Apache web server

It is no longer necessary to proxy the Shibboleth IdP through Apache httpd, and has not been since Shibboleth IdP v2.x onwards. However, for various reasons, such as easier certificate management and operation of privileged ports, many deployers prefer to use the Apache httpd web server as a proxy, so we continue to provide some guidance for this, as well as for deployment in a standalone Java servlet container.

Most deployers proxying through Apache prefer to use the Tomcat servlet container, so we focus on the Apache httpd with Tomcat combination here. For those wishing to use Apache httpd in combination with the Jetty container, there is some configuration advice in the Shibboleth wiki.

Apache configuration

You will need to edit the Apache httpd configuration file httpd.conf to configure Apache to pass requests for "/idp/" to the Java servlet container, which we will ensure listens on localhost port 8009. Add this line to the end of the file:

 ProxyPass /idp/ ajp://localhost:8009/idp/
Apache port 443

Apache needs to listen on port 443:

 Listen 443

In the following VirtualHost configuration you configure your IdP server's fully qualified domain name, your browser-facing certificate file, intermediate certificate(s) file and private key file (all in PEM text format), TLS settings, and logging settings.

 <VirtualHost _default_:443>

   ServerName idp.example.ac.uk:443
   SSLEngine on
   SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
   SSLHonorCipherOrder On
   # SSL certificate config
   SSLCertificateFile /opt/shibboleth-idp/credentials/ssl-cert.crt
   SSLCertificateKeyFile /opt/shibboleth-idp/credentials/ssl-cert.key
   SSLCertificateChainFile /opt/shibboleth-idp/credentials/intermediate.pem

   ErrorLog logs/ssl_443_error_log
   TransferLog logs/ssl_443_access_log
   LogLevel warn
   CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


Important note: the configuration above is informed by, but not identical to, the one recommended at the Mozilla link below for a "modern" configuration at the time of writing. We do not guarantee it represents current good practice at the time you are reading this document. You should research current good practice for TLS settings and adjust the configuration accordingly.

We think that it is better to have SSLHonorCipherOrder On to allow the server to force the client to use the best ciphersuite supported by both client and server.

Tomcat configuration with Apache proxy

Ensure that Tomcat is not listening on any ports except port 8009 by commenting out all <Connector> elements in the Tomcat server.xml file. Modify the port 8009 <Connector> as necessary so it looks like this:

 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" />

The secretRequired setting strictly speaking is only needed when the proxy traverses a network.