Tuesday, March 15, 2011

Requesting a Specific Non-primary Virtual Host via HTTPS Behind Shibboleth

To reach a web app on one specific server behind a load balancer, when that app lives on a non-default virtual host on a non-default SSL port and is protected by Shibboleth (or another SSO), you have to jump through a few hoops: from the browser's point of view, the normally load-balanced host name and port have to resolve to that virtual host on that one server, bypassing the load balancer. You can't simply use the server's own name and port in the URL, because the SSO round trip sends the browser back to the canonical https URL of the virtual host, and the SP session is tied to that host name.

Set up an SSH tunnel that listens locally on the privileged port 443 and forwards to the SSL port of the virtual host on the server you are trying to reach. The forwarding destination is resolved on the remote side, so give it the server's own name and port. sudo is there only because binding local port 443 needs root; note that this runs ssh as root, so root's ~/.ssh config, keys and known_hosts are used rather than your own:

sudo ssh -L 443:third-foobar-server.acme.org:1443 myuser@third-foobar-server.acme.org
Then edit /etc/hosts and point foobar.acme.org at 127.0.0.1 by adding the entry:

127.0.0.1 foobar.acme.org

Now you can hit https://foobar.acme.org/ in your browser and bypass the load balancer: the name resolves to the tunnel, the server's certificate still matches the name you asked for, and the SSO redirects back to foobar.acme.org land on the tunnel as well. Remove the hosts entry when you are done, or every later visit to foobar.acme.org will keep going through the tunnel (or fail once it is closed).

This worked on OS X and should work on Linux; with PuTTY's local port forwarding and the Windows hosts file (C:\Windows\System32\drivers\etc\hosts), it should work there too.

In addition, Scott Cantor suggested to me that webisoget's map command might be a simpler way of scripting access to individual shibbolized apps on specific servers, for monitoring and the like.
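Pulling the steps above into one script, as an added example that is not from the original post: the host names, user and ports are the ones used above, while the HOSTS_FILE variable, the marker comment and the function names are my own assumptions. It builds the tunnel command, adds and removes the hosts override idempotently so nothing is left behind, and, for scripted checks of the monitoring kind just mentioned, uses curl's --resolve to pin the virtual host name to the tunnel without editing /etc/hosts at all.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Host names, user and ports are
# the ones from the post; HOSTS_FILE and the marker comment are assumptions.
set -euo pipefail

VHOST=foobar.acme.org                  # load-balanced virtual host name
BACKEND=third-foobar-server.acme.org   # the specific server to reach
BACKEND_PORT=1443                      # non-default SSL port of the vhost
SSH_USER=myuser
LOCAL_PORT=443                         # must stay 443: SSO redirects back to https://$VHOST/
HOSTS_FILE=${HOSTS_FILE:-/etc/hosts}
MARKER="# tunnel-override $VHOST"

# The ssh command from the post, plus -N so no remote shell is opened.
# The -L destination is resolved by the ssh server, i.e. from the backend's
# point of view; binding local port 443 needs root (hence sudo in the post).
tunnel_cmd() {
  printf 'ssh -N -L %s:%s:%s %s@%s\n' \
    "$LOCAL_PORT" "$BACKEND" "$BACKEND_PORT" "$SSH_USER" "$BACKEND"
}

# Point VHOST at the tunnel. Idempotent: the marker makes a second run a no-op
# and lets remove_hosts_override delete exactly the line that was added.
add_hosts_override() {
  local f=$1
  if ! grep -qF -- "$MARKER" "$f" 2>/dev/null; then
    printf '127.0.0.1 %s %s\n' "$VHOST" "$MARKER" >> "$f"
  fi
}

# Remove only the marked line, leaving the rest of the hosts file untouched.
remove_hosts_override() {
  local f=$1 tmp
  tmp=$(mktemp)
  grep -vF -- "$MARKER" "$f" > "$tmp" || true   # grep exits 1 when nothing is left
  cat "$tmp" > "$f"
  rm -f "$tmp"
}

# Scripted check that needs no hosts edit: --resolve pins VHOST:LOCAL_PORT to
# 127.0.0.1 while SNI, the Host header and the certificate check all still use
# the real virtual host name, so the SSO redirects work the same as in a browser.
check_cmd() {
  printf 'curl -sS -o /dev/null -w "%%{http_code}" --resolve %s:%s:127.0.0.1 https://%s/\n' \
    "$VHOST" "$LOCAL_PORT" "$VHOST"
}

# Usage: sudo ./tunnel.sh up | down | check   (no argument: only define functions)
case "${1:-}" in
  up)    add_hosts_override "$HOSTS_FILE"; eval "$(tunnel_cmd)" ;;
  down)  remove_hosts_override "$HOSTS_FILE" ;;
  check) eval "$(check_cmd)"; echo ;;
  *)     : ;;
esac
```

The up/down split matters more than it looks: the hosts override is the part people forget, and a stale 127.0.0.1 entry for the production virtual host is a confusing failure the next day. The check command is the piece to hand to a monitoring job, since it touches no system files and can be run unprivileged against an already open tunnel on a non-privileged port if you change LOCAL_PORT for that purpose.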

(See also: "HTTPS request to a specific load-balanced virtual host (using Shibboleth for SSO)?".)
