On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote:
> Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
> do this:
> 
> <Location "/ipa">
>   <If "%{HTTP_HOST} != 'password.example.net'">
>     AuthType GSSAPI

This feels strange. The %{HTTP_HOST} is the value of the Host: header
of the HTTP request. And on my setup, with httpd-2.4.18-1.fc23.x86_64
on the proxy, the Host: header is the hostname to which the request is
forwarded to (it would be ns01.dev.example.net in your case). After
all, the HTTP proxy is creating completely new HTTP request.

Could you try to minimize the setup (outside of IPA) to figure out
why your Host: request header seems strange?

> > Once that change was made, the following proxy worked:
> >
> > Listen 9443
> >
> > <VirtualHost *:9443>

[...]

> > ProxyPass / https://ns01.dev.example.net/
> > ProxyPassReverse / https://ns01.dev.example.net/
> > ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
> > RequestHeader edit Referer ^https://password\.example\.net/
> > https://ns01.dev.example.net/

I would have expected this needs to be

        RequestHeader edit Referer ^https://password\.example\.net:9443/ 
https://ns01.dev.example.net/

-- with the nonstandard port specified.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to