Score:0

FreeIPA web interface behind HAProxy


I am trying to configure the FreeIPA web interface to work behind my HAProxy instance. I found an old GitHub Gist with a configuration (https://gist.github.com/m4ce/d081ab39654c3e13bbe8b150986526a3) as well as a Medium article (https://medium.com/@michalmedvecky/running-freeipa-behind-haproxy-77620736698e), but in both cases they make use of the rspirep command, which is no longer supported in HAProxy. So far I have got this:

    # Surrounding block added so the fragment is valid on its own; the backend name is a placeholder
    backend ipa_ui
        mode http
        balance roundrobin
        # Set cookie to ensure same server is used
        cookie SERVERID insert indirect nocache httponly secure

        # Modify headers
        http-request set-header Referer https://1.ipa.example.com/ipa

        # Set cookies domain
        # One pattern only: with a space, "Domain=" and the hostname become two separate substrings and either one matches
        acl hdr_set_cookie_dom_1 res.hdr(Set-Cookie) -m sub Domain=1.ipa.example.com
        # Domain= is never at the start of a Set-Cookie value, so capture the prefix instead of anchoring with ^
        http-response replace-header Set-Cookie (.*)Domain=1\.ipa\.example\.com(.*) \1Domain=authenticate.example.com\2 if hdr_set_cookie_dom_1

        server 1.ipa 1.ipa.example.com:443 check ssl verify none cookie 1

But this just results in the client being redirected from authenticate.example.com to 1.ipa.example.com.

Does anyone have a more up to date guide on how to configure this or any ideas on what might be causing the issues?
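An added example in Python, not part of the question and not code from HAProxy or FreeIPA: it parses a constructed response of the kind a backend can return through the proxy, lists every header that still names 1.ipa.example.com, and applies the two rewrites a proxy would need. A browser follows the Location header of a 3xx response, and the rules in the question only touch Set-Cookie, so a redirect issued by the backend still names the real server.

```python
import re

BACKEND_HOST = "1.ipa.example.com"       # real FreeIPA server named in the question
PUBLIC_HOST = "authenticate.example.com"  # name the proxy is reached under

# Constructed sample, not a captured response: a redirect and two cookies as they
# would arrive from the backend before any http-response rule runs.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://1.ipa.example.com/ipa/ui/\r\n"
    "Set-Cookie: ipa_session=MagBearerToken=xyz; Domain=1.ipa.example.com; "
    "Path=/ipa; Secure; HttpOnly\r\n"
    "Set-Cookie: SERVERID=1; Domain=1.ipa.example.com; Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status line, [(name, value), ...]).
    Repeated headers such as Set-Cookie are kept as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers

def backend_leaks(headers, backend_host=BACKEND_HOST):
    """Headers that still name the backend: Location pulls the browser off the
    proxy, Set-Cookie scopes the session cookie to the wrong host."""
    return [(n, v) for n, v in headers if backend_host.lower() in v.lower()]

def rewrite_headers(headers, backend_host=BACKEND_HOST, public_host=PUBLIC_HOST):
    """Apply the rewrites a proxy would need: the cookie Domain attribute (what the
    question's replace-header rule targets) and the redirect Location (which that
    configuration does not touch)."""
    domain_re = re.compile(r"Domain=" + re.escape(backend_host), re.IGNORECASE)
    location_re = re.compile(r"^(https?://)" + re.escape(backend_host), re.IGNORECASE)
    rewritten = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = domain_re.sub("Domain=" + public_host, value)
        elif name.lower() == "location":
            value = location_re.sub(r"\g<1>" + public_host, value)
        rewritten.append((name, value))
    return rewritten
```

Running backend_leaks on a real response captured from the proxy shows which headers a given configuration still leaves pointing at the backend.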

Score:1

FreeIPA does not support running behind HAProxy, or behind whatever other product you would use for that. I'd suggest you read https://ssimo.org/blog/id_019.html for the basic technical details to understand why it is not supported.

Computroniks: I am not trying to run the entire system behind a reverse proxy, just the web interface (i.e. ports 80 and 443). This article https://www.adelton.com/freeipa/freeipa-behind-load-balancer and this one https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name#front-end-proxy both seem to indicate that it is possible, and the site is linked to from the FreeIPA docs page.

Answerer: As I said, these configurations are not supported. There is no guarantee that the changes will survive upgrades, for example. Also, those articles do not deal with the Kerberos principals, as I pointed out.

Answerer: Please note that there is no 'just the web interface' in the case of FreeIPA. The whole thing is part of the IPA API, which is only accessible through Kerberos. Enrolling IPA clients is done through the same endpoints that the Web UI uses for its operation. This means your IPA client enrollment process will have to deal with it the same way. It is a much larger scope than what you seem to realize here.

Computroniks: I understand that part. For the clients on the computers and servers I will still use direct access to the FreeIPA server; it is just for end users accessing the web interface to change a password or details. I don't want them to use the long hostname of the server, rather a shorter one such as ipa.example.com.

Answerer: If you want to provide a service to users, I'd suggest you deploy something like Noggin (the Fedora Accounts service) in a separate location instead. https://github.com/fedora-infra/noggin