Forum OpenACS Q&A: Shibboleth configuration with apache2 and Nginx

Hello everyone,

I am trying to configure Shibboleth in an environment where I use both Apache2 and NGINX, and I would need some clarification.

Specifically:
- Apache2 is used as the backend with the Shibboleth module (mod_shib)
- NGINX acts as a reverse proxy in front of Apache

Does anyone have experience with this kind of setup in a production environment?

Any configuration examples or suggestions are welcome.

Thanks in advance!

Posted by Antonio Pisano on
Hello Gacalin,

can you please elaborate on how OpenACS or NaviServer come into the picture you describe?

All the best

Antonio

Posted by Gacalin Lufi on
Hi Antonio,

we are setting up the integration with SPID.

Basically, when our login URL is called, Nginx works as a reverse proxy to Apache, which then invokes Shibboleth. After the authentication process, Shibboleth should create the headers with the user information, but at the moment we are not able to receive them on the application side.

So we are trying to understand where the headers are getting lost between Apache, Nginx and NaviServer/OpenACS.

Thanks.

Posted by Antonio Pisano on

Sorry for the delay,

if the headers are not there on NaviServer when the request is received, it means they were not sent at all. First you should ensure that authentication was successful and headers were injected in the request. One idiom to check is this:

    # Output HTTP request headers as string
    set headers [ns_conn headers]
    set output ""
    foreach {key value} [ns_set array $headers] {
        append output "$key = $value \n"
    }
    set output

See https://naviserver.sourceforge.io/n/naviserver/files/ns_set.html#1

I guess there are good reasons to perform this convoluted Nginx -> Apache -> NaviServer trick, but if the whole authentication could be done at the Nginx level, or the NaviServer level, things would be less complicated.

On LEARN, we had an experimental Shibboleth implementation that we never released to the public. The problem is:

  • I currently do not have access to the code

  • it was never used in production, so it would not be "battle tested"

I can try harder to obtain the code that we had, if you are still interested. Just keep in mind that you may have to work on it some more to get it working.

Ciao

Antonio
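
To carry the check above across every hop, the following sketch (an added example, not part of the original post or of OpenACS/NaviServer) compares header dumps in the same `key = value` form and reports the first hop where each expected header is absent. The hop order, header names and values are constructed assumptions; substitute the dumps captured in your own chain.

```python
# Added example: find the hop where expected identity headers disappear.
# Input is the "key = value" dump format produced by the ns_conn idiom above.

def parse_dump(text):
    """Parse 'key = value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            # Header names are case-insensitive, so normalise before comparing.
            headers[key.strip().lower()] = value.strip()
    return headers

def first_missing_hop(expected, hops):
    """hops: ordered (hop_name, dump_text) pairs in the order the request travels.
    Returns {header: first hop where it is absent, or None if it arrived}."""
    parsed = [(name, parse_dump(dump)) for name, dump in hops]
    return {
        header: next((name for name, hdrs in parsed
                      if header.lower() not in hdrs), None)
        for header in expected
    }

def underscore_names(expected):
    """Names containing '_': Nginx ignores such request headers by default
    (underscores_in_headers off), so they deserve a look when Nginx is a hop."""
    return [h for h in expected if "_" in h]

# Constructed sample data (hypothetical header names, values and hop order).
EXPECTED = ["Host", "X-Example-Uid", "example_fiscal_code"]
SAMPLE_HOPS = [
    ("apache", "Host = app.example.org \n"
               "X-Example-Uid = u123 \n"
               "example_fiscal_code = ABC123 \n"),
    ("nginx", "Host = app.example.org \n"
              "X-Example-Uid = u123 \n"),
    ("naviserver", "host = app.example.org \n"),
]

if __name__ == "__main__":
    for header, hop in first_missing_hop(EXPECTED, SAMPLE_HOPS).items():
        print(f"{header}: {'arrived' if hop is None else 'missing at ' + hop}")
    print("underscore names:", underscore_names(EXPECTED))
```

A header reported missing at a hop was dropped by that hop or by the link leading into it, which is where the configuration review should start.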

Posted by Gacalin Lufi on
Hi Antonio,

thank you for your reply.

I was able to resolve the issue by bypassing Nginx and handling everything directly through Apache. We set up a new server running on Apache, and we are no longer experiencing the problem of headers being lost.

I believe the issue was related to the Nginx → Apache → Shibboleth chain, where headers were likely being dropped along the way.

Thanks again for your support.

Best regards.

Gacalin Lufi