
We want to protect our VMware vSphere 6.5 web client with an already existing and working Apache 2.4 reverse proxy (benefits e.g. centralised monitoring, mod_security et al.).

Both communications, client <--> proxy and proxy <--> backend (= vSphere), must be TLS secured. Certificates are in place and OK. DNS is configured accordingly.

Clients can already access the vSphere start page via the proxy successfully, e.g. https://vsphere.domain.tld/

Firefox's network analysis shows that all requests are fine and accepted, e.g.

    302 GET /vsphere-client/ [FQDN] document html

until /vsphere-client/UI.swf

But as soon as a user clicks on the link "vSphere Web Client (Flash)" in order to authenticate and enter the menus, a status code 400 is thrown. The "vSphere Web Client (Flash)" link directs to /vsphere-client/ and obviously invokes a SAML request.

    400 GET https://vsphere.domain.tld/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVRba9sw[...] [FQDN] subdocument

The vSphere SSO log shows:

    tomcat-http--38 ERROR org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder] SAML message intended destination endpoint 'https://vsphere-internal.domain.tld/websso/SAML2/SSO/vsphere.local' did not match the recipient endpoint 'https://vsphere.domain.tld/websso/SAML2/SSO/vsphere.local'

Virtual host conf on the Apache reverse proxy so far (excerpt):

    SSLProxyEngine on
    ProxyPreserveHost on
    ProxyRequests off
    ProxyPass        / https://vsphere.domain.tld/
    ProxyPassReverse / https://vsphere.domain.tld/

    ProxyPass        /vsphere-client https://vsphere.domain.tld/vsphere-client/
    ProxyPassReverse /vsphere-client https://vsphere.domain.tld/vsphere-client/
    ProxyPass        /websso/SAML2/SSO https://vsphere.domain.tld/websso/SAML2/SSO/
    ProxyPassReverse /websso/SAML2/SSO https://vsphere.domain.tld/websso/SAML2/SSO/

    # new, to solve the name binding problem (see 1st answer)
    RequestHeader set Host "vsphere-internal.domain.tld"

With the last "RequestHeader" addendum, which in effect just reverses the PreserveHost option, I am now able to see the vSphere login page and to log in, but the page then gets stuck again:

    tomcat-http--10 ERROR com.vmware.identity.BaseSsoController] Could not parse tenant request java.lang.IllegalStateException: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint

Any proposals on how to get the full page?

MarkHelms
  • You would get some more help if you could print verbatim access and error log messages. 400 is a malformed request; this could be a more strict checking of requests in recent versions of httpd. Also, which version are you using? – Daniel Ferradal Jul 04 '17 at 07:34
  • @ezra-s Added additional info. – MarkHelms Jul 04 '17 at 09:52

1 Answer


I thought I could solve the first problem, i.e. "intended destination endpoint ... did not match the recipient endpoint", by adding the backend hostname (= vSphere web client) to Apache's vhost conf:

    RequestHeader set Host "<backend hostname>"

(here: vsphere-internal.domain.tld), but as ezra-s explained correctly this just reversed the PreserveHost option. So I deleted both the RequestHeader and the PreserveHost option. I still suffer from the second problem...

MarkHelms
  • What you are saying here is you should not have added `ProxyPreserveHost on`. Now the most correct way is to remove it, or set it to off, instead of manually adding a request header. – Daniel Ferradal Jul 04 '17 at 10:38
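The check behind the "intended destination endpoint ... did not match the recipient endpoint" error in the question, and the effect of `ProxyPreserveHost` that the answer and comments discuss, as an added example (this is not code from the original post, nor VMware's or OpenSAML's code). It decodes a SAML HTTP-Redirect binding AuthnRequest, reads its `Destination` attribute, and compares it with the URL the identity provider believes it received the message on, which is built from the Host header the proxy forwarded. The AuthnRequest, the hostnames and all function names are constructed for illustration; the URL comparison is a simplified version of OpenSAML's canonicalisation (lowercase scheme and host, default port dropped, query ignored), not its exact code.

```python
"""Model of the SAML destination check that the vCenter SSO (websso) endpoint
applies, and of what an Apache reverse proxy does to the URL it sees.
Added example; hostnames and the sample AuthnRequest are constructed."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the service provider (vsphere-client) addresses the IdP
# by the backend's own name, so that name ends up in Destination.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2017-07-04T07:00:00Z" '
    'Destination="https://vsphere-internal.domain.tld/websso/SAML2/SSO/vsphere.local"/>'
)


def encode_redirect_request(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_request(param):
    """Inverse of encode_redirect_request, as the IdP does it."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def build_sso_url(endpoint, xml_text):
    """URL the browser is redirected to: endpoint plus ?SAMLRequest=..."""
    query = urllib.parse.urlencode({"SAMLRequest": encode_redirect_request(xml_text)})
    return endpoint + "?" + query


def canonical(url):
    """Simplified endpoint comparison: lowercase scheme/host, drop default port and query."""
    p = urllib.parse.urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    netloc = host if p.port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{p.port}"
    return urllib.parse.urlunsplit((scheme, netloc, p.path, "", ""))


def url_seen_by_backend(client_url, backend_host, proxy_preserve_host):
    """What Apache hands to vCenter: with ProxyPreserveHost on the client's Host
    header is kept; with it off (or when ProxyPass rewrites it) the backend name is used."""
    p = urllib.parse.urlsplit(client_url)
    netloc = p.netloc if proxy_preserve_host else backend_host
    return urllib.parse.urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def check_destination(received_url):
    """Act as the IdP. received_url is scheme + Host header + path + query as the
    IdP saw the request. Returns (ok, destination, recipient)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(received_url).query)
    root = ET.fromstring(decode_redirect_request(query["SAMLRequest"][0]))
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest")
    destination = root.get("Destination")
    recipient = canonical(received_url)
    ok = destination is not None and canonical(destination) == recipient
    return ok, destination, recipient


if __name__ == "__main__":
    public = "https://vsphere.domain.tld/websso/SAML2/SSO/vsphere.local"
    client_url = build_sso_url(public, SAMPLE_AUTHN_REQUEST)
    for preserve in (True, False):
        seen = url_seen_by_backend(client_url, "vsphere-internal.domain.tld", preserve)
        ok, dest, rcpt = check_destination(seen)
        print(f"ProxyPreserveHost {'on ' if preserve else 'off'}: "
              f"{'OK' if ok else 'REJECT'} (destination {dest!r} vs recipient {rcpt!r})")
```

Run it and the `ProxyPreserveHost on` case reproduces the mismatch from the SSO log (public name as recipient, internal name as destination), while the `off` case passes. The check is there so that a message can only be consumed at the endpoint it was issued for; the practical consequence for a reverse proxy is that the hostname in the Host header, the name vCenter uses for its own SSO endpoint, and the name in the SP metadata all have to agree, whichever of the two names you settle on.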