Running Shibboleth IdP proxied with Apache httpd via mod_proxy_ajp

A common way to run Shibboleth Identity Provider is by using Apache httpd as a frontend and Tomcat as the backend. This is done by proxying Tomcat via the Apache JServ Protocol. This approach means that you can secure the Shibboleth IdP with Apache’s mod<em>ssl and run the IdP on port 443(I know that this can be done in Tomcat, but I presume people are more comfortable using Apache httpd). The accompanying video is here:

This guide makes the following assumption that you followed the previous blog post on <a href=””>installing Tomcat and Shibboleth Identity Provider

Install Apache httpd

sudo apt-get install apache2

Check which sites are enabled. 000-default is enabled by default.

a2query -s

which returns:

000-default (enabled by the site administrator)

Disable the 000-default site

sudo a2dissite 000-default

Enable mod_proxy_ajp (this will also enable mod_proxy) and mod_ssl

sudo a2enmod proxy_ajp ssl
sudo nano /etc/apache2/sites-available/shib-idp.conf

Paste the following into your file, edit the paths to your certificates, private keys, certificate authority chain and log files, then save

<VirtualHost *:443>
  ServerName shib-idp.lan
  CustomLog /var/log/apache2/shib-idp.lan.access.log combined
  ErrorLog /var/log/apache2/shib-idp.lan.error.log
  SSLEngine On
  SSLProtocol all -SSLv2 -SSLv3
  SSLCertificateKeyFile /etc/ssl/private/shib-idp.lan.key
  SSLCertificateFile /etc/ssl/certs/shib-idp.lan.crt
  SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt

  <IfModule headers_module>
    Header set X-Frame-Options DENY
    Header set Strict-Transport-Security "max-age=31536000;includeSubDomains"

  ProxyPass /idp ajp://localhost:8009/idp retry=5
  <Proxy ajp://localhost:8009>
    Require all granted

To use a self signed certificate, do the following:

sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout /etc/ssl/private/shib-idp.lan.key -out /etc/ssl/certs/shib-idp.lan.crt

Accept the defaults for this except ‘Common Name’ which should be your hosts name, in my case shib-idp.lan

Remove the CertificateChainFile line from /etc/apache2/sites-available/shib-idp.conf

sudo sed -i '/SSLCertificateChainFile/d' /etc/apache2/sites-available/shib-idp.conf

Enable the new site

sudo a2ensite shib-idp && sudo service apache2 reload

Modify the $CATALINA_HOME/conf/server.xml by commenting out the enabled HTTP connector, then paste in the following:

<Connector port="8009" address="" protocol="AJP/1.3" />

Restart Tomcat

sudo service tomcat8 restart

Test by opening the IdP status page in a web browser at: https://shib-idp.lan/idp/status If you opted for a self signed certificate, you will get an insecure connection warning.