[Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy

Piotr Baranowski piotr.baranowski at osec.pl
Wed Jun 17 18:59:30 UTC 2015


----- On 17 Jun 2015 at 16:45, Piotr Baranowski piotr.baranowski at osec.pl wrote:

> ----- On 17 Jun 2015 at 16:21, Alexander Bokovoy abokovoy at redhat.com wrote:
> 
>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>>----- On 17 Jun 2015 at 15:51, Alexander Bokovoy abokovoy at redhat.com wrote:
>>>
>>>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>>>>----- Original message -----
>>>>>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>>>>>> So you have two different certificates in use here and your client
>>>>>> doesn't know about the other certificate (from your proxy). You need
>>>>>> either to deliver that certificate to the client by yourself or change
>>>>>> your proxying technology to something different.
>>>>>>
>>>>>> For example, you can use sniproxy which doesn't require in-the-middle
>>>>>> certificate. https://github.com/dlundquist/sniproxy
>>>>>
>>>>>Thanks for that hint. I'll have a look at that.
>>>>>
>>>>>However, I have an idea:
>>>>>If I could export ipa's mod_nss cert+key and then use them on my proxy running
>>>>>mod_ssl that probably could solve the issue.
>>>>>
>>>>>Right?
>>>> Sort of. Now you would have an issue of maintaining the certificate in
>>>> multiple locations which would make rotation of it "interesting", so to
>>>> say.
>>>
>>>Those would be only TWO certificates to manage. What's the challenge here?
>> FreeIPA uses certmonger to rotate certificates when time approaches
>> their expiration. Certmonger requests a new certificate from the CA. In
>> case you copied the certificate to some other server, you would need to
>> manually maintain the other copy and there will be a period when IPA
>> webserver's certificate would already be rotated but yours isn't.
>> 
>> Setting certmonger to rotate the same certificate from two locations
>> wouldn't work.
>> 
>> I'm not saying it is hard, just that you should know what you are
>> dealing with and accept a window of blackout.
> 
> Good to know that.
> Thanks for the heads-up.
> 
> I already exported the IPA CA cert, Server-Cert cert/key.
> I'll have to wait until a maintenance window before I reload my apache.
> 
> Will keep you posted if that solved the problem.

So, the challenge was really not that difficult. I guess some of you may want to know how to do that and what the benefits are.

So firstly your ipa can be nicely hidden in the DMZ and its access can be nicely controlled/proxied (mod_security anyone???)

As I mentioned in the original email, tcp/udp traffic to IPA is DNATed using firewalld.
The http/https traffic is proxied using mod_proxy/mod_ssl

First part can be achieved on CentOS7.1/RHEL 7.1 like this: (assuming PUBLIC is your external network and 10.20.30.40 is the IP of IPA Server)

 firewall-cmd --zone=public --add-forward-port=port=389:proto=tcp:toaddr=10.20.30.40
 firewall-cmd --zone=public --add-forward-port=port=636:proto=tcp:toaddr=10.20.30.40
 firewall-cmd --zone=public --add-forward-port=port=53:proto=tcp:toaddr=10.20.30.40
 firewall-cmd --zone=public --add-forward-port=port=53:proto=udp:toaddr=10.20.30.40
 firewall-cmd --zone=public --add-forward-port=port=123:proto=udp:toaddr=10.20.30.40
 firewall-cmd --zone=public --add-forward-port=port=88:proto=udp:toaddr=10.20.30.40
 firewall-cmd --zone=public --add-forward-port=port=88:proto=tcp:toaddr=10.20.30.40
 firewall-cmd --zone=public --add-forward-port=port=464:proto=tcp:toaddr=10.20.30.40
 firewall-cmd --zone=public --add-forward-port=port=464:proto=udp:toaddr=10.20.30.40

If, like in my case, your perimeter server acts as an actual webserver and needs to proxy the http/https requests, you may set up a name-based vhost to pass traffic to the target ipa server.

<VirtualHost *:80>
   ProxyPreserveHost On
   ProxyRequests Off
   ProxyPass / http://10.20.30.40/ timeout=300 keepalive=On
   ServerName ipa.fqdn.tld
</VirtualHost>

<VirtualHost *:443>
   SSLEngine On
   SSLProxyEngine On
   SSLCertificateFile /etc/pki/tls/certs/freeipa.crt
   SSLCertificateKeyFile /etc/pki/tls/private/freeipa.key
   SSLCACertificateFile /etc/pki/tls/certs/freeipa-ca.crt
   ProxyPreserveHost On
   ProxyRequests Off
   ProxyPass / https://10.20.30.40/ timeout=300 keepalive=On
   ServerName ipa.fqdn.tld
</VirtualHost>

The actual IPA uses NSS (mod_nss) while the proxy server runs using mod_ssl.

It is necessary to extract CA cert, server key and server crt from IPA and plant them on the proxy host.

First check the nicknames of the certs in the NSS database:
 certutil -L -d /etc/httpd/alias/

Extract IPA Server Cert:
 certutil -L -d /etc/httpd/alias/ -a -n 'Server-Cert' > ipa.crt

Extract IPA Server private key:
 pk12util -o ipakey.p12 -n 'Server-Cert' -d /etc/httpd/alias/ 

Extract IPA CA cert:
 certutil -L -d /etc/httpd/alias/ -a -n 'YOURREALM.TLD IPA CA' > ipa-ca.crt

Convert Private key:
 openssl pkcs12 -in ipakey.p12 -out ipa.key -nodes

Transfer files to appropriate locations on the proxy server (/etc/pki/tls/{certs,private} most likely)

Run apachectl configtest on the proxy server.
If it validates, feel free to restart apache to apply the changes.

The client systems connecting from PUBLIC networks can successfully execute ipa-client-install as well as access the IPA WebUI.

It works for me, 
I'll be happy to see your criticism if my little hack has a weak point.

Best regards
Piotr Baranowski
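
The caveat raised earlier in this thread is that certmonger renews the IPA web server's certificate while the copy planted on the proxy stays as it was. The following check is an added example, not part of the original post or of FreeIPA: it compares the proxy's copy with the certificate the backend presents and flags a key file that group or others can access. The paths and address are the ones from the vhost above; the function names are hypothetical.

```python
import base64, hashlib, os, re, ssl, stat, sys

# Paths and backend address as used in the vhost configuration in the post.
PROXY_CERT = "/etc/pki/tls/certs/freeipa.crt"
PROXY_KEY = "/etc/pki/tls/private/freeipa.key"
IPA_BACKEND = ("10.20.30.40", 443)

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def first_cert_sha256(pem_text):
    """SHA-256 of the first certificate in pem_text, ignoring any
    'Bag Attributes' lines that openssl pkcs12 writes around it."""
    m = PEM_CERT.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def cert_drifted(proxy_pem, backend_pem):
    """True when the proxy's copy is no longer the certificate the IPA
    web server presents, e.g. after certmonger renewed it."""
    return first_cert_sha256(proxy_pem) != first_cert_sha256(backend_pem)

def key_mode_too_open(path):
    """True if group or others have any access to the unencrypted key."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def check(cert_path=PROXY_CERT, key_path=PROXY_KEY, backend=IPA_BACKEND):
    """Return a list of findings; an empty list means the copy is in sync."""
    findings = []
    with open(cert_path) as fh:
        proxy_pem = fh.read()
    # Fetches the leaf certificate without validating it; it is only compared.
    backend_pem = ssl.get_server_certificate(backend)
    if cert_drifted(proxy_pem, backend_pem):
        findings.append("proxy certificate differs from IPA backend")
    if key_mode_too_open(key_path):
        findings.append("private key accessible by group/others")
    return findings

if __name__ == "__main__":
    problems = check()
    for p in problems:
        print("WARNING:", p)
    sys.exit(1 if problems else 0)
```

Run from cron on the proxy host, a non-zero exit status signals that the exported certificate and key need to be refreshed from the IPA server.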
