0

I am trying to configure the FreeIPA web interface to work behind my HAProxy instance. I found an old GitHub Gist for the configuration (https://gist.github.com/m4ce/d081ab39654c3e13bbe8b150986526a3) as well as a medium article (https://medium.com/@michalmedvecky/running-freeipa-behind-haproxy-77620736698e) but in both cases they make use of the rspirep command, something which is no longer supported in HAProxy. So far I have got this:

        balance roundrobin
        # Set cookie to ensure same server is used
        cookie SERVERID insert indirect nocache httponly secure

        # Modify headers
        http-request set-header Referer https://1.ipa.example.com/ipa

        # Set cookies domain
        acl hdr_set_cookie_dom_1 res.hdr(Set-cookie) -m sub Domain= 1.ipa.example.com
        http-response replace-header  Set-Cookie ^Domain=1\.ipa\.example\.com(.*)$  Domain=authenticate\.example\.com\1 if hdr_set_cookie_dom_1

        server 1.ipa 1.ipa.example.com:443 check ssl verify none cookie 1

But this just results in the client being redirected from authenticate.example.com to 1.ipa.example.com.

Does anyone have a more up to date guide on how to configure this or any ideas on what might be causing the issues?

Computroniks
  • 3
  • 2

1 Answers1

1

FreeIPA does not support running behind HA proxy, whatever product you'd use for that. I'd suggest you to read https://ssimo.org/blog/id_019.html for basic technical details to understand why is it not supported.

abbra
  • 1,025
  • 5
  • 8
  • I am not trying to run the entire system behind a reverse proxy, just the web interface (i.e port 80 and 443). This article https://www.adelton.com/freeipa/freeipa-behind-load-balancer and this one https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name#front-end-proxy both seem to indicate that it is possible and the site is linked to from the FreeIPA docs page – Computroniks Apr 09 '22 at 19:56
  • As I said, these configurations are not supported. There is no guarantee for changes to survive upgrades, for example. Also, those articles do not detail with the Kerberos principals, as I pointed out. – abbra Apr 11 '22 at 04:01
  • Please note that there is no 'just the web interface' in case of FreeIPA. The whole thing is part of IPA API which is only accessible through Kerberos. Enrolling IPA clients is done through the same end-points that Web UI uses for its operation. This means your IPA client enrollment process will have to deal with it the same way. It is much larger scope than what you seem to realize here. – abbra Apr 11 '22 at 06:28
  • I understand that part. For the clients on the computers and servers I will still use the direct access to the FreeIPA server, it is just for end users accessing the web interface to change a password or details, I don't want them to use the long hostname of the server, rather a shorted one such as ipa.example.com. – Computroniks Apr 11 '22 at 19:36
  • If you want to provide a service to users, I'd suggest you to deploy something like Noggin (Fedora Accounts service) in a separate location instead. https://github.com/fedora-infra/noggin – abbra Apr 12 '22 at 13:12