SSLOffloading
- Rod Widdowson
- Scott Cantor
Use of SSL load balancers and accelerators can result in a change of the scheme used for incoming requests from https to http as it crosses a logical to physical boundary inside the internal network. As with other virtual hosting translation issues, this will break without explicit allowances because redirects will be generated improperly and endpoint information in metadata will not match.
The web server needs to be informed about this situation in whatever manner it supports, usually commands related to virtual host setup such as ServerName. For older versions of Apache (1.3) that do not support this feature, the ShibURLScheme command is provided, to be placed within the appropriate <VirtualHost>.
For IIS, which does not actually support this form of virtual hosting, this must be specified directly in shibboleth2.xml by modifying the <Site> element:
<ISAPI normalizeRequest="true">
<Site id="1" name="sptest.tut.fi" scheme="https" port="443"/>
</ISAPI>