[Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

Anthony Clark anthonyclarka2 at gmail.com
Tue Jun 7 15:01:12 UTC 2016


Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
do this:

<Location "/ipa">
  <If "%{HTTP_HOST} != 'password.example.net'">
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
    GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
    GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
    GssapiUseS4U2Proxy on
    Require valid-user
    ErrorDocument 401 /ipa/errors/unauthorized.html
  </If>
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
</Location>

Apologies for the post spam.

On Tue, Jun 7, 2016 at 9:50 AM, Anthony Clark <anthonyclarka2 at gmail.com>
wrote:

> One thing I noticed was that once I had set up the proxy as per the
> document from Jan, I was getting access denied to /ipa until I disabled the
> Kerberos authentication stuff:
>
> # Protect /ipa and everything below it in webspace with Apache Kerberos auth
> <Location "/ipa">
> #  AuthType GSSAPI
> #  AuthName "Kerberos Login"
> #  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
> #  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
> #  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
> #  GssapiUseS4U2Proxy on
> #  Require valid-user
> #  ErrorDocument 401 /ipa/errors/unauthorized.html
>   WSGIProcessGroup ipa
>   WSGIApplicationGroup ipa
> </Location>
>
>
>
> Once that change was made, the following proxy worked:
>
> Listen 9443
>
> <VirtualHost *:9443>
>
> ErrorLog /etc/httpd/logs/password-error_log
> TransferLog /etc/httpd/logs/password-access_log
> LogLevel debug
>
> NSSEngine on
>
> NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
> NSSNickname Server-Cert
>
> NSSCertificateDatabase /etc/httpd/alias
>
> NSSProxyEngine on
> NSSProxyCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> ProxyPass / https://ns01.dev.example.net/
> ProxyPassReverse / https://ns01.dev.example.net/
> ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
> RequestHeader edit Referer ^https://password\.example\.net/ https://ns01.dev.example.net/
> </VirtualHost>
>
> I hope this helps someone down the line.
>
> -Anthony Clark
>
>
> On Mon, Jun 6, 2016 at 7:29 AM, Karl Forner <karl.forner at gmail.com> wrote:
>
>> Thanks a lot Jan. It works perfectly, and it is crystal-clear.
>> Best,
>> Karl
>>
>> On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora <jpazdziora at redhat.com>
>> wrote:
>> > On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>> >>
>> >> Hope this helps. I will likely do another writeup about this setup.
>> >
>> >
>> > https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>> >
>> > --
>> > Jan Pazdziora
>> > Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
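An added audit check, not part of this thread or of FreeIPA: a small Python parser (hypothetical, the function and constant names are mine) that walks an httpd config fragment and reports auth directives whose enforcement is gated on a client-supplied request variable such as HTTP_HOST, the pattern used in the <If> block above, so a reviewer can see which protected locations depend on what the client sends. The two config samples are constructed from the <Location "/ipa"> block in the message.

```python
import re

# Constructed sample: the <Location "/ipa"> block from the message above, where
# the Kerberos directives apply only when the Host header is not the proxy name.
CONDITIONAL_CONFIG = """
<Location "/ipa">
  <If "%{HTTP_HOST} != 'password.example.net'">
    AuthType GSSAPI
    Require valid-user
  </If>
  WSGIProcessGroup ipa
</Location>
"""
# Constructed contrast: the same block with auth enforced unconditionally.
UNCONDITIONAL_CONFIG = """
<Location "/ipa">
  AuthType GSSAPI
  Require valid-user
  WSGIProcessGroup ipa
</Location>
"""
OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")
AUTH_DIRECTIVES = {"authtype", "require"}
# Expression variables whose value the client chooses freely on each request.
CLIENT_VARS = ("HTTP_HOST", "HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE")


def find_conditional_auth(config_text):
    """Return (location, condition, directive) for each auth directive enforced
    only inside an <If> that tests a client-supplied request variable."""
    findings = []
    stack = []  # open containers as (tag, argument), innermost last
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN_RE.match(line):
            stack.append((m.group(1).lower(), m.group(2).strip('"')))
            continue
        if m := CLOSE_RE.match(line):
            if not stack or stack[-1][0] != m.group(1).lower():
                raise ValueError(f"unbalanced container near: {line}")
            stack.pop()
            continue
        if line.split(None, 1)[0].lower() not in AUTH_DIRECTIVES:
            continue
        location = next((arg for tag, arg in stack if tag == "location"), None)
        for tag, arg in stack:
            if tag == "if" and any(v in arg for v in CLIENT_VARS):
                findings.append((location, arg, line))
    return findings
```

Run it over the full httpd.conf to list every location whose auth is conditional; an empty result for the unconditional variant shows what the hardened form looks like.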