Redirecting to HTTPS with IDP

Hi @rabkesov,
Is this solution OK when Nginx and the CUBA Tomcat run on different servers? Will the REST API work fine?

Consider that I run the SP on http://ipxxxx:8080/app and use Nginx to direct https://mydomain.com to that SP.

When I log out from https://mydomain.com, CUBA seems to automatically use webAppUrl:port/app/dispatch/idpc/logout to log out, then goes to the IDP login page; then, when I log in again, the IDP directs me to the SP URL http://ipxxxx:8080/app, not https://mydomain.com.

How to resolve this issue?

Hi,

If you do not provide a redirect URL for the IDP login form, it always redirects to the first service provider in the cuba.idp.serviceProviderUrls property. See com.haulmont.idp.controllers.IdpController#authenticate.

Hi Yuriy,
My point is that the IDP redirects to the HTTP URL; I need it to redirect to the HTTPS URL, which is redirected by Nginx.

I guess the IDP redirects to webAppUrl/dispatch/idpc/logout when I log out, not to https://mydomain.com/dispatch/idpc/logout.
If I run Tomcat on ip:port, can I set webAppUrl to https://mydomain rather than http://ip:port/app?

Meanwhile, does this solution ("have Nginx proxy to manage HTTPS requests") work when Nginx and the CUBA Tomcat run on different servers? Will the REST API work fine?

You need to use HTTPS URLs in all the configuration properties, and that's it. We have no hard-coded URLs in the source code; you only need to configure them.

It should; you'd better just test it in your configuration. Unfortunately, no one knows how you configure your servers.

Thanks Yuriy.

So how should cuba.webPort be configured in this case? For example, Tomcat runs on HTTP port 8090, but the Nginx HTTPS port is 443. I am not sure what CUBA uses this parameter for, so I don't know how to configure it.

And should cuba.connectionUrlList be configured with HTTPS, or will HTTP be enough?

It is only an internal port used to identify the server. It is not used in any external links, so you need to set it to the real port of the Tomcat instance. As for cuba.connectionUrlList, you do not need HTTPS between the web and core servers if they are deployed on the same server or if you use an isolated virtual network for your cluster.

Understood, will try this.

Hi Yuriy,
We face one problem while trying to set up HTTPS for the IDP server.
The problem is about configuring cuba.web.idp.baseUrl: when I set it to the HTTP URL, access over HTTPS is OK, but when I configure it to the HTTPS URL, it seems to enter an endless loop while redirecting to the IDP login form. Could you help check, please? Below are my configurations:

cuba.connectionUrlList = http://${cdp.host}:${server.port}/${cdp.project.id}-core

cuba.web.idp.baseUrl = https://${domain.url}/idp/

cuba.restApiUrl = https://${domain.url}/api
cuba.webAppUrl = https://${domain.url}/
cuba.webPort = ${server.port}

##domain.url is "testu.iccloudy.com"
cuba.idp.serviceProviderLogoutUrls=http://101.201.100.68:10001/ucenter/dispatch/idpc/logout, https://testu.iccloudy.com/dispatch/idpc/logout
cuba.idp.serviceProviderUrls=http://101.201.100.68:10001/ucenter/, https://testu.iccloudy.com/
cuba.idp.serviceProviderUrlMasks=http://101.201.100.68:10001/ucenter/.*, https://testu.iccloudy.com/.*

The Nginx configuration is:

server {
    listen 443;

    server_name testu.iccloudy.com;
    ssl on;
    ssl_certificate /root/sslforfree/full_chain.pem;
    ssl_certificate_key /root/sslforfree/private.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP          $remote_addr;

        proxy_read_timeout     3600;
        proxy_connect_timeout  240;
        proxy_http_version      1.1;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass http://101.201.100.68:10001/ucenter/;

        proxy_cookie_path   /ucenter /;
        proxy_set_header Cookie $http_cookie;
        proxy_redirect http://101.201.100.68:10001/ucenter https://testu.iccloudy.com;
    }
}

I tried adding an /idp location to Nginx; still the same error:

    location /idp/ {

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP          $remote_addr;

        proxy_read_timeout     3600;
        proxy_connect_timeout  240;
        proxy_http_version      1.1;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://101.201.100.68:10001/ucenter/idp/;

        proxy_set_header Cookie $http_cookie;
    }
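To make Yuriy's point about the default redirect target (first entry of cuba.idp.serviceProviderUrls) and the property set quoted in this post concrete, here is an added Python model. It is not CUBA's code and does not reproduce com.haulmont.idp.controllers.IdpController; the redirect rule, the mask check and the configuration checks are assumptions written here to show why the ordering and scheme of the list properties matter. The property values are constructed copies of the ones shown in this thread.

```python
import re
from typing import Optional, Sequence

# Constructed copies of the comma-separated list properties quoted in this thread.
# The http entry comes first, exactly as in the poster's configuration.
SERVICE_PROVIDER_URLS = "http://101.201.100.68:10001/ucenter/, https://testu.iccloudy.com/"
SERVICE_PROVIDER_URL_MASKS = "http://101.201.100.68:10001/ucenter/.*, https://testu.iccloudy.com/.*"
SERVICE_PROVIDER_LOGOUT_URLS = (
    "http://101.201.100.68:10001/ucenter/dispatch/idpc/logout, "
    "https://testu.iccloudy.com/dispatch/idpc/logout"
)

# Public-facing properties from the same post. Only these are expected to be HTTPS;
# cuba.connectionUrlList (web -> core, internal network) is deliberately left out.
PUBLIC_URL_PROPERTIES = {
    "cuba.web.idp.baseUrl": "https://testu.iccloudy.com/idp/",
    "cuba.restApiUrl": "https://testu.iccloudy.com/api",
    "cuba.webAppUrl": "https://testu.iccloudy.com/",
}


def parse_list_property(value: str) -> list:
    """Split a comma-separated list property into trimmed, non-empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def resolve_redirect(requested: Optional[str], urls: Sequence[str], masks: Sequence[str]) -> str:
    """Simplified model of the IDP's post-login redirect choice (assumption, not CUBA's code).

    No requested URL -> first service provider URL, as stated in the thread. A requested
    URL is followed only if it fully matches one of the configured masks; anything that
    matches no mask falls back to the first service provider instead of being followed.
    """
    if not requested:
        return urls[0]
    for mask in masks:
        if re.fullmatch(mask, requested):
            return requested
    return urls[0]


def non_https(urls: Sequence[str]) -> list:
    """Entries that are not https://, so a mixed list is visible before deployment."""
    return [u for u in urls if not u.lower().startswith("https://")]


def prefer_https(urls: Sequence[str]) -> list:
    """Stable reorder that puts https:// entries first, so the default redirect is HTTPS."""
    return sorted(urls, key=lambda u: 0 if u.lower().startswith("https://") else 1)


def check_configuration(urls, masks, logout_urls, public_props) -> list:
    """Return human-readable findings for the property set; an empty list means consistent."""
    findings = []
    if non_https([urls[0]]):
        findings.append(f"first serviceProviderUrl is not HTTPS: {urls[0]} (default redirect target)")
    for prop, value in public_props.items():
        if non_https([value]):
            findings.append(f"{prop} is not HTTPS: {value}")
    for sp in urls:
        if not any(re.fullmatch(m, sp) for m in masks):
            findings.append(f"serviceProviderUrl not covered by any mask: {sp}")
    for lo in logout_urls:
        if not any(re.fullmatch(m, lo) for m in masks):
            findings.append(f"logout URL not covered by any mask: {lo}")
    return findings


if __name__ == "__main__":
    urls = parse_list_property(SERVICE_PROVIDER_URLS)
    masks = parse_list_property(SERVICE_PROVIDER_URL_MASKS)
    logouts = parse_list_property(SERVICE_PROVIDER_LOGOUT_URLS)
    print("default redirect:", resolve_redirect(None, urls, masks))
    print("after reordering:", resolve_redirect(None, prefer_https(urls), masks))
    print("unmatched request:", resolve_redirect("https://evil.example/", urls, masks))
    for finding in check_configuration(urls, masks, logouts, PUBLIC_URL_PROPERTIES):
        print("finding:", finding)
```

Run as is, the script reports the one inconsistency visible in the quoted properties: the first serviceProviderUrls entry is the plain-HTTP Tomcat address, so a login without an explicit redirect URL lands on HTTP. Moving the HTTPS entry to the front (prefer_https) clears the finding, and a redirect request that matches no mask is sent to the first service provider rather than followed.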

The only thing to know about cuba.web.idp.baseUrl is that it must be accessible both for server-to-server communication with the SP and from the public network, as it is used in redirects. So, if you use internal IPs (which is usually bad practice anyway), you have to map cuba.web.idp.baseUrl to the same server as the public mapping.

Sorry, it takes so much time that I will not be able to reproduce your scenario. I'd strongly recommend that you set up the same configuration on test servers and debug your authentication flow thoroughly.

Hi Yuriy,
I never mentioned that I use internal IPs. Several times you have misunderstood my points and replied based on the misunderstanding :joy:. Maybe I should apologize for my English, but never mind; let me try, and I will let you know the results. Thanks for your help and quick replies, as always.