[Freeipa-users] FreeIPA behind Apache Reverse Proxy and Load Balancer

Simo Sorce simo at redhat.com
Mon Nov 28 12:03:13 UTC 2016


On Sat, 2016-11-26 at 23:18 +0530, deepak dimri wrote:
> Hi All,
> 
> I want to configure an Apache reverse proxy to load balance/failover between
> two IPA servers. I have referred to
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
> to configure the reverse proxy and it all works fine with one IPA server, but I
> want to load balance across two IPA servers using the Proxy Balancer module.
> What should be the configuration for RequestHeader edit Referer with Proxy
> Balancer? In another thread,
> https://www.mail-archive.com/freeipa-users@redhat.com/msg24644.html, Peter
> has mentioned cookie rewriting or 2 VHs and I will try the VH option. But it
> would really help and save me time if someone can share a full working
> configuration. I tried the configuration below but it's failing at RequestHeader
> edit Referer.
> 
> <VirtualHost *:443>
>         <Proxy balancer://ipacluster>
>         # IPA Server 1
>                 BalancerMember https://ipa1.int.com/
>         # IPA Server 2
>                 BalancerMember https://ipa2.int.com/
>         </Proxy>
>         SSLEngine On
>         SSLProxyEngine On
>         LogLevel debug
>         SSLCertificateFile /etc/apache2/ssl/apache.crt
>         SSLCertificateKeyFile /etc/apache2/ssl/apache.key
>         ProxyRequests off
>         ProxyPass / balancer://ipacluster/
>         ProxyPassReverse / balancer://ipacluster/
>         ProxyPassReverseCookieDomain ipa1.int.com ipa.ext.com
>         RequestHeader edit Referer ^https://ipa\.ext\.com/ https://ipa1.int.com/
>         ProxyPassReverseCookieDomain ipa2.int.com ipa.ext.com
>         RequestHeader edit Referer ^https://ipa\.ext\.com/ https://ipa2.int.com/
> </VirtualHost>

Changing the Referer is not sufficient: if you use a different name, then
Kerberos authentication will fail. You'd have to create a new key for
the new name and distribute it to both servers' HTTP keytabs so they can
decrypt incoming requests.
However, your load balancer then also needs to stick with one server for
all requests coming from the same client, because we use session cookies
to maintain authentication and we do not share them between servers.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
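One way to give the balancer from the quoted config the per-client stickiness the reply asks for, using mod_proxy_balancer's documented route-cookie pattern. This is an added example, not configuration from the thread or from the FreeIPA project; the ROUTEID cookie name, the route ids and the CA file path are assumptions, and the shared HTTP/ipa.ext.com key in both servers' keytabs is still required on top of it.

```apache
# Added example: sticky balancing for two FreeIPA backends behind one proxy name.
# Assumes mod_ssl, mod_proxy, mod_proxy_balancer, mod_lbmethod_byrequests and
# mod_headers are loaded.
<VirtualHost *:443>
    ServerName ipa.ext.com
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

    # Verify the backends' certificates rather than proxying to them blind.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/ipa-ca.crt   # IPA CA cert; path is an assumption

    ProxyRequests Off

    # Each member carries a route id. The balancer pins a client to the member
    # named in its ROUTEID cookie, so the IPA session cookie keeps reaching the
    # server that issued it (sessions are not shared between IPA servers).
    <Proxy "balancer://ipacluster">
        BalancerMember "https://ipa1.int.com" route=ipa1
        BalancerMember "https://ipa2.int.com" route=ipa2
        ProxySet stickysession=ROUTEID
        ProxySet lbmethod=byrequests
    </Proxy>

    # Set the routing cookie when a client is first assigned a member, or
    # re-assigned after a member failed; the value is ".<route>" as
    # stickysession expects. HTTPS only, so mark it Secure and HttpOnly.
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/; Secure; HttpOnly" env=BALANCER_ROUTE_CHANGED

    ProxyPass        "/" "balancer://ipacluster/"
    ProxyPassReverse "/" "balancer://ipacluster/"

    # Cookie-domain rewriting as in the quoted post still applies.
    ProxyPassReverseCookieDomain ipa1.int.com ipa.ext.com
    ProxyPassReverseCookieDomain ipa2.int.com ipa.ext.com
</VirtualHost>
```

The `RequestHeader edit Referer` rewrite from the post is left out here because a single edit can only rewrite to one backend name; the two-VirtualHost approach mentioned in the post is the usual way to keep a per-backend Referer.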
