19 a.m. CST

Hello Aliaksandr, Thank you for your answer. Unfortunately, as I am not proficient at coding in Java, I'm not comfortable altering a (soon-to-be) production environment. If there's no other option we'll be safer altering our network so Gluu will receive the original client IP. Thanks again for your answer. Kind Regards,

By Aliaksandr Samuseu staff 06 Feb 2017 at 8:41 a.m. CST

From the look of this code it doesn't seem like a controllable behaviour. Still, you could try asking on Shibboleth-related forums, if you wish. Unfortunately, such in-depth modifications of 3rd party components are beyond the limits of free Community support, so we won't be able to help you with it further than that. I'm closing the ticket now.