[Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
Piotr Baranowski
piotr.baranowski at osec.pl
Wed Jun 17 18:59:30 UTC 2015
----- 17 Jun 2015 at 16:45, Piotr Baranowski piotr.baranowski at osec.pl wrote:
> ----- 17 Jun 2015 at 16:21, Alexander Bokovoy abokovoy at redhat.com wrote:
>
>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>>----- 17 Jun 2015 at 15:51, Alexander Bokovoy abokovoy at redhat.com wrote:
>>>
>>>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>>>>----- Original message -----
>>>>>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>>>>>> So you have two different certificates in use here and your client
>>>>>> doesn't know about the other certificate (from your proxy). You need
>>>>>> either to deliver that certificate to the client by yourself or change
>>>>>> your proxying technology to something different.
>>>>>>
>>>>>> For example, you can use sniproxy which doesn't require in-the-middle
>>>>>> certificate. https://github.com/dlundquist/sniproxy
>>>>>
>>>>>Thanks for that hint. I'll have a look at that.
>>>>>
>>>>>However I have an Idea:
>>>>>If I could export ipa's mod_nss cert+key and then use them on my proxy running
>>>>>mod_ssl that probably could solve the issue.
>>>>>
>>>>>Right?
>>>> Sort of. Now you would have an issue of maintaining the certificate in
>>>> multiple locations which would make rotation of it "interesting", so to
>>>> say.
>>>
>>>Those would be only TWO certificates to manage. What's the challenge here?
>> FreeIPA uses certmonger to rotate certificates when time approaches
>> their expiration. Certmonger requests a new certificate from the CA. In
>> case you copied the certificate to some other server, you would need to
>> manually maintain the other copy and there will be a period when the IPA
>> webserver's certificate would already be rotated but yours isn't.
>>
>> Setting certmonger to rotate the same certificate from two locations
>> wouldn't work.
>>
>> I'm not saying it is hard, just that you should know what you are
>> dealing with and accept a window of blackout.
>
> Good to know that.
> Thanks for the heads-up.
>
> I already exported the IPA CA cert, Server-Cert cert/key.
> I'll have to wait until the maintenance window before I reload my apache.
>
> Will keep you posted if that solved the problem.
So, the challenge was really not that difficult. I guess some of you may want to know how to do that and what the benefits are.
So firstly, your IPA can be nicely hidden in the DMZ and its access can be nicely controlled/proxied (mod_security, anyone???)
As I mentioned in the original email, tcp/udp traffic to IPA is DNATed using firewalld.
The http/https traffic is proxied using mod_proxy/mod_ssl.
The first part can be achieved on CentOS 7.1/RHEL 7.1 like this (assuming PUBLIC is your external network and 10.20.30.40 is the IP of the IPA server):
firewall-cmd --zone=public --add-forward-port=port=389:proto=tcp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=636:proto=tcp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=53:proto=tcp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=53:proto=udp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=123:proto=udp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=88:proto=udp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=88:proto=tcp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=464:proto=tcp:toaddr=10.20.30.40
firewall-cmd --zone=public --add-forward-port=port=464:proto=udp:toaddr=10.20.30.40
If, like in my case, your perimeter server acts as an actual webserver and needs to proxy the http/https requests, you may set up a name-based vhost to pass traffic to the target IPA server.
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://10.20.30.40/ timeout=300 keepalive=On
    ServerName ipa.fqdn.tld
</VirtualHost>
<VirtualHost *:443>
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /etc/pki/tls/certs/freeipa.crt
    SSLCertificateKeyFile /etc/pki/tls/private/freeipa.key
    SSLCACertificateFile /etc/pki/tls/certs/freeipa-ca.crt
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / https://10.20.30.40/ timeout=300 keepalive=On
    ServerName ipa.fqdn.tld
</VirtualHost>
The actual IPA uses NSS (mod_nss) while the proxy server runs using mod_ssl.
It is necessary to extract the CA cert, server key and server crt from IPA and plant them on the proxy host.
First check the nicknames of the certs in the NSS database:
certutil -L -d /etc/httpd/alias/
Extract IPA Server Cert:
certutil -L -d /etc/httpd/alias/ -a -n 'Server-Cert' > ipa.crt
Extract IPA Server private key:
pk12util -o ipakey.p12 -n 'Server-Cert' -d /etc/httpd/alias/
Extract IPA CA cert:
certutil -L -d /etc/httpd/alias/ -a -n 'YOURREALM.TLD IPA CA' > ipa-ca.crt
Convert Private key:
openssl pkcs12 -in ipakey.p12 -out ipa.key -nodes
Transfer the files to the appropriate locations on the proxy server (/etc/pki/tls/{certs,private} most likely).
Run apachectl configtest on the proxy server.
If it validates, feel free to restart apache to apply the changes.
The client systems connecting from PUBLIC networks can successfully execute ipa-client-install as well as access the IPA WebUI.
It works for me,
I'll be happy to see your criticism if my little hack has a weak point.
Best regards
Piotr Baranowski
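The weak point Alexander named earlier in the thread is the copy of Server-Cert living outside certmonger's control: once certmonger renews the certificate on the IPA server, the copy on the mod_ssl proxy is stale until someone re-exports it. The POSIX sh script below is an added example, not code from the thread or from the FreeIPA project; it compares the certificate the proxy serves on the public name with the one IPA serves directly and warns before the expiry gap. The public name ipa.fqdn.tld and the address 10.20.30.40 are the ones used in the thread, the 30-day threshold and the monitoring-host usage are assumptions, and it needs only openssl.

```shell
#!/bin/sh
# Added example, not code from the original thread. It checks the weak point
# raised in the thread: once certmonger rotates IPA's Server-Cert, the copy
# planted on the mod_ssl proxy is stale until someone re-exports it.
# ipa.fqdn.tld and 10.20.30.40 come from the thread; everything else is assumed.
set -u

# SHA-256 fingerprint of the first PEM certificate in file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Succeeds if the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Fetch the leaf certificate that a TLS endpoint ($1 = host:port) serves for
# SNI name $2 and store it as PEM in $3. Lets the check run from a monitoring
# host that has no shell access to either server.
fetch_served_cert() {
    printf '' | openssl s_client -connect "$1" -servername "$2" 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# check_proxy_cert PROXY_PEM IPA_PEM MIN_DAYS
#   0  proxy serves the same certificate as IPA and it is not expiring
#   1  fingerprints differ: IPA's certificate was rotated, proxy copy is stale
#   2  same certificate, but it expires within MIN_DAYS: re-export before the gap
#   3  a file could not be parsed as a certificate
check_proxy_cert() {
    proxy_fp=$(cert_fingerprint "$1") || return 3
    ipa_fp=$(cert_fingerprint "$2") || return 3
    [ -n "$proxy_fp" ] && [ -n "$ipa_fp" ] || return 3
    [ "$proxy_fp" = "$ipa_fp" ] || return 1
    cert_valid_for_days "$2" "$3" || return 2
    return 0
}

# Live run (only when invoked with --live, so the file can also be sourced):
# the public name resolves to the proxy, the private address reaches IPA itself.
if [ "${1:-}" = "--live" ]; then
    work=$(mktemp -d)
    fetch_served_cert ipa.fqdn.tld:443 ipa.fqdn.tld "$work/proxy.pem"
    fetch_served_cert 10.20.30.40:443 ipa.fqdn.tld "$work/ipa.pem"
    check_proxy_cert "$work/proxy.pem" "$work/ipa.pem" 30 && rc=0 || rc=$?
    rm -rf "$work"
    case $rc in
        0) echo "OK: proxy and IPA serve the same certificate" ;;
        1) echo "STALE: IPA rotated its certificate; re-export Server-Cert to the proxy" ;;
        2) echo "EXPIRING: certificate expires within 30 days; schedule the re-export" ;;
        *) echo "ERROR: could not read one of the certificates" ;;
    esac
    exit "$rc"
fi
```

Run it from cron on a host that can reach both the public name and the private address; exit status 1 is the signal that the blackout window Alexander described has opened, and 2 is the reminder to re-run the certutil/pk12util export before it does. Comparing fingerprints rather than file contents means the check also works when the proxy copy was converted through a PKCS#12 round trip.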