Viewing 15 replies - 1 through 15 (of 15 total)
    Hi,

    This is because WP Cassify can't parse the XML response given by the CAS server to extract the user id. You can enable the debug option in the plugin admin panel to analyse the last CAS XML response. Then you can understand why it doesn't work.

    Is your CAS server compatible with CAS protocol version 3? Have you tried setting the CAS protocol version to 2?

    Best regards.

    Thread Starter bkpandey

    (@bkpandey)

    I am receiving the following response from the CAS server. I haven't seen any other log. This is something related to https, http and DNS.

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    	<cas:authenticationFailure code='INVALID_SERVICE'>
    		Ticket 'ST-61-a5G00CpbpQhk4S2mfkSs-casauth' does not match supplied service. The original service was 'https://www.somedomain.com/wp-admin/' and the supplied service was 'http://somedomain.com/wp-admin/'.
    	</cas:authenticationFailure>
    </cas:serviceResponse>
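
    The response above is the case the plugin's own parser gives up on: a well-formed CAS response that carries an authenticationFailure instead of a user. As an added example (not part of this thread and not WP Cassify code), here is a small PHP parser for a CAS 2.0/3.0 serviceValidate response that returns the user and attributes on success and the failure code and message otherwise. The function name and the two sample documents are constructed for the example; the failure sample is modelled on the response quoted above with a made-up ticket id.

```php
<?php
// Added example (not WP Cassify code): parse a CAS 2.0/3.0 serviceValidate
// response and report either the authenticated user or the failure.

function cas_parse_service_response( string $xml ): array {
    // Keep parser warnings out of the page and forbid network access during parsing.
    $previous = libxml_use_internal_errors( true );
    $doc = simplexml_load_string( $xml, 'SimpleXMLElement', LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );
    if ( $doc === false ) {
        return array( 'ok' => false, 'code' => 'PARSE_ERROR', 'message' => 'response is not well-formed XML' );
    }

    // The CAS namespace must be registered before XPath can address cas:* elements.
    $doc->registerXPathNamespace( 'cas', 'http://www.yale.edu/tp/cas' );

    $success = $doc->xpath( '/cas:serviceResponse/cas:authenticationSuccess/cas:user' );
    if ( ! empty( $success ) ) {
        $attributes = array();
        foreach ( $doc->xpath( '/cas:serviceResponse/cas:authenticationSuccess/cas:attributes/*' ) as $attr ) {
            $attributes[ $attr->getName() ][] = trim( (string) $attr );
        }
        return array( 'ok' => true, 'user' => trim( (string) $success[0] ), 'attributes' => $attributes );
    }

    $failure = $doc->xpath( '/cas:serviceResponse/cas:authenticationFailure' );
    if ( ! empty( $failure ) ) {
        return array(
            'ok'      => false,
            'code'    => trim( (string) $failure[0]['code'] ),
            'message' => trim( preg_replace( '/\s+/', ' ', (string) $failure[0] ) ),
        );
    }
    return array( 'ok' => false, 'code' => 'UNEXPECTED', 'message' => 'neither authenticationSuccess nor authenticationFailure present' );
}

// Constructed sample modelled on the failure quoted in this thread (ticket id made up).
$failure_xml = <<<'XML'
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_SERVICE'>
        Ticket 'ST-1-example' does not match supplied service. The original service was 'https://www.somedomain.com/wp-admin/' and the supplied service was 'http://somedomain.com/wp-admin/'.
    </cas:authenticationFailure>
</cas:serviceResponse>
XML;

// Constructed sample: a CAS 3.0 success response carrying one attribute.
$success_xml = <<<'XML'
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>jdoe</cas:user>
        <cas:attributes><cas:mail>jdoe@example.org</cas:mail></cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>
XML;

foreach ( array( $failure_xml, $success_xml ) as $xml ) {
    $r = cas_parse_service_response( $xml );
    echo $r['ok'] ? "user={$r['user']}\n" : "failure {$r['code']}: {$r['message']}\n";
}
```

    The failure branch is the one to look at when the debug option shows a response like the one above: the code attribute (INVALID_SERVICE here) tells you whether the problem is the service URL the plugin sent, the service registry on the CAS side, or the ticket itself.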
    Thread Starter bkpandey

    (@bkpandey)

    Yes I tried both protocol version 2 and 3.

    Thread Starter bkpandey

    (@bkpandey)

    I was able to identify the cause: in the classes/wp_cassify_plugin.php file, at line 334, I see the following line,

    $service_url = $this->wp_cassify_get_service_callback_url();

    When I hard-coded the value to

    $service_url = 'https://www.somedomain.com/wp-admin/';

    I am able to authenticate successfully. This means the wp_cassify_get_service_callback_url() function is not able to provide a valid URL, and the CAS server is not able to authenticate the service based on the previously granted TGT.

    For reference, my servers are behind an AWS load balancer and I am using AWS Certificate Manager to handle the certificate.

    Hi,
    Okay, thanks for this information. I know the source of the problem. But I need your help to solve it because I don't have an AWS load balancer.

    Create test.php behind your load balancer with the code below and send me the output:
    <?php print_r( $_SERVER ); ?>

    Best regards.

    Thread Starter bkpandey

    (@bkpandey)

    Find the output as follows; only the IP address and domain name are replaced by somedomain.
    Array
    (
        [USER] => nginx
        [HOME] => /var/lib/nginx
        [FCGI_ROLE] => RESPONDER
        [SCRIPT_FILENAME] => /opt/sites/somedomain.com/public/mockup/test2.php
        [QUERY_STRING] =>
        [REQUEST_METHOD] => GET
        [CONTENT_TYPE] =>
        [CONTENT_LENGTH] =>
        [SCRIPT_NAME] => /mockup/test2.php
        [REQUEST_URI] => /mockup/test2.php
        [DOCUMENT_URI] => /mockup/test2.php
        [DOCUMENT_ROOT] => /opt/sites/somedomain.com/public
        [SERVER_PROTOCOL] => HTTP/1.1
        [GATEWAY_INTERFACE] => CGI/1.1
        [SERVER_SOFTWARE] => nginx/1.8.1
        [REMOTE_ADDR] => 17.3.4.26
        [REMOTE_PORT] =>
        [SERVER_ADDR] => 17.3.32.138
        [SERVER_PORT] => 443
        [SERVER_NAME] => somedomain.com
        [REDIRECT_STATUS] => 200
        [HTTP_HOST] => http://www.somedomain.com
        [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        [HTTP_ACCEPT_ENCODING] => gzip, deflate, br
        [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
        [HTTP_COOKIE] => __utma=124231964.1857659488.1466985098.1471386810.1471471746.49; __utmz=124231964.1466985098.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-time-1=1469663743; wp-settings-3=editor%3Dtinymce%26libraryContent%3Dbrowse; wp-settings-time-3=1468290918; _ga=GA1.2.1857659488.1466985098; PHPSESSID=pj9e70k308rcsbbi6qdq4295v5; __utmb=124231964.1.10.1471471746; __utmc=124231964; _gat=1
        [HTTP_UPGRADE_INSECURE_REQUESTS] => 1
        [HTTP_USER_AGENT] => Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
        [HTTP_X_FORWARDED_FOR] => 17.3.4.26
        [HTTP_X_FORWARDED_PORT] => 443
        [HTTP_X_FORWARDED_PROTO] => https
        [HTTP_CONNECTION] => keep-alive
        [PHP_SELF] => /mockup/test2.php
        [REQUEST_TIME_FLOAT] => 1471472574.0485
        [REQUEST_TIME] => 1471472574
    )

    Hi !

    Have you done the test for http://www.somedomain.com/mockup/test2.php or for https://www.somedomain.com/mockup/test2.php?

    I am searching for which PHP server variables I should use to build the callback service URL when you're behind a proxy.

    I have already experienced this problem and I thought I had solved it, but obviously not:
    https://ww.wp.xz.cn/support/topic/error-beyond-a-reverse-proxy?replies=2

    Best regards.

    Thread Starter bkpandey

    (@bkpandey)

    I think you don't have a good nginx reverse proxy configuration, because $_SERVER[ 'HTTP_X_FORWARDED_HOST' ] is missing.

    Thread Starter bkpandey

    (@bkpandey)

    OK, what should the nginx configuration be?

    I tried adding the following; it is still not working:

    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    Thread Starter bkpandey

    (@bkpandey)

    It looks like it is because the server is behind an AWS ELB. I am reading the AWS document,

    http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html

    and SO, http://stackoverflow.com/questions/35544901/non-standard-http-headers-x-forwarded-host-etc-appear-in-the-http-response

    and figured out that this is the case:

    AWS ELBs automatically add the X-Forwarded-For, X-Forwarded-Port, and X-Forwarded-Proto request headers, per the AWS ELB docs; they do not use the X-Forwarded-Host header.

    Thread Starter bkpandey

    (@bkpandey)

    How about checking HTTP_X_FORWARDED_PORT or HTTP_X_FORWARDED_PROTO and using the HTTP_HOST variable instead? Obviously this is not a one-liner solution and may need a couple of things checked. Just a suggestion.

    In my case I think I can hard-code the value, return https://www.somedomain.com every time and append the rest of the URL.

    If there are too many unknowns, another solution is to add a field in the UI so that we can input the URL.

    Hi,

    In the file classes/wp_cassify_utils.php, replace wp_cassify_get_current_url as below. Make all the tests you need. Then keep me informed, and if you don't see bad behaviour with this code, I can integrate this fix in the next release:

    public static function wp_cassify_get_current_url( $wp_cassify_default_wordpress_blog_http_port = 80, $wp_cassify_default_wordpress_blog_https_port = 443 ) {

        // Scheme as PHP itself sees it (behind a TLS-terminating proxy this is usually 'http').
        $current_url = ( isset( $_SERVER[ 'HTTPS' ] ) && $_SERVER[ 'HTTPS' ] == 'on' ) ? 'https://' : 'http://';

        // If the cassified application is hosted behind a reverse proxy.
        if ( isset( $_SERVER[ 'HTTP_X_FORWARDED_HOST' ] ) ) {
            $current_url .= $_SERVER[ 'HTTP_X_FORWARDED_HOST' ];
        }
        else {
            $current_url .= $_SERVER[ 'SERVER_NAME' ];
        }

        if ( ( $_SERVER[ 'SERVER_PORT' ] != $wp_cassify_default_wordpress_blog_http_port ) &&
             ( $_SERVER[ 'SERVER_PORT' ] != $wp_cassify_default_wordpress_blog_https_port ) ) {
            $current_url .= ':' . $_SERVER[ 'SERVER_PORT' ];
        }

        // Specific use case: WordPress hosted on nginx behind an AWS load balancer.
        if (
            isset( $_SERVER[ 'HTTP_HOST' ] ) &&
            isset( $_SERVER[ 'HTTP_X_FORWARDED_PORT' ] ) &&
            isset( $_SERVER[ 'HTTP_X_FORWARDED_PROTO' ] ) ) {

            // Note: this assignment replaces the value built above, so the scheme prefix is discarded
            // and $current_url now holds only the host.
            $current_url = $_SERVER[ 'HTTP_HOST' ];

            // Use the port the load balancer received the request on, not the backend's own port.
            if ( ( $_SERVER[ 'HTTP_X_FORWARDED_PORT' ] != $wp_cassify_default_wordpress_blog_http_port ) &&
                 ( $_SERVER[ 'HTTP_X_FORWARDED_PORT' ] != $wp_cassify_default_wordpress_blog_https_port ) ) {
                $current_url .= ':' . $_SERVER[ 'HTTP_X_FORWARDED_PORT' ];
            }

            // Only has an effect if $current_url already contains the string "http".
            if ( $_SERVER[ 'HTTP_X_FORWARDED_PROTO' ] == 'https' ) {
                $current_url = str_replace( "http", "https", $current_url );
            }
        }

        $current_url .= $_SERVER[ 'REQUEST_URI' ];

        return $current_url;
    }

    Best regards.

    Thread Starter bkpandey

    (@bkpandey)

    Now I have started receiving the following message; it looks like it is not prepending https.

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
        <cas:authenticationFailure code='ServiceManagement: Unauthorized Service Access. Service [www.somedomain.com/wp-admin/] is not found in service registry.'>
                ServiceManagement: Unauthorized Service Access. Service [www.somedomain.com/wp-admin/] is not found in service registry.
        </cas:authenticationFailure>
    </cas:serviceResponse>

    For the record, this has nothing to do with the CAS server. I have already registered the service on the CAS server, and when I hard-code the value to

    $service_url = 'https://www.somedomain.com/wp-admin/';

    I can successfully log in.

    Hi,

    I don't understand why http/https is not being prepended, because I use the SERVER variables that you communicated to me before to make the test and build the URL (i.e. $_SERVER[ 'HTTP_HOST' ], $_SERVER[ 'HTTP_X_FORWARDED_PORT' ], $_SERVER[ 'HTTP_X_FORWARDED_PROTO' ]).

    So, I'm very sorry, but I can't solve your problem.

    If you want to see where the problem comes from, you must use the error_log function inside the code to debug.

    In your wp-config.ini:

    @ini_set('display_errors','Off');
    @ini_set('log_errors','On');
    @ini_set('error_log','/var/www/your-website/phperrors.log');

    Then insert error_log calls inside the code:

    $current_url = $_SERVER[ 'HTTP_HOST' ];
    error_log( "after HTTP_HOST " . $current_url);

    And so on.

    if ( $_SERVER[ 'HTTP_X_FORWARDED_PROTO' ] == 'https' ) {
        $current_url = str_replace( "http", "https", $current_url );
    }
    error_log( "after HTTP_X_FORWARDED_PROTO " . $current_url);


    Best regards.
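
    For anyone landing on this thread with the same setup, the following is an added example, not code from the thread or from WP Cassify, of how the callback service URL can be built behind a TLS-terminating proxy such as an AWS ELB. It takes the scheme and port from X-Forwarded-Proto and X-Forwarded-Port only when the request arrives from a configured proxy address range, and it checks the host against a configured value instead of copying Host or X-Forwarded-Host into the URL, because the service URL is also the address CAS redirects the browser back to with the ticket. The function names, the canonical host parameter, the 10.0.0.0/8 proxy range and the sample $_SERVER arrays are assumptions made for the example; the sample is modelled on the dump posted earlier in the thread. It assumes PHP 7.1 or later.

```php
<?php
// Added example (not WP Cassify code): build the CAS service (callback) URL for a
// WordPress site behind a TLS-terminating proxy such as an AWS ELB. Proxy headers
// are honoured only when the request really came from the proxy, and the host is
// checked against a configured value. Assumes PHP >= 7.1.

// Minimal IPv4 CIDR match (assumption: the proxy reaches the origin over IPv4).
function cas_ip_in_cidrs( string $ip, array $cidrs ): bool {
    $ip_long = ip2long( $ip );
    if ( $ip_long === false ) {
        return false;
    }
    foreach ( $cidrs as $cidr ) {
        [ $net, $bits ] = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
        $net_long = ip2long( $net );
        $bits     = (int) $bits;
        if ( $net_long === false || $bits < 0 || $bits > 32 ) {
            continue;
        }
        $mask = ( $bits === 0 ) ? 0 : ( -1 << ( 32 - $bits ) );
        if ( ( $ip_long & $mask ) === ( $net_long & $mask ) ) {
            return true;
        }
    }
    return false;
}

// $server: usually $_SERVER.  $canonical_host: the host CAS has the service registered
// under (assumption: configured by the site admin).  $trusted_proxies: CIDRs the proxy
// connects from (assumption: the load balancer's subnets).
function cas_build_service_url( array $server, string $canonical_host, array $trusted_proxies ): string {
    $from_proxy = isset( $server['REMOTE_ADDR'] ) && cas_ip_in_cidrs( $server['REMOTE_ADDR'], $trusted_proxies );

    // Scheme: X-Forwarded-Proto is only meaningful when our own proxy set it.
    if ( $from_proxy && isset( $server['HTTP_X_FORWARDED_PROTO'] ) ) {
        $scheme = ( strtolower( $server['HTTP_X_FORWARDED_PROTO'] ) === 'https' ) ? 'https' : 'http';
    } else {
        $scheme = ( ! empty( $server['HTTPS'] ) && $server['HTTPS'] !== 'off' ) ? 'https' : 'http';
    }
    $default_port = ( $scheme === 'https' ) ? 443 : 80;

    // Port: the one the client connected to, which behind a proxy is the forwarded port.
    $port = ( $from_proxy && isset( $server['HTTP_X_FORWARDED_PORT'] ) )
        ? (int) $server['HTTP_X_FORWARDED_PORT']
        : (int) ( $server['SERVER_PORT'] ?? $default_port );

    // Host: compared against the configured value rather than copied from the request.
    // Host and X-Forwarded-Host are client-controlled, and a forged host in the service
    // URL would make CAS send the ticket to that host after login.
    $seen_host = ( $from_proxy && isset( $server['HTTP_X_FORWARDED_HOST'] ) )
        ? $server['HTTP_X_FORWARDED_HOST']
        : ( $server['HTTP_HOST'] ?? '' );
    // The $_SERVER dump earlier in this thread shows HTTP_HOST carrying a scheme prefix; tolerate that.
    $seen_host = preg_replace( '#^https?://#i', '', trim( $seen_host ) );
    $seen_host = strtolower( preg_replace( '/:\d+$/', '', $seen_host ) );
    if ( $seen_host !== strtolower( $canonical_host ) ) {
        throw new RuntimeException( "request host '{$seen_host}' does not match configured host '{$canonical_host}'" );
    }

    $url = $scheme . '://' . $canonical_host;
    if ( $port > 0 && $port !== $default_port ) {
        $url .= ':' . $port;
    }
    $request_uri = $server['REQUEST_URI'] ?? '/';
    if ( $request_uri === '' || $request_uri[0] !== '/' ) {
        $request_uri = '/' . $request_uri;
    }
    return $url . $request_uri;
}

// Constructed sample modelled on the $_SERVER dump posted in this thread: the ELB
// terminated TLS and forwarded to nginx/PHP over plain HTTP.
$sample = array(
    'REMOTE_ADDR'            => '10.0.1.25',        // assumption: an ELB node address
    'SERVER_NAME'            => 'somedomain.com',   // no "www": why the plugin built the wrong host
    'SERVER_PORT'            => '80',
    'HTTP_HOST'              => 'www.somedomain.com',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_PORT'  => '443',
    'REQUEST_URI'            => '/wp-admin/',
);
$trusted = array( '10.0.0.0/8' );   // assumption: the load balancer's VPC range

echo cas_build_service_url( $sample, 'www.somedomain.com', $trusted ), "\n";

// The same headers arriving straight at the origin from an untrusted address are
// ignored, so a forged X-Forwarded-Host cannot redirect the ticket elsewhere.
$direct = array_merge( $sample, array(
    'REMOTE_ADDR'           => '203.0.113.9',
    'HTTP_X_FORWARDED_HOST' => 'attacker.example',
) );
echo cas_build_service_url( $direct, 'www.somedomain.com', $trusted ), "\n";

// A request whose Host is not the configured one is refused outright.
try {
    cas_build_service_url( array_merge( $sample, array( 'HTTP_HOST' => 'attacker.example' ) ), 'www.somedomain.com', $trusted );
} catch ( RuntimeException $e ) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

    The first call reproduces the URL the thread starter had to hard-code, https://www.somedomain.com/wp-admin/, from the forwarded headers alone. Two caveats for a real deployment: the trusted range must really be only the load balancer (a security group that lets anything else reach the origin defeats the check), and if the origin is also reachable over plain HTTP on a non-default port, SERVER_PORT will be appended for direct requests, which is the correct answer for that request but not the URL registered with CAS.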


The topic ‘CAS Authentication failed !’ is closed to new replies.