On Wed, Jun 08, 2016 at 10:01:44AM +0200, Jan Pazdziora wrote:
> On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote:
> > Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
> > do this:
> >
> > <Location "/ipa">
> > <If "%{HTTP_HOST} != 'password.example.net'">
> > AuthType GSSAPI
>
> This feels strange. The %{HTTP_HOST} is the value of the Host: header
> of the HTTP request. And on my setup, with httpd-2.4.18-1.fc23.x86_64
> on the proxy, the Host: header is the hostname to which the request is
> forwarded to (it would be ns01.dev.example.net in your case). After
> all, the HTTP proxy is creating completely new HTTP request.
>
> Could you try to minimize the setup (outside of IPA) to figure out
> why your Host: request header seems strange?

Seeing you use mod_nss on the proxy instead of mod_ssl, I've also
verified the setup with mod_nss-1.0.12-4.fc23.x86_64 on the proxy.
Still, the HTTP_HOST as seen on the FreeIPA server is the FreeIPA
server's hostname, not the proxy hostname.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
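
Added example, not part of the original message and not FreeIPA or httpd code: a minimal setup outside IPA, of the kind suggested above, that reports which Host value a backend sees behind a reverse proxy. The loopback servers, the function names and the `preserve_host` switch are assumptions for illustration; `preserve_host=True` models a proxy that copies the client's Host header through (the behaviour of mod_proxy's `ProxyPreserveHost On`).

```python
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging
        pass
    def reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Backend(Quiet):
    """Stand-in for the server behind the proxy: echoes the Host it received."""
    def do_GET(self):
        self.reply(self.headers.get("Host", "").encode())

def proxy_handler(backend_port, preserve_host):
    class Proxy(Quiet):
        def do_GET(self):
            # A reverse proxy builds a new request to the backend. Unless it
            # copies the client's Host, http.client fills in the backend address.
            hdrs = {"Host": self.headers.get("Host", "")} if preserve_host else {}
            conn = http.client.HTTPConnection("127.0.0.1", backend_port, timeout=5)
            conn.request("GET", self.path, headers=hdrs)
            body = conn.getresponse().read()
            conn.close()
            self.reply(body)
    return Proxy

def serve(handler):
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def host_seen_by_backend(client_host, preserve_host):
    """Return (Host header the backend received, backend port)."""
    backend = serve(Backend)
    proxy = serve(proxy_handler(backend.server_address[1], preserve_host))
    try:
        conn = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
        conn.request("GET", "/ipa", headers={"Host": client_host})
        seen = conn.getresponse().read().decode()
        conn.close()
        return seen, backend.server_address[1]
    finally:
        for srv in (proxy, backend):
            srv.shutdown()
            srv.server_close()
```

Calling `host_seen_by_backend("password.example.net", False)` and then with `True` shows the two cases side by side: a condition on `%{HTTP_HOST}` evaluated at the backend only sees the client-facing name in the second case.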