<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 14/11/16 20:39, Troels Hansen wrote:<br>
    </div>
    <blockquote
      cite="mid:23084521.863767.1479116370701.JavaMail.zimbra@casalogic.dk"
      type="cite">
      <div style="font-family: arial,helvetica,sans-serif; font-size:
        12pt; color: #000000">
        <div><br>
        </div>
        <div><br>
        </div>
        <div><span id="zwchr" data-marker="__DIVIDER__">----- On Nov 14,
            2016, at 9:38 AM, Peter Fern <a class="moz-txt-link-rfc2396E" href="mailto:freeipa@0xc0dedbad.com"><freeipa@0xc0dedbad.com></a>
            wrote:<br>
          </span></div>
        <div data-marker="__QUOTED_TEXT__">
          <blockquote style="border-left: 2px solid #1010FF;
            margin-left: 5px; padding-left: 5px; color: #000;
            font-weight: normal; font-style: normal; text-decoration:
            none; font-family: Helvetica,Arial,sans-serif; font-size:
            12pt;" data-mce-style="border-left: 2px solid #1010FF;
            margin-left: 5px; padding-left: 5px; color: #000;
            font-weight: normal; font-style: normal; text-decoration:
            none; font-family: Helvetica,Arial,sans-serif; font-size:
            12pt;"><br class="moz-cite-prefix">
            <p>I'd be interested to hear from anyone who has a working
              recipe for HA/load-balancing (with HAProxy preferably). 
              Cookie rewriting is doable, but I can't see a way to
              rewrite the referrer for multiple backend hosts.</p>
          </blockquote>
          <div><br>
          </div>
          <div>One (quite hack-ish) way of doing it could be:</div>
          <div>2 apache vhosts, one pointing to one IPA server, set up
            like
            <a class="moz-txt-link-freetext" href="https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name">https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name</a></div>
          <div><br>
          </div>
          <div>
            <pre class="programlisting"># Terminate TLS for the public name here and proxy to one IPA server over TLS
SSLProxyEngine on
ProxyPass / <a class="moz-txt-link-freetext" href="https://ipa.int.example.com/">https://ipa.int.example.com/</a>
ProxyPassReverse / <a class="moz-txt-link-freetext" href="https://ipa.int.example.com/">https://ipa.int.example.com/</a>
# Cookies set by the IPA server carry its own name in Domain=; rewrite it to the
# public name so the browser sends them back through the proxy
ProxyPassReverseCookieDomain ipa.int.example.com webipa.example.com
# FreeIPA's web API checks that the Referer names the IPA server itself, so
# rewrite only a Referer that starts with the public origin (anchored regex)
RequestHeader edit Referer ^https://webipa\.example\.com/ <a class="moz-txt-link-freetext" href="https://ipa.int.example.com/">https://ipa.int.example.com/</a>
</pre>
            Then set up a second HA using HAproxy or Apache (with sticky
            session) pointing to the two Apache IPA vhosts.<br>
          </div>
          <div>Though, not quite sure what will happen if you hit a down
            IPA server, but you should be able to configure that in the
            HA...<br data-mce-bogus="1">
          </div>
        </div>
      </div>
    </blockquote>
    <p>Ah, good thought - I hadn't considered hacking the referrer on
      the Apache side.</p>
    <p>I used only the RequestHeader edit on the Apache server for each
      IPA server, since it can co-exist with direct access, and did the
      cookie rewriting on the HAProxy side, since that should only
      happen when accessed via the balancer.  Appears to be working with
      some quick testing.  Below is my HAProxy backend, in case it helps
      someone:<br>
    </p>
    <pre>backend ipa-ssl
        # Rewrite cookie domain: each IPA server sets Domain=&lt;its own name&gt;;
        # change it to the balancer's name so the browser returns the cookie here.
        # The ACL is a cheap substring pre-check, the rspirep does the edit
        # (dots escaped so the regex matches the literal host name).
        # rspirep is a HAProxy 1.x directive; 2.1 and later removed it in favour
        # of http-response replace-header.
        acl ipa1_int_cookie_dom res.hdr(Set-cookie) -m sub Domain=ipa1.int.example.com
        rspirep ^(Set-Cookie:.*)\ Domain=ipa1\.int\.example\.com(.*) \1\ Domain=ipa.example.com\2 if ipa1_int_cookie_dom
        acl ipa2_int_cookie_dom res.hdr(Set-cookie) -m sub Domain=ipa2.int.example.com
        rspirep ^(Set-Cookie:.*)\ Domain=ipa2\.int\.example\.com(.*) \1\ Domain=ipa.example.com\2 if ipa2_int_cookie_dom

        # Sticky sessions: prefix the value of the existing ipa_session cookie
        # with the server name (ipa_session=ipa1~...) so a session stays on the
        # server that issued it; HAProxy strips the prefix before forwarding.
        cookie ipa_session prefix nocache
        # TLS to the backends, verifying their certificates against the IPA CA
        server ipa1 ipa1.int.example.com:443 check cookie ipa1 ssl ca-file /etc/ipa/ca.crt
        server ipa2 ipa2.int.example.com:443 check cookie ipa2 ssl ca-file /etc/ipa/ca.crt
</pre>
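    <p>The following is an added example, not code from the thread above or from
      FreeIPA, HAProxy or Apache. It models the three header edits the two
      configurations perform (the Referer rewrite on the Apache side, the
      Set-Cookie Domain rewrite and the <code>prefix</code>-mode sticky cookie on
      the HAProxy side) as plain Python so the regexes can be checked offline
      against sample headers before deploying. The host names are the ones from
      the HAProxy backend above, the cookie value and sample headers are
      constructed, and the Python regexes are a model of what the directives do,
      not HAProxy's own matcher. The point worth checking is the edge cases: a
      Referer from any origin other than the balancer is left alone (so FreeIPA's
      Referer check still rejects it), a Domain that names neither backend is
      not rewritten, and a session cookie with an unknown or missing server
      prefix is not pinned to any server.</p>

```python
import re

# Names taken from the thread's HAProxy backend; treat them as assumptions.
BALANCER_NAME = "ipa.example.com"
BACKENDS = {"ipa1": "ipa1.int.example.com", "ipa2": "ipa2.int.example.com"}
STICKY_COOKIE = "ipa_session"   # the cookie named in 'cookie ipa_session prefix'


def rewrite_referer(headers, backend_host):
    """Model of the Apache rule each IPA server gets:
       RequestHeader edit Referer ^https://ipa\\.example\\.com/ https://<backend>/
    Only a Referer that starts with the balancer's own https origin is rewritten.
    Anything else is passed through untouched, so FreeIPA's own Referer check
    still rejects a cross-site request that merely travelled via the balancer."""
    out = dict(headers)
    ref = out.get("Referer")
    if ref is not None:
        pat = re.compile(r"^https://" + re.escape(BALANCER_NAME) + r"/")
        out["Referer"] = pat.sub("https://%s/" % backend_host, ref, count=1)
    return out


def rewrite_set_cookie(set_cookie, backend_host):
    """Model of the HAProxy rspirep for one backend: replace the cookie's Domain
    attribute (the IPA server's internal name) with the balancer's name so the
    browser sends the cookie back to the balancer. Headers that do not carry
    that Domain are returned unchanged."""
    pat = re.compile(r"^(.*)\sDomain=" + re.escape(backend_host) + r"(.*)$")
    return pat.sub(r"\1 Domain=%s\2" % BALANCER_NAME, set_cookie)


def add_sticky_prefix(set_cookie, server_id):
    """Model of 'cookie ipa_session prefix': HAProxy prepends '<server>~' to the
    value of the existing session cookie in the response so that later requests
    can be pinned to the server that issued it."""
    pat = re.compile(r"^" + re.escape(STICKY_COOKIE) + r"=")
    return pat.sub("%s=%s~" % (STICKY_COOKIE, server_id), set_cookie, count=1)


def proxy_response_headers(set_cookies, server_id):
    """Apply both response-side edits to every Set-Cookie header from a backend.
    The two edits touch different parts of the header (value vs. Domain), so
    their order does not matter."""
    host = BACKENDS[server_id]
    return [add_sticky_prefix(rewrite_set_cookie(sc, host), server_id)
            for sc in set_cookies]


def route_request(headers):
    """Pick the backend from the sticky prefix of the request's session cookie
    and strip the prefix before forwarding, as HAProxy's prefix mode does.
    Returns (server_id or None, headers to forward). An unknown or missing
    prefix yields None, i.e. the balancer falls back to normal balancing."""
    out = dict(headers)
    cookie = out.get("Cookie", "")
    m = re.search(r"(?:^|;\s*)" + re.escape(STICKY_COOKIE) + r"=([^~;]+)~", cookie)
    if not m or m.group(1) not in BACKENDS:
        return None, out
    server_id = m.group(1)
    out["Cookie"] = cookie.replace("%s=%s~" % (STICKY_COOKIE, server_id),
                                   "%s=" % STICKY_COOKIE, 1)
    return server_id, out


if __name__ == "__main__":
    # Constructed sample headers (the cookie value is made up, not a real token).
    login_resp = ["ipa_session=TOKEN123; Domain=ipa1.int.example.com; "
                  "Path=/ipa; Secure; HttpOnly"]
    print(proxy_response_headers(login_resp, "ipa1"))
    next_req = {"Cookie": "ipa_session=ipa1~TOKEN123",
                "Referer": "https://ipa.example.com/ipa/ui/"}
    server, fwd = route_request(next_req)
    print(server, rewrite_referer(fwd, BACKENDS[server]))
```

    <p>Running the script walks one login round trip: the response from ipa1
      leaves the balancer with the Domain pointing at ipa.example.com and the
      value prefixed with <code>ipa1~</code>; the browser's next request is
      routed back to ipa1 with the prefix removed, and its Referer is rewritten
      to ipa1's own name only because it started with the balancer's origin.</p>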
  </body>
</html>