Satya's blog - Netscaler-based content-switcher with Shibboleth support
Notes on setting up a content-switching Citrix Netscaler with Shibboleth support. I use Netscaler 9, I think. Assume two servers, S1 and S2, that I want to present as www.example.com. They have Shibboleth. I want SSL and non-SSL both.

               /----> s1-lb ---> s1-int ---> (server or server farm 1)
    www-ext--->
               \----> s2-lb ---> s2-int ---> (server or server farm 2)

Set up Shibboleth Service Providers on both servers. The Host can be S1 and S2; it doesn't matter. Set the HandlerURL to /S1Shibboleth.sso or something like it (and /S2Shibboleth.sso on S2), rather than the default /Shibboleth.sso, because the content switcher needs some way to tell the two SPs' handler requests apart.

On the Netscaler device, set up S1 and S2 as servers/services with their real internal IPs. Call these s1-int and s2-int, type HTTP, port 80. Set up similar ones called s1-int-ssl and s2-int-ssl with type SSL, port 443.

    add service s1-int 10.0.0.43 HTTP 80
    add service s1-int-ssl 10.0.0.43 SSL 443
    add service s2-int 10.0.0.44 HTTP 80
    add service s2-int-ssl 10.0.0.44 SSL 443

Set up load balancers of type and port HTTP/80 and SSL/443, called s1-lb, s2-lb, s1-lb-ssl and s2-lb-ssl. Their IPs can be private 10-subnet IPs. The s1 IP is the same for both SSL and non-SSL, and the s2 IP is also the same for both (but different from s1's). Example: set s1-lb and s1-lb-ssl as 10.0.0.4, and set s2-lb and s2-lb-ssl as 10.0.0.5. Bind the services s1-int, s1-int-ssl etc. to the appropriate load balancers. You'll need SSL certificates to associate with each SSL one.

    add lb vserver s1-lb HTTP 10.100.1.10 80
    add lb vserver s1-lb-ssl SSL 10.100.1.10 443
    add lb vserver s2-lb HTTP 10.100.1.11 80
    add lb vserver s2-lb-ssl SSL 10.100.1.11 443
    # bind services:
    bind lb vserver s1-lb s1-int
    bind lb vserver s1-lb-ssl s1-int-ssl
    bind lb vserver s2-lb s2-int
    bind lb vserver s2-lb-ssl s2-int-ssl

Set up content switching policies for your apps on s1 and s2. (See the Netscaler manual.) Set up policies for /S1Shibboleth.sso and /S2Shibboleth.sso as well!
    add cs policy s1-shib -rule "REQ.HTTP.URL == /S1Shibboleth.sso || REQ.HTTP.URL == '/S1Shibboleth.sso/*'"
    add cs policy s2-shib -rule "REQ.HTTP.URL == /S2Shibboleth.sso || REQ.HTTP.URL == '/S2Shibboleth.sso/*'"

Set up two content switchers: www-ext and www-ext-ssl (named www-cs and www-cs-ssl in the commands below). Add all the policies to each one, the targets being the appropriate load balancers. That should do it. I don't think you need to set up Apache on the boxes any differently. Using S1 as the ServerName should be fine.

    add cs vserver www-cs HTTP 10.0.0.90 80
    add cs vserver www-cs-ssl SSL 10.0.0.90 443
    # add policies:
    bind cs vserver www-cs s1-lb -policyName s1-shib
    bind cs vserver www-cs-ssl s1-lb-ssl -policyName s1-shib
    bind cs vserver www-cs s2-lb -policyName s2-shib
    bind cs vserver www-cs-ssl s2-lb-ssl -policyName s2-shib

You'll need SSL certificates for the SSL vservers. See the Netscaler manual. If you've set up a certificate (www.crt) and key (www.key), you can scp the files to /nsconfig/ssl on the Netscaler and then add them like so:

    add ssl certKey www-cert -cert www.crt -key www.key
    bind ssl certKey s1-lb-ssl www-cert
    bind ssl certKey www-cs-ssl www-cert

Update Aug 22 2009: Summary:

    add service s1-int 10.0.0.43 HTTP 80
    add service s1-int-ssl 10.0.0.43 SSL 443
    add lb vserver s1-lb HTTP 10.100.1.10 80
    add lb vserver s1-lb-ssl SSL 10.100.1.10 443
    add cs vserver www-cs HTTP 10.0.0.90 80
    add cs vserver www-cs-ssl SSL 10.0.0.90 443
    bind cs vserver www-cs s1-lb
    bind cs vserver www-cs-ssl s1-lb-ssl
    bind lb vserver s1-lb s1-int
    bind lb vserver s1-lb-ssl s1-int-ssl
    bind cs vserver www-cs s1-lb -policyName s1-shib
    bind cs vserver www-cs-ssl s1-lb-ssl -policyName s1-shib
    add ssl certKey www-cert -cert www.crt -key www.key
    bind ssl certKey s1-lb-ssl www-cert
    bind ssl certKey www-cs-ssl www-cert

Update Nov 17 2009: To add a root CA, copy the CA file (e.g. CA.pem) to /nsconfig/ssl and issue this command from the Netscaler command line:

    link ssl certKey www-cert CA.pem

Last updated: Nov 17 2009 07:22
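To see what the content-switching policies above actually do to a request before trusting them in production, here is an added Python model (not from this post and not Citrix code) that parses the `add cs policy` and `bind cs vserver` lines given above and routes sample URLs through them. It assumes a simplified reading of classic-expression semantics (a trailing `*` is a prefix match, anything else an exact match, policies evaluated in bind order) and includes the policy-less default binding of www-cs to s1-lb from the Aug 22 summary.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the cs policies and bindings from this post, plus the
# policy-less default binding of www-cs to s1-lb from the Aug 22 summary.
NS_CONFIG = """
add cs policy s1-shib -rule "REQ.HTTP.URL == /S1Shibboleth.sso || REQ.HTTP.URL == '/S1Shibboleth.sso/*'"
add cs policy s2-shib -rule "REQ.HTTP.URL == /S2Shibboleth.sso || REQ.HTTP.URL == '/S2Shibboleth.sso/*'"
bind cs vserver www-cs s1-lb
bind cs vserver www-cs s1-lb -policyName s1-shib
bind cs vserver www-cs s2-lb -policyName s2-shib
"""

RULE_RE = re.compile(r'^add cs policy (\S+) -rule "(.*)"$')
BIND_RE = re.compile(r'^bind cs vserver (\S+) (\S+)(?: -policyName (\S+))?$')
TERM_RE = re.compile(r"REQ\.HTTP\.URL == '?([^\s']+)'?")


def parse_config(text):
    """Return (policies, bindings): policy name -> URL patterns, and
    cs vserver name -> [default target, [(policy, target), ...]]."""
    policies, bindings = {}, {}
    for line in text.strip().splitlines():
        if m := RULE_RE.match(line):
            policies[m.group(1)] = TERM_RE.findall(m.group(2))
        elif m := BIND_RE.match(line):
            vs, target, pol = m.groups()
            entry = bindings.setdefault(vs, [None, []])
            if pol is None:
                entry[0] = target          # binding without a policy = default target
            else:
                entry[1].append((pol, target))
    return policies, bindings


def url_matches(pattern, path):
    # Assumed classic-expression semantics: a trailing '*' is a prefix glob,
    # anything else must equal the request path exactly.
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def route(vserver, url, policies, bindings):
    """Name the lb vserver a request to the given cs vserver would reach."""
    path = urlsplit(url).path
    default, pols = bindings[vserver]
    for pol, target in pols:               # assumed: evaluated in bind order
        if any(url_matches(p, path) for p in policies[pol]):
            return target
    return default                          # no policy hit: default target
```

The case worth checking is a request for the default /Shibboleth.sso path: it matches neither policy and falls through to the default target (s1-lb here), so S2's SP would never see its own handler traffic, which is exactly why each SP gets its own HandlerURL.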