On Wed, Jun 08, 2016 at 10:01:44AM +0200, Jan Pazdziora wrote:
> On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote:
> > Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
> > do this:
> > 
> > <Location "/ipa">
> >   <If "%{HTTP_HOST} != 'password.example.net'">
> >     AuthType GSSAPI
> This feels strange. The %{HTTP_HOST} is the value of the Host: header
> of the HTTP request. And on my setup, with httpd-2.4.18-1.fc23.x86_64
> on the proxy, the Host: header is the hostname to which the request is
> forwarded to (it would be ns01.dev.example.net in your case). After
> all, the HTTP proxy is creating completely new HTTP request.
> Could you try to minimize the setup (outside of IPA) to figure out
> why your Host: request header seems strange?

Seeing you use mod_nss on the proxy instead of mod_ssl, I've also
verified the setup with mod_nss-1.0.12-4.fc23.x86_64 on the proxy.
Still, the HTTP_HOST as seen on the FreeIPA server is the FreeIPA
server's hostname, not the proxy hostname.

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to