[LON-CAPA-admin] Optimum Load Balancing

Stuart Raeburn raeburn at msu.edu
Wed Mar 4 16:52:32 EST 2015


Maged,

> RewriteRule ^/adm/sso  /adm/login  [R]
> RewriteRule ^/Shibboleth.sso/Logout   
> https://lon-balancer.lon-capa.illinois.edu/Shibboleth.sso/Logout [R]

Personally, I would not use Apache RewriteRules for that.

As your aim is to disallow direct log-in to your access servers, I  
see no benefit in enabling mod_shib on the access servers/VMs, or the  
library server/VM (just enable it on the load balancer server/VM).

On Ubuntu, do:

sudo a2dismod shib
sudo service apache2 reload

With no mod_shib enabled, LON-CAPA already handles requests for  
/adm/sso with /adm/login which will in turn redirect users without  
sessions on that server to your load balancer (which is running  
Shibboleth).

As regards the second RewriteRule ...

LON-CAPA supports the addition of a custom apache conf file, e.g.,
/etc/apache2/loncapa_apache_localuiuc.conf

which can contain a PerlVar -- lonSSOUserLogoutMessageFile_uiuc -- to  
point at a file containing HTML markup which will be displayed to  
SSO-authenticated users from the uiuc domain in /adm/logout, called  
when a user currently logged into LON-CAPA clicks the "Logout" link at  
top right of a LON-CAPA page.

e.g., this conf file might contain:
PerlSetVar lonSSOUserLogoutMessageFile_uiuc /home/httpd/html/adm/sso_logout_link_body_frag

where /home/httpd/html/adm/sso_logout_link_body_frag itself might contain:

<p>
As your original login to LON-CAPA was authenticated by UofI Single  
Sign On (SSO) service, credentials are still valid.<br />
Until you close your web browser, Illinois web applications which  
support SSO (including LON-CAPA) will not require you to re-login</p>
<p>
To expire your active SSO token <a
href="https://lon-balancer.lon-capa.illinois.edu/Shibboleth.sso/Logout">log  
out</a> of Single Sign On.
</p>

Alternatively, if you want to log users out of SSO automatically when  
they log-out of LON-CAPA you could make use of one of the additional  
perlVars which will be available in 2.11.1:

lonSSOUserLogoutHeadFile_uiuc and lonSSOUserLogoutHeadFile

which support addition of HTML to the document head, e.g.,

<meta http-equiv="Refresh" content="0; url=https://login.msu.edu/Logout.asp" />

See:
http://mail.lon-capa.org/pipermail/lon-capa-cvs/Week-of-Mon-20150302/026466.html

> I have one more question, is lonCapa balancer capable of redirecting  
>  users for each request rather than on initial logins only?

No.

The current implementation is intended to authenticate users and then  
cause the user's sessions to be migrated to an access or library  
server in your domain.  Thereafter, all requests from that user are  
handled by the session-hosting server.


Stuart Raeburn
LON-CAPA Academic Consortium


Quoting "Abdel Messeh, Maged" <mmesseh at illinois.edu>:

> Hi Stuart,
>
> This is very helpful and solved my problem thanks so much.
>
> I just had to add two extra lines to loncapa_rewrite.conf:
>
> # this is to redirect the default /adm/sso to /adm/login which seems  
>  to be where the redirect is happening within lonCapa
> RewriteRule ^/adm/sso  /adm/login  [R]
>
> # this is to ensure that the shib session is destroyed by   
> redirecting from access nodes to lon-balancer
> RewriteRule ^/Shibboleth.sso/Logout   
> https://lon-balancer.lon-capa.illinois.edu/Shibboleth.sso/Logout [R]
>
> I have one more question, is lonCapa balancer capable of redirecting  
>  users for each request rather than on initial logins only?
>
> Thanks,
>
> Maged
>
>
> -----Original Message-----
> From: lon-capa-admin-bounces at mail.lon-capa.org   
> [mailto:lon-capa-admin-bounces at mail.lon-capa.org] On Behalf Of   
> Stuart Raeburn
> Sent: Monday, March 2, 2015 6:06 PM
> To: lon-capa-admin at mail.lon-capa.org
> Subject: Re: [LON-CAPA-admin] Optimum Load Balancing
>
> Hi,
>
> What you can do currently in LON-CAPA is to use a domain configuration
> to cause users who are attempting to display the log-in page on each
> of your servers to be redirected to the LON-CAPA load-balancer server.
>
> This avoids the infinite loop, because users who already have a
> session on one of the access servers will see the: "Already logged in"
> message, if they display the log-in page on that particular server.
>
> As Domain Coordinator, use:
> Main Menu -> Set domain configuration -> Display ("Log-in page
> options" checked).
>
> If your domain contains more than one server then you will see a
> "Log-in Service" section.  For each access server listed select the
> hostname of the load balancer server in the "Redirect to" drop down
> list, and then choose the Path.
>
> If you plan to use Shibboleth authentication on the load balancer
> server, you should select / as the path.  You can also enter IP
> addresses for clients which you wish to exempt from the redirect.
> (This is useful if you use periodic robotic log-in, role selection,
> course display, and log-out for each of your LON-CAPA servers from a
> script run on a dedicated monitoring server).
>
> See:
> https://library1.lon-capa.uiuc.edu/adm/help/Domain_Configuration_Login_Page.hlp
>
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
>
> Quoting "Abdel Messeh, Maged" <mmesseh at illinois.edu>:
>
>> Hi All,
>>
>> I have recently successfully deployed a lon-balancer in our test
>> environment which works great, however in order to completely
>> benefit from it, I am looking for a way to redirect users to the
>> balancer when they try to go directly to an access node.  In other
>> words I do not want users to be able to go to a specific access node
>>  and potentially overload it.
>>
>> I tried to use apache redirects (mod_rewrite) to accomplish this but
>>  I ended up creating a loop in the following fashion:
>> User goes to accesstest1 --> apache redirect to lon-balance -->
>> lon-balance redirect to accestest2 --> apache redirect to lon-balance
>>
>> I am not sure if there is a better way for doing this?  I am also
>> open for using external layer of redirects via nginx for example.
>>
>> A more ambitious solution would be to completely hide which access
>> node the user is on, and hence they cannot go directly to any access
>>  node and then see if lon-balancer can redirect users for each
>> request rather than on initial logins only.
>>
>> I would greatly appreciate any thoughts on any of the above ideas.
>>
>> Thanks,
>>
>> Maged
>>
>>
>> _______________________________________________
>> LON-CAPA-admin mailing list
>> LON-CAPA-admin at mail.lon-capa.org
>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
>