[Freeipa-users] IPA rewrite conf

Jan Pazdziora jpazdziora at redhat.com
Mon Nov 28 13:09:16 UTC 2016


On Mon, Nov 28, 2016 at 11:25:30AM +0000, Deepak Dimri wrote:
> Hi Jan, Thanks for your reply. Sorry for the typo, it's AWS ELB.
> 
> 
> I have seen the link you shared below. My issue is that I want my IPA servers in Failover/Load Balancing mode and when I add another IPA server using Proxy balancer I believe the ProxyPassReverseCookieDomain and RequestHeader edit Referer directives do not work for me. Basically I am trying to make the balancer work with the below configuration but it's failing at the ProxyPassReverseCookieDomain and RequestHeader edit Referer directives level:
> 

What error do you get when it fails?

> <VirtualHost _default_:443>
> <Proxy balancer://ipacluster>
> # IPA Server 1
> BalancerMember https://ipa1.int.example.com/
> # IPA Server 2
> BalancerMember https://ipa2.int.example.com/
> </Proxy>
> SSLProxyEngine on
> ProxyPass / balancer://ipacluster/
> ProxyPassReverse / balancer://ipacluster/
> ProxyPassReverseCookieDomain ipa1.int.example.com webipa.example.com
> RequestHeader edit Referer ^https://webipa\.example\.com/ https://ipa1.int.example.com/
> ProxyPassReverseCookieDomain ipa2.int.example.com webipa.example.com
> RequestHeader edit Referer ^https://webipa\.example\.com/ https://ipa2.int.example.com/
> </VirtualHost>
> 
> I am not sure how ProxyPassReverseCookieDomain and RequestHeader edit Referer can be configured in this scenario along with Proxy balancer?

I don't see why ProxyPassReverseCookieDomain should fail.

With RequestHeader, I suspect only one change will be done because
after the first change, the value of the Referer header already
contains the name of one of the replicas.

Could you try modifying the Referer with the RequestHeader directly
on the IPA server, instead of on the balancer machine? On the IPA
server, you already know what name you want to set it to.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
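
The ordering effect discussed in this message, as an added example that is not part of the original thread: a small Python model of the two "RequestHeader edit Referer" rules from the quoted balancer vhost, compared with one rule per replica. The helper names, the sample Referer value and the per-replica rule are assumptions made for illustration.

```python
import re

# Constructed model of the two Referer edits from the balancer vhost quoted above.
BALANCER_EDITS = [
    (r"^https://webipa\.example\.com/", "https://ipa1.int.example.com/"),
    (r"^https://webipa\.example\.com/", "https://ipa2.int.example.com/"),
]

def apply_edits(referer, edits):
    """Apply 'RequestHeader edit'-style rules in configuration order.

    Each rule replaces at most one match, like the `edit` form (not `edit*`).
    """
    for pattern, replacement in edits:
        referer = re.sub(pattern, replacement, referer, count=1)
    return referer

def replica_edits(own_name):
    """Hypothetical per-replica rule: each IPA server rewrites to its own name."""
    return [(r"^https://webipa\.example\.com/", f"https://{own_name}/")]

def referer_seen_by(backend, on_balancer):
    """Referer value that the selected backend ends up evaluating."""
    client_referer = "https://webipa.example.com/ipa/ui/"  # constructed sample
    if on_balancer:
        # Both rules run on every request, whichever member is selected.
        return apply_edits(client_referer, BALANCER_EDITS)
    return apply_edits(client_referer, replica_edits(backend))

if __name__ == "__main__":
    for backend in ("ipa1.int.example.com", "ipa2.int.example.com"):
        for on_balancer in (True, False):
            where = "balancer" if on_balancer else "replica"
            seen = referer_seen_by(backend, on_balancer)
            print(f"{backend:22} edit on {where:8} -> {seen}")
```

With the edits on the balancer, a request sent to ipa2 still carries a Referer naming ipa1, because the second pattern no longer matches after the first substitution.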



