On Wed, Jun 08, 2016 at 10:01:44AM +0200, Jan Pazdziora wrote:
> On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote:
> > Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
> > do this:
> >
> > <Location "/ipa">
> > <If "%{HTTP_HOST} != 'password.example.net'">
> > AuthType GSSAPI
>
> This feels strange. The %{HTTP_HOST} is the value of the Host: header
> of the HTTP request. And on my setup, with httpd-2.4.18-1.fc23.x86_64
> on the proxy, the Host: header is the hostname to which the request is
> forwarded to (it would be ns01.dev.example.net in your case). After
> all, the HTTP proxy is creating completely new HTTP request.
>
> Could you try to minimize the setup (outside of IPA) to figure out
> why your Host: request header seems strange?
Seeing you use mod_nss on the proxy instead of mod_ssl, I've also
verified the setup with mod_nss-1.0.12-4.fc23.x86_64 on the proxy.
Still, the HTTP_HOST as seen on the FreeIPA server is the FreeIPA
server's hostname, not the proxy hostname.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
