[Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
Piotr Baranowski
piotr.baranowski at osec.pl
Wed Jun 17 12:09:05 UTC 2015
Hi list!
I have a challenging setup I need some help with.
My topology:
EXTERNAL CLIENTS <-> INTERNET <-> SERVER <-> IPA <-> INTERNAL CLIENTS
There is no problem with Internal clients. They register/enroll and then work like a charm.
The challenge is how external clients access the IPA server.
Firewall does a DNAT from external interface to internal one
DNATed services are:
389/tcp
646/tcp
464/tcp
53/tcp
88/tcp
and
464/udp
53/udp
88/udp
I'm using Apache with a mod_proxy config to pass HTTP/HTTPS traffic from clients to the actual IPA server.
It's done using the following config:
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://A.B.C.D/ timeout=300 keepalive=On
    ServerName id.osec.pl
</VirtualHost>
<VirtualHost *:443>
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /etc/pki/tls/certs/osec.crt
    SSLCertificateKeyFile /etc/pki/tls/private/osec.key
    SSLCACertificateFile /etc/pki/tls/certs/certum.crt
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / https://A.B.C.D/ timeout=300 keepalive=On
    ServerName id.osec.pl
</VirtualHost>
DNS SRV records are set up correctly and autodiscovery works.
When I run ipa-client-install --mkhomedir I get a nicely working setup.
External clients complain about ssl cert:
[root at biuro1 ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Using existing certificate '/etc/ipa/ca.crt'.
Discovery was successful!
Hostname: biuro1.osec.pl
Realm: OSEC.PL
DNS Domain: osec.pl
IPA Server: id.osec.pl
BaseDN: dc=osec,dc=pl
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin at OSEC.PL :
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: Peer's certificate issuer has been marked as not trusted by the user.
It seems that the client does not like the cert presented by the "proxying" server.
Am I doing something fundamentally wrong here?
Can the registration process be proxied by apache/mod_proxy?
best regards
--
Piotr Baranowski
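The error above comes from the IPA client verifying the proxy's TLS certificate against the IPA CA it already trusts (/etc/ipa/ca.crt), while the proxy serves a Certum-issued certificate. The following diagnostic script is an added example, not part of the original post: it fetches the leaf certificate a host presents and checks whether it chains to a given CA file. The host name, port and file paths are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the certificate a
# reverse proxy presents on port 443 chains to the CA an IPA client trusts.
# Host, port and paths used in the comments are assumptions.

# Fetch the leaf certificate the server presents for a given name (needs network).
fetch_leaf_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Return 0 if LEAF_PEM verifies against CA_PEM, 1 otherwise, and print the
# issuer the server actually sent next to the CA subject the client trusts.
check_leaf_against_ca() {
    leaf="$1"; ca="$2"
    echo "presented issuer  : $(openssl x509 -in "$leaf" -noout -issuer)"
    echo "trusted CA subject: $(openssl x509 -in "$ca" -noout -subject)"
    if openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "OK: certificate chains to the trusted CA"
        return 0
    fi
    echo "MISMATCH: an IPA client would reject this certificate (issuer not trusted)"
    return 1
}

# Typical use on an external client (assumed host and paths):
#   fetch_leaf_cert id.osec.pl > /tmp/proxy-leaf.pem
#   check_leaf_against_ca /tmp/proxy-leaf.pem /etc/ipa/ca.crt
```

A MISMATCH here reproduces the enrollment failure offline and tells you which issuer the client would have to trust for the proxied path to work.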