One thing I noticed was that once I had set up the proxy as per the
document from Jan, I was getting access denied to /ipa until I disabled the
Kerberos authentication stuff:

# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
#  AuthType GSSAPI
#  AuthName "Kerberos Login"
#  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
#  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
#  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
#  GssapiUseS4U2Proxy on
#  Require valid-user
#  ErrorDocument 401 /ipa/errors/unauthorized.html
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
</Location>



Once that change was made, the following proxy worked:

Listen 9443

<VirtualHost *:9443>

ErrorLog /etc/httpd/logs/password-error_log
TransferLog /etc/httpd/logs/password-access_log
LogLevel debug

NSSEngine on

NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

NSSNickname Server-Cert

NSSCertificateDatabase /etc/httpd/alias

NSSProxyEngine on
NSSProxyCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

ProxyPass / https://ns01.dev.example.net/
ProxyPassReverse / https://ns01.dev.example.net/
ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
RequestHeader edit Referer ^https://password\.example\.net/ https://ns01.dev.example.net/
</VirtualHost>

I hope this helps someone down the line.

-Anthony Clark


On Mon, Jun 6, 2016 at 7:29 AM, Karl Forner <karl.for...@gmail.com> wrote:

> Thanks a lot Jan. It works perfectly, and it is crystal-clear.
> Best,
> Karl
>
> On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora <jpazdzi...@redhat.com>
> wrote:
> > On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
> >>
> >> Hope this helps. I will likely do another writeup about this setup.
> >
> > https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
> >
> > --
> > Jan Pazdziora
> > Senior Principal Software Engineer, Identity Management Engineering, Red
> Hat
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
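A note on the cipher and protocol settings in the proxy config posted above. The NSSCipherSuite / NSSProxyCipherSuite string enables RC4, HMAC-MD5 and 3DES ciphers alongside AES, and NSSProtocol allows TLSv1.0. The script below is an added example, not code from the post or from the FreeIPA project: it parses a mod_nss-style +/- cipher list, reports which enabled ciphers are weak, and emits a tightened list that keeps only the AES suites. The cipher names are the ones that appear in the post; the weakness categories (RC4, DES/3DES, MD5, NULL, export-grade, Fortezza) and the set of deprecated protocol versions are general knowledge I am supplying here, not anything the thread states. Whether your mod_nss build accepts the resulting string, and whether the FreeIPA backend still negotiates with it, is an assumption you should verify against your own version.

```python
"""Audit a mod_nss NSSCipherSuite / NSSProtocol setting for weak choices.

Added example for the Apache-in-front-of-FreeIPA thread above. Parses the
comma-separated "+cipher,-cipher" list that mod_nss uses, flags enabled
ciphers that fall into well-known weak categories, and builds a hardened
list. The posted values are embedded below as the sample input.
"""

# Cipher and protocol strings copied from the proxy config in the post.
POSTED_CIPHER_SUITE = (
    "+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,"
    "-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,"
    "+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,"
    "-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,"
    "+rsa_aes_256_sha"
)
POSTED_PROTOCOLS = "TLSv1.0,TLSv1.1,TLSv1.2"

# Substring markers in mod_nss cipher names and why each one is a problem.
# This classification is the example's own assumption, not from the post.
# HMAC-SHA1 with AES-CBC is left alone: it is dated but not broken.
WEAK_MARKERS = [
    ("rc4", "RC4 stream cipher (biased keystream, RFC 7465 prohibits it)"),
    ("_des_", "single DES (56-bit key)"),
    ("3des", "3DES (64-bit block, Sweet32)"),
    ("md5", "HMAC-MD5"),
    ("null", "NULL cipher (no confidentiality)"),
    ("_40_", "40-bit export-grade key"),
    ("_56_", "56-bit export-grade key"),
    ("rc2", "RC2"),
    ("fortezza", "Fortezza (obsolete)"),
]

# Protocol versions no longer acceptable for a public-facing endpoint.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_cipher_suite(spec):
    """Split a '+a,-b,...' list into (enabled, disabled) name lists."""
    enabled, disabled = [], []
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok[0] == "+":
            enabled.append(tok[1:])
        elif tok[0] == "-":
            disabled.append(tok[1:])
        else:
            # mod_nss requires every entry to carry an explicit +/- prefix.
            raise ValueError("cipher token without +/- prefix: %r" % tok)
    return enabled, disabled


def weak_reasons(cipher):
    """Return the list of reasons a cipher name matches a weak category."""
    name = cipher.lower()
    return [why for marker, why in WEAK_MARKERS if marker in name]


def audit_cipher_suite(spec):
    """Map each *enabled* weak cipher to its list of reasons."""
    enabled, _ = parse_cipher_suite(spec)
    return {c: weak_reasons(c) for c in enabled if weak_reasons(c)}


def hardened_cipher_suite(spec):
    """Re-emit the list with weak ciphers moved to '-', strong ones kept '+'."""
    enabled, disabled = parse_cipher_suite(spec)
    keep = [c for c in enabled if not weak_reasons(c)]
    drop = [c for c in enabled if weak_reasons(c)] + disabled
    return ",".join(["+" + c for c in keep] + ["-" + c for c in drop])


def audit_protocols(spec):
    """Return the protocol versions in an NSSProtocol value that are deprecated."""
    versions = [v.strip() for v in spec.split(",") if v.strip()]
    return [v for v in versions if v in DEPRECATED_PROTOCOLS]


if __name__ == "__main__":
    for cipher, reasons in audit_cipher_suite(POSTED_CIPHER_SUITE).items():
        print("weak cipher enabled: %-22s %s" % (cipher, "; ".join(reasons)))
    for proto in audit_protocols(POSTED_PROTOCOLS):
        print("deprecated protocol enabled: %s" % proto)
    print("suggested NSSCipherSuite " + hardened_cipher_suite(POSTED_CIPHER_SUITE))
```

Run as-is and it reports the four enabled RC4/3DES/MD5 suites and the two old TLS versions from the posted config, then prints a cipher list with only the AES suites enabled. Apply the same string to both NSSCipherSuite and NSSProxyCipherSuite, since the proxy-side list governs what the Apache front end will negotiate with the FreeIPA server behind it, and drop TLSv1.0 and TLSv1.1 from NSSProtocol if nothing in your environment still needs them.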
