One thing I noticed was that once I had set up the proxy as per the document from Jan, I was getting access denied to /ipa until I disabled the Kerberos authentication stuff:
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
#  AuthType GSSAPI
#  AuthName "Kerberos Login"
#  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
#  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
#  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
#  GssapiUseS4U2Proxy on
#  Require valid-user
#  ErrorDocument 401 /ipa/errors/unauthorized.html
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
</Location>

Once that change was made, the following proxy worked:

Listen 9443
<VirtualHost *:9443>
  ErrorLog /etc/httpd/logs/password-error_log
  TransferLog /etc/httpd/logs/password-access_log
  LogLevel debug

  NSSEngine on
  NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
  NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
  NSSNickname Server-Cert
  NSSCertificateDatabase /etc/httpd/alias

  NSSProxyEngine on
  NSSProxyCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

  ProxyPass / https://ns01.dev.example.net/
  ProxyPassReverse / https://ns01.dev.example.net/
  ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
  RequestHeader edit Referer ^https://password\.example\.net/ https://ns01.dev.example.net/
</VirtualHost>

I hope this helps someone down the line.

-Anthony Clark

On Mon, Jun 6, 2016 at 7:29 AM, Karl Forner <[email protected]> wrote:
> Thanks a lot Jan. It works perfectly, and it is crystal-clear.
> Best,
> Karl
>
> On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora <[email protected]> wrote:
> > On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
> >>
> >> Hope this helps.
> >> I will likely do another writeup about this setup.
> >>
> >> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
> >
> > --
> > Jan Pazdziora
> > Senior Principal Software Engineer, Identity Management Engineering, Red Hat
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
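Added example (not from the thread or from FreeIPA): a small Python audit of the mod_nss directives and the Referer rewrite rule in the proxy vhost above, so a reviewer can see which legacy ciphers and protocols that NSSCipherSuite/NSSProtocol pair actually leaves enabled and how the anchored RequestHeader regex behaves. The WEAK_MARKERS list is my own conservative assumption, not a mod_nss artefact.

```python
import re

# Directives copied from the proxy vhost in the message above (constructed input).
NSS_CIPHER_SUITE = (
    "+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,"
    "-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,"
    "-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,"
    "+rsa_aes_128_sha,+rsa_aes_256_sha"
)
NSS_PROTOCOL = "TLSv1.0,TLSv1.1,TLSv1.2"
REFERER_PATTERN = r"^https://password\.example\.net/"
REFERER_REPLACEMENT = "https://ns01.dev.example.net/"

# Name fragments that mark a mod_nss cipher as legacy (assumption: my own conservative
# list; the underscores keep "_56_" from matching the "256" in rsa_aes_256_sha).
WEAK_MARKERS = ("rc4", "3des", "des_", "rc2", "null", "md5", "fortezza", "_40_", "_56_")


def parse_cipher_suite(spec):
    """Split an NSSCipherSuite value into (enabled, disabled) cipher-name lists.
    mod_nss tokens are "+name" to enable and "-name" to disable; anything else is rejected."""
    enabled, disabled = [], []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if token[0] == "+":
            enabled.append(token[1:])
        elif token[0] == "-":
            disabled.append(token[1:])
        else:
            raise ValueError(f"malformed NSSCipherSuite token: {token!r}")
    return enabled, disabled


def weak_enabled_ciphers(spec):
    """Enabled ciphers carrying a legacy marker: these are what the vhost will offer."""
    enabled, _ = parse_cipher_suite(spec)
    return [name for name in enabled if any(marker in name for marker in WEAK_MARKERS)]


def legacy_protocols(spec):
    """NSSProtocol entries older than TLS 1.2."""
    return [p.strip() for p in spec.split(",") if p.strip() in ("SSLv3", "TLSv1.0", "TLSv1.1")]


def rewrite_referer(value):
    """Mirror the RequestHeader edit rule: a Referer that starts with the proxy name is
    rewritten to the backend name; one that merely contains it is left untouched."""
    return re.sub(REFERER_PATTERN, REFERER_REPLACEMENT, value, count=1)


if __name__ == "__main__":
    print("legacy ciphers offered:", weak_enabled_ciphers(NSS_CIPHER_SUITE))
    print("pre-TLS1.2 protocols:", legacy_protocols(NSS_PROTOCOL))
    print(rewrite_referer("https://password.example.net/ipa/ui/"))
```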
