Try to reverse-proxy vsphere webclient with ApacheProtocol switching with reverse proxy and application server with static linksVmware credential errors with zabbix checkApache reverse proxy location based access control not workingApache Reverse Proxy with Wildfly?Apache - puma reverse proxy failingBasic auth Apache with TomcatWhat is wrong with my nginx reverse proxy configuration, with single server (and more later)Setting up an Apache forward proxy with 2-way SSL with certificate CN check failsApache reverse proxy with ssl not workingOffice365 SSO with JumpCloud SAML
I probably found a bug with the sudo apt install function
Can a German sentence have two subjects?
A function which translates a sentence to title-case
Validation accuracy vs Testing accuracy
Is it possible to do 50 km distance without any previous training?
Possibly bubble sort algorithm
I see my dog run
Circuitry of TV splitters
How much RAM could one put in a typical 80386 setup?
Can an x86 CPU running in real mode be considered to be basically an 8086 CPU?
Are there any consumables that function as addictive (psychedelic) drugs?
Why doesn't Newton's third law mean a person bounces back to where they started when they hit the ground?
Why is the design of haulage companies so “special”?
What would happen to a modern skyscraper if it rains micro blackholes?
Draw simple lines in Inkscape
Is there a familial term for apples and pears?
Why is this code 6.5x slower with optimizations enabled?
How is it possible for user's password to be changed after storage was encrypted? (on OS X, Android)
When blogging recipes, how can I support both readers who want the narrative/journey and ones who want the printer-friendly recipe?
Set-theoretical foundations of Mathematics with only bounded quantifiers
Accidentally leaked the solution to an assignment, what to do now? (I'm the prof)
What Brexit solution does the DUP want?
Why are 150k or 200k jobs considered good when there are 300k+ births a month?
How long does it take to type this?
Try to reverse-proxy vsphere webclient with Apache
Protocol switching with reverse proxy and application server with static linksVmware credential errors with zabbix checkApache reverse proxy location based access control not workingApache Reverse Proxy with Wildfly?Apache - puma reverse proxy failingBasic auth Apache with TomcatWhat is wrong with my nginx reverse proxy configuration, with single server (and more later)Setting up an Apache forward proxy with 2-way SSL with certificate CN check failsApache reverse proxy with ssl not workingOffice365 SSO with JumpCloud SAML
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
We want to protect our VMWare vsphere 6.5 web client with an already existing & working Apache 2.4 reverse proxy (benefits e.g. centralised monitoring, mod_security et.al.)
Both communications client <--> proxy, and proxy <--> backend (= vsphere) must be be TLS secured. Certificates are in place and ok.
DNS is configured accordingly.
Clients can already access the vsphere start page via proxy successfully e.g. https:// vsphere.domain.tld/
Firefox' network analyses shows that all request are fine and accepted, e.g.
302 GET /vsphere-client/ [FQDN] document html
until /vsphere-client/UI.swf
But as soon as a user clicks on the link "vSphere Web Client (Flash)" in order to authenticate and enter the menues, a status code 400 is thrown. The "vSphere Web Client (Flash)" link directs to /vsphere-client/ and obviously invokes a SAML request.
400 GET https://vsphere.domain.tld/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVRba9sw[...] [FQDN] subdocument
vsphere sso log shows:
tomcat-http--38 ERROR org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder] SAML message intended destination endpoint 'https://vsphere-internal.domain.tld/websso/SAML2/SSO/vsphere.local' did not match the recipient endpoint 'https://vsphere.domain.tld/websso/SAML2/SSO/vsphere.local'
Virtual host conf on Apache reverse proxy so far (excerpt) :
SSLProxyEngine on
ProxyPreserveHost on
ProxyRequests off
ProxyPass / https://vsphere.domain.tld/
ProxyPassReverse / https://vsphere.domain.tld/
ProxyPass /vsphere-client https://vsphere.domain.tld/vsphere-client/
ProxyPassReverse /vsphere-client https://vsphere.domain.tld/vsphere-client/
ProxyPass /websso/SAML2/SSO https://vsphere.domain.tld/websso/SAML2/SSO/
ProxyPassReverse /websso/SAML2/SSO https://vsphere.domain.tld/websso/SAML2/SSO/
# new, to solve the name binding problem (see 1st answer)
RequestHeader set Host "vsphere-internal.domain.tld"
With the last "RequestHeader" addendum - which in effect just reverses the PreserveHost option - I am now able to see the vsphere login page, and to log in, but the page then stucks again:
tomcat-http--10 ERROR com.vmware.identity.BaseSsoController] Could not parse tenant request java.lang.IllegalStateException: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint
Any proposals how to get the full page?
apache-2.4 reverse-proxy vmware-vsphere saml
asked Jul 3 '17 at 9:25
MarkHelmsMarkHelms
10612
add a comment |
We want to protect our VMWare vsphere 6.5 web client with an already existing & working Apache 2.4 reverse proxy (benefits e.g. centralised monitoring, mod_security et.al.)
Both communications client <--> proxy, and proxy <--> backend (= vsphere) must be be TLS secured. Certificates are in place and ok.
DNS is configured accordingly.
Clients can already access the vsphere start page via proxy successfully e.g. https:// vsphere.domain.tld/
Firefox' network analyses shows that all request are fine and accepted, e.g.
302 GET /vsphere-client/ [FQDN] document html
until /vsphere-client/UI.swf
But as soon as a user clicks on the link "vSphere Web Client (Flash)" in order to authenticate and enter the menues, a status code 400 is thrown. The "vSphere Web Client (Flash)" link directs to /vsphere-client/ and obviously invokes a SAML request.
400 GET https://vsphere.domain.tld/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVRba9sw[...] [FQDN] subdocument
vsphere sso log shows:
tomcat-http--38 ERROR org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder] SAML message intended destination endpoint 'https://vsphere-internal.domain.tld/websso/SAML2/SSO/vsphere.local' did not match the recipient endpoint 'https://vsphere.domain.tld/websso/SAML2/SSO/vsphere.local'
Virtual host conf on Apache reverse proxy so far (excerpt) :
SSLProxyEngine on
ProxyPreserveHost on
ProxyRequests off
ProxyPass / https://vsphere.domain.tld/
ProxyPassReverse / https://vsphere.domain.tld/
ProxyPass /vsphere-client https://vsphere.domain.tld/vsphere-client/
ProxyPassReverse /vsphere-client https://vsphere.domain.tld/vsphere-client/
ProxyPass /websso/SAML2/SSO https://vsphere.domain.tld/websso/SAML2/SSO/
ProxyPassReverse /websso/SAML2/SSO https://vsphere.domain.tld/websso/SAML2/SSO/
# new, to solve the name binding problem (see 1st answer)
RequestHeader set Host "vsphere-internal.domain.tld"
With the last "RequestHeader" addendum - which in effect just reverses the PreserveHost option - I am now able to see the vsphere login page, and to log in, but the page then stucks again:
tomcat-http--10 ERROR com.vmware.identity.BaseSsoController] Could not parse tenant request java.lang.IllegalStateException: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint
Any proposals how to get the full page?
apache-2.4 reverse-proxy vmware-vsphere saml
asked Jul 3 '17 at 9:25
MarkHelmsMarkHelms
10612
Youl would get some more help if you could print verbatim access and error log messages. 400 is a malformed request, this could be a more strict checking of requests in recent versions of httpd. Also, which version are you using?
– ezra-s
Jul 4 '17 at 7:34
@ezra-s Did add additional infos.
– MarkHelms
Jul 4 '17 at 9:52
add a comment |
We want to protect our VMWare vsphere 6.5 web client with an already existing & working Apache 2.4 reverse proxy (benefits e.g. centralised monitoring, mod_security et.al.)
Both communications client <--> proxy, and proxy <--> backend (= vsphere) must be be TLS secured. Certificates are in place and ok.
DNS is configured accordingly.
Clients can already access the vsphere start page via proxy successfully e.g. https:// vsphere.domain.tld/
Firefox' network analyses shows that all request are fine and accepted, e.g.
302 GET /vsphere-client/ [FQDN] document html
until /vsphere-client/UI.swf
But as soon as a user clicks on the link "vSphere Web Client (Flash)" in order to authenticate and enter the menues, a status code 400 is thrown. The "vSphere Web Client (Flash)" link directs to /vsphere-client/ and obviously invokes a SAML request.
400 GET https://vsphere.domain.tld/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVRba9sw[...] [FQDN] subdocument
vsphere sso log shows:
tomcat-http--38 ERROR org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder] SAML message intended destination endpoint 'https://vsphere-internal.domain.tld/websso/SAML2/SSO/vsphere.local' did not match the recipient endpoint 'https://vsphere.domain.tld/websso/SAML2/SSO/vsphere.local'
Virtual host conf on Apache reverse proxy so far (excerpt) :
SSLProxyEngine on
ProxyPreserveHost on
ProxyRequests off
ProxyPass / https://vsphere.domain.tld/
ProxyPassReverse / https://vsphere.domain.tld/
ProxyPass /vsphere-client https://vsphere.domain.tld/vsphere-client/
ProxyPassReverse /vsphere-client https://vsphere.domain.tld/vsphere-client/
ProxyPass /websso/SAML2/SSO https://vsphere.domain.tld/websso/SAML2/SSO/
ProxyPassReverse /websso/SAML2/SSO https://vsphere.domain.tld/websso/SAML2/SSO/
# new, to solve the name binding problem (see 1st answer)
RequestHeader set Host "vsphere-internal.domain.tld"
With the last "RequestHeader" addendum - which in effect just reverses the PreserveHost option - I am now able to see the vsphere login page, and to log in, but the page then stucks again:
tomcat-http--10 ERROR com.vmware.identity.BaseSsoController] Could not parse tenant request java.lang.IllegalStateException: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint
Any proposals how to get the full page?
apache-2.4 reverse-proxy vmware-vsphere saml
asked Jul 3 '17 at 9:25
MarkHelmsMarkHelms
10612
We want to protect our VMWare vsphere 6.5 web client with an already existing & working Apache 2.4 reverse proxy (benefits e.g. centralised monitoring, mod_security et.al.)
Both communications client <--> proxy, and proxy <--> backend (= vsphere) must be be TLS secured. Certificates are in place and ok.
DNS is configured accordingly.
Clients can already access the vsphere start page via proxy successfully e.g. https:// vsphere.domain.tld/
Firefox' network analyses shows that all request are fine and accepted, e.g.
302 GET /vsphere-client/ [FQDN] document html
until /vsphere-client/UI.swf
But as soon as a user clicks on the link "vSphere Web Client (Flash)" in order to authenticate and enter the menues, a status code 400 is thrown. The "vSphere Web Client (Flash)" link directs to /vsphere-client/ and obviously invokes a SAML request.
400 GET https://vsphere.domain.tld/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVRba9sw[...] [FQDN] subdocument
vsphere sso log shows:
tomcat-http--38 ERROR org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder] SAML message intended destination endpoint 'https://vsphere-internal.domain.tld/websso/SAML2/SSO/vsphere.local' did not match the recipient endpoint 'https://vsphere.domain.tld/websso/SAML2/SSO/vsphere.local'
Virtual host conf on Apache reverse proxy so far (excerpt) :
SSLProxyEngine on
ProxyPreserveHost on
ProxyRequests off
ProxyPass / https://vsphere.domain.tld/
ProxyPassReverse / https://vsphere.domain.tld/
ProxyPass /vsphere-client https://vsphere.domain.tld/vsphere-client/
ProxyPassReverse /vsphere-client https://vsphere.domain.tld/vsphere-client/
ProxyPass /websso/SAML2/SSO https://vsphere.domain.tld/websso/SAML2/SSO/
ProxyPassReverse /websso/SAML2/SSO https://vsphere.domain.tld/websso/SAML2/SSO/
# new, to solve the name binding problem (see 1st answer)
RequestHeader set Host "vsphere-internal.domain.tld"
With the last "RequestHeader" addendum - which in effect just reverses the PreserveHost option - I am now able to see the vsphere login page, and to log in, but the page then stucks again:
tomcat-http--10 ERROR com.vmware.identity.BaseSsoController] Could not parse tenant request java.lang.IllegalStateException: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint
Any proposals how to get the full page?
apache-2.4 reverse-proxy vmware-vsphere saml
apache-2.4 reverse-proxy vmware-vsphere saml
asked Jul 3 '17 at 9:25
MarkHelmsMarkHelms
10612
asked Jul 3 '17 at 9:25
MarkHelmsMarkHelms
10612
edited Jul 4 '17 at 15:24
MarkHelms
asked Jul 3 '17 at 9:25
MarkHelmsMarkHelms
10612
asked Jul 3 '17 at 9:25
MarkHelmsMarkHelms
10612
asked Jul 3 '17 at 9:25
MarkHelmsMarkHelms
10612
10612
Youl would get some more help if you could print verbatim access and error log messages. 400 is a malformed request, this could be a more strict checking of requests in recent versions of httpd. Also, which version are you using?
– ezra-s
Jul 4 '17 at 7:34
@ezra-s Did add additional infos.
– MarkHelms
Jul 4 '17 at 9:52
add a comment |
Youl would get some more help if you could print verbatim access and error log messages. 400 is a malformed request, this could be a more strict checking of requests in recent versions of httpd. Also, which version are you using?
– ezra-s
Jul 4 '17 at 7:34
@ezra-s Did add additional infos.
– MarkHelms
Jul 4 '17 at 9:52
Youl would get some more help if you could print verbatim access and error log messages. 400 is a malformed request, this could be a more strict checking of requests in recent versions of httpd. Also, which version are you using?
– ezra-s
Jul 4 '17 at 7:34
Youl would get some more help if you could print verbatim access and error log messages. 400 is a malformed request, this could be a more strict checking of requests in recent versions of httpd. Also, which version are you using?
– ezra-s
Jul 4 '17 at 7:34
@ezra-s Did add additional infos.
– MarkHelms
Jul 4 '17 at 9:52
@ezra-s Did add additional infos.
– MarkHelms
Jul 4 '17 at 9:52
add a comment |
1 Answer
1
active
oldest
votes
I thought to solve the first problem, i.e. "intended destination endpoint ... did not match the recipient endpoint", by adding the backend hostname (= vsphere web client) to Apache's vhost conf:
RequestHeader set Host "<backend hostname>"
(here: vsphere-internal.domain.tld), but as ezra-s explained correctly this just reversed the PreserveHost option. So I deleted both the RequestHeader and the PreserveHost option. Still suffer the second problem...
answered Jul 4 '17 at 10:05
MarkHelmsMarkHelms
10612
what you are saying here is you should not have addedProxyPreserveHost on. Now the most correct way is to remove it, or set it to off, instead of manually hadding a request header.
– ezra-s
Jul 4 '17 at 10:38
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f859053%2ftry-to-reverse-proxy-vsphere-webclient-with-apache%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I thought to solve the first problem, i.e. "intended destination endpoint ... did not match the recipient endpoint", by adding the backend hostname (= vsphere web client) to Apache's vhost conf:
RequestHeader set Host "<backend hostname>"
(here: vsphere-internal.domain.tld), but as ezra-s explained correctly this just reversed the PreserveHost option. So I deleted both the RequestHeader and the PreserveHost option. Still suffer the second problem...
answered Jul 4 '17 at 10:05
MarkHelmsMarkHelms
10612
what you are saying here is you should not have addedProxyPreserveHost on. Now the most correct way is to remove it, or set it to off, instead of manually hadding a request header.
– ezra-s
Jul 4 '17 at 10:38
add a comment |
I thought to solve the first problem, i.e. "intended destination endpoint ... did not match the recipient endpoint", by adding the backend hostname (= vsphere web client) to Apache's vhost conf:
RequestHeader set Host "<backend hostname>"
(here: vsphere-internal.domain.tld), but as ezra-s explained correctly this just reversed the PreserveHost option. So I deleted both the RequestHeader and the PreserveHost option. Still suffer the second problem...
answered Jul 4 '17 at 10:05
MarkHelmsMarkHelms
10612
what you are saying here is you should not have addedProxyPreserveHost on. Now the most correct way is to remove it, or set it to off, instead of manually hadding a request header.
– ezra-s
Jul 4 '17 at 10:38
add a comment |
I thought to solve the first problem, i.e. "intended destination endpoint ... did not match the recipient endpoint", by adding the backend hostname (= vsphere web client) to Apache's vhost conf:
RequestHeader set Host "<backend hostname>"
(here: vsphere-internal.domain.tld), but as ezra-s explained correctly this just reversed the PreserveHost option. So I deleted both the RequestHeader and the PreserveHost option. Still suffer the second problem...
answered Jul 4 '17 at 10:05
MarkHelmsMarkHelms
10612
I thought to solve the first problem, i.e. "intended destination endpoint ... did not match the recipient endpoint", by adding the backend hostname (= vsphere web client) to Apache's vhost conf:
RequestHeader set Host "<backend hostname>"
(here: vsphere-internal.domain.tld), but as ezra-s explained correctly this just reversed the PreserveHost option. So I deleted both the RequestHeader and the PreserveHost option. Still suffer the second problem...
answered Jul 4 '17 at 10:05
MarkHelmsMarkHelms
10612
edited Jul 4 '17 at 15:19
answered Jul 4 '17 at 10:05
MarkHelmsMarkHelms
10612
answered Jul 4 '17 at 10:05
MarkHelmsMarkHelms
10612
answered Jul 4 '17 at 10:05
MarkHelmsMarkHelms
10612
10612
what you are saying here is you should not have addedProxyPreserveHost on. Now the most correct way is to remove it, or set it to off, instead of manually hadding a request header.
– ezra-s
Jul 4 '17 at 10:38
add a comment |
what you are saying here is you should not have addedProxyPreserveHost on. Now the most correct way is to remove it, or set it to off, instead of manually hadding a request header.
– ezra-s
Jul 4 '17 at 10:38
what you are saying here is you should not have added
ProxyPreserveHost on . Now the most correct way is to remove it, or set it to off, instead of manually hadding a request header.– ezra-s
Jul 4 '17 at 10:38
what you are saying here is you should not have added
ProxyPreserveHost on . Now the most correct way is to remove it, or set it to off, instead of manually hadding a request header.– ezra-s
Jul 4 '17 at 10:38
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f859053%2ftry-to-reverse-proxy-vsphere-webclient-with-apache%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Youl would get some more help if you could print verbatim access and error log messages. 400 is a malformed request, this could be a more strict checking of requests in recent versions of httpd. Also, which version are you using?
– ezra-s
Jul 4 '17 at 7:34
@ezra-s Did add additional infos.
– MarkHelms
Jul 4 '17 at 9:52