Our team runs all our Nginx installations on 8443 instead of 443 for the obvious reason that you don't need to be root to listen on the port, and so the process can be started and stopped with lower privileges. (We then expose the application on port 443 by iptables rules or load balancers.) We are in the process of integrating Shibboleth for SSO for doing our authentication.
I've come across this error:
OpenSAML.MessageDecoder.SAML2POST [2]: POST targeted at (https://myserver.com/Shibboleth.sso/SAML2/POST), but delivered to (https://myserver.com:8443/Shibboleth.sso/SAML2/POST)
This seems to be related to the fact that Nginx listens on 8443, but is publicly exposed on 443. Is there any way to tell Shibboleth to stop adding the 8443 to the URL?
I've tried reading through the Shibboleth wiki, and didn't see anything that explained this scenario. I found one instance on the Internet of someone doing something similar, but the only answer given in the chain was to change some Apache configuration (I've been unable to find that Apache configuration or an equivalent in Nginx).
In Apache, you can trick the Shibboleth module into thinking it's been loaded on a different port by specifying a port in the ServerName directive, e.g. ServerName example.com:443 even when it's listening on :8443. More recently, the SP software added ShibURLScheme, which 'controls the URL scheme Apache will report to modules, should reflect the logical value seen by clients from outside your network.'
One of those should work. You just need to trick nginx into telling the Shibboleth modules that the requests are coming from a different port or host header.
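As an added example (not from the question or the answer above), this is the nginx-side equivalent of the ServerName trick for a deployment where the SP handler is reached through its FastCGI responder: the CGI variables the responder uses to rebuild the request URL are set to the public host, port and scheme rather than the local 8443 listener. It assumes the SP derives that URL from SERVER_NAME, SERVER_PORT and HTTPS; the hostname, certificate paths and socket path are placeholders.

```nginx
# Added example: nginx listens on 8443 but presents itself to the
# Shibboleth SP as https://sso.example.com:443 (placeholder hostname).
server {
    listen 8443 ssl;
    server_name sso.example.com;

    ssl_certificate     /etc/ssl/sso.example.com.crt;   # placeholder paths
    ssl_certificate_key /etc/ssl/sso.example.com.key;

    location /Shibboleth.sso {
        # The stock fastcgi_params file sets SERVER_PORT to $server_port,
        # i.e. 8443, which is what produces the "delivered to ...:8443"
        # mismatch. The parameters are therefore listed explicitly here
        # with the logical values clients see from outside.
        fastcgi_param SERVER_NAME     sso.example.com;
        fastcgi_param SERVER_PORT     443;
        fastcgi_param HTTPS           on;
        fastcgi_param REQUEST_SCHEME  https;

        # Standard CGI variables the responder still needs.
        fastcgi_param REQUEST_METHOD  $request_method;
        fastcgi_param REQUEST_URI     $request_uri;
        fastcgi_param QUERY_STRING    $query_string;
        fastcgi_param CONTENT_TYPE    $content_type;
        fastcgi_param CONTENT_LENGTH  $content_length;
        fastcgi_param SCRIPT_NAME     $fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_param REMOTE_ADDR     $remote_addr;
        fastcgi_param SERVER_PROTOCOL $server_protocol;

        fastcgi_pass unix:/run/shibboleth/shibresponder.sock;  # placeholder socket
    }
}
```

After reloading, the SAML2/POST endpoint in the SP's log should report the same https://sso.example.com/Shibboleth.sso/SAML2/POST URL for both "targeted at" and "delivered to".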