Re: [Freeipa-users] IPA rewrite conf
On Mon, Nov 28, 2016 at 03:09:51PM +, Deepak Dimri wrote: > Hi Jan, sorry to ask but where exactly i can modify the referer with > RequestHeader on IPA Server? > I've now described the load-balancing setup for WebUI with FreeIPA replicas at https://www.adelton.com/freeipa/freeipa-behind-load-balancer Hope this helps, -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA rewrite conf
Hi Jan, sorry to ask but where exactly i can modify the referer with RequestHeader on IPA Server? Many Thanks, Deepak From: Jan Pazdziora <jpazdzi...@redhat.com> Sent: Monday, November 28, 2016 8:09 AM To: Deepak Dimri Cc: deepak dimri; freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA rewrite conf On Mon, Nov 28, 2016 at 11:25:30AM +, Deepak Dimri wrote: > Hi Jan, Thanks for your reply. Sorry for the typo its AWS ELB. > > > I have seen the link you shared below. My issue is that i want my IPA > servers in Failover/Load Balancing mode and when i add another IPA server > using Proxy balancer i believe ProxyPassReverseCookieDomain and > RequestHeader edit Referer directives does not work for me. Basically I am > trying to make the balancer to work with below configuration but its failing > at the ProxyPassReverseCookieDomain and RequestHeader edit Referer directives > level: > What error do you get when it fails? > > > # IPA Server 1 > BalancerMember https://ipa1.int.example.com/ > # IPA Server 2 > BalancerMember https://ipa2.int.example.com/ > > SSLProxyEngine on > ProxyPass / balancer://ipacluster/ > ProxyPassReverse / balancer://ipacluster/ > ProxyPassReverseCookieDomain ipa1.int.example.com webipa.example.com > RequestHeader edit Referer ^https://webipa\.example\.com/ > https://ipa1.int.example.com/ > ProxyPassReverseCookieDomain ipa2.int.example.com webipa.example.com > RequestHeader edit Referer ^https://webipa\.example\.com/ > https://ipa2.int.example.com/ > > > I am not sure how ProxyPassReverseCookieDomain and RequestHeader edit Referer > can be configured in this scenario along with Proxy balancer? I don't see why ProxyPassReverseCookieDomain should fail. With RequestHeader, I suspect only one change will be done because after the first change, the value of the Referer header already contains name of one of the replicas. Could you try modifying the Referer with the RequestHeader directly on the IPA server, instead of on the balancer machine? On the IPA server, you already know what name you want to set it to. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA rewrite conf
On Mon, Nov 28, 2016 at 11:25:30AM +, Deepak Dimri wrote: > Hi Jan, Thanks for your reply. Sorry for the typo its AWS ELB. > > > I have seen the link you shared below. My issue is that i want my IPA > servers in Failover/Load Balancing mode and when i add another IPA server > using Proxy balancer i believe ProxyPassReverseCookieDomain and > RequestHeader edit Referer directives does not work for me. Basically I am > trying to make the balancer to work with below configuration but its failing > at the ProxyPassReverseCookieDomain and RequestHeader edit Referer directives > level: > What error do you get when it fails? > > > # IPA Server 1 > BalancerMember https://ipa1.int.example.com/ > # IPA Server 2 > BalancerMember https://ipa2.int.example.com/ > > SSLProxyEngine on > ProxyPass / balancer://ipacluster/ > ProxyPassReverse / balancer://ipacluster/ > ProxyPassReverseCookieDomain ipa1.int.example.com webipa.example.com > RequestHeader edit Referer ^https://webipa\.example\.com/ > https://ipa1.int.example.com/ > ProxyPassReverseCookieDomain ipa2.int.example.com webipa.example.com > RequestHeader edit Referer ^https://webipa\.example\.com/ > https://ipa2.int.example.com/ > > > I am not sure how ProxyPassReverseCookieDomain and RequestHeader edit Referer > can be configured in this scenario along with Proxy balancer? I don't see why ProxyPassReverseCookieDomain should fail. With RequestHeader, I suspect only one change will be done because after the first change, the value of the Referer header already contains name of one of the replicas. Could you try modifying the Referer with the RequestHeader directly on the IPA server, instead of on the balancer machine? On the IPA server, you already know what name you want to set it to. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA rewrite conf
Hi Jan, Thanks for your reply. Sorry for the typo its AWS ELB. I have seen the link you shared below. My issue is that i want my IPA servers in Failover/Load Balancing mode and when i add another IPA server using Proxy balancer i believe ProxyPassReverseCookieDomain and RequestHeader edit Referer directives does not work for me. Basically I am trying to make the balancer to work with below configuration but its failing at the ProxyPassReverseCookieDomain and RequestHeader edit Referer directives level: # IPA Server 1 BalancerMember https://ipa1.int.example.com/ # IPA Server 2 BalancerMember https://ipa2.int.example.com/ SSLProxyEngine on ProxyPass / balancer://ipacluster/ ProxyPassReverse / balancer://ipacluster/ ProxyPassReverseCookieDomain ipa1.int.example.com webipa.example.com RequestHeader edit Referer ^https://webipa\.example\.com/ https://ipa1.int.example.com/ ProxyPassReverseCookieDomain ipa2.int.example.com webipa.example.com RequestHeader edit Referer ^https://webipa\.example\.com/ https://ipa2.int.example.com/ I am not sure how ProxyPassReverseCookieDomain and RequestHeader edit Referer can be configured in this scenario along with Proxy balancer? Regards, Deepak From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Jan Pazdziora <jpazdzi...@redhat.com> Sent: Monday, November 28, 2016 3:04 AM To: deepak dimri Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA rewrite conf On Sun, Nov 27, 2016 at 01:06:36PM +0530, deepak dimri wrote: > Hi All, > > I am posting my issue here with an hope that i get a response. > > I have WS ELB configured to connect to FreeIPA servers on Ubuntu. My > FreeIPA servers are in private subnets. I am able to access my test > index.html page deployed on the FreeIPA server by hitting https:// url>/index.html. However when i try IPA UI https:///ipa/ui then i > am getting redirected to my internal IPA address which then resulting to > "site cannot be reached" error. I am wondering if i have an option of > tweaking my /usr/share/ipa/ipa-rewrite.conf file so that i can access IPA > UI using external ELB URL? > > Would appreciate if some one can give some pointers I don't know what WS ELB is but maybe https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name can get you started? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] IPA rewrite conf with AWS ELB
Hi All, I am posting my issue here with an hope that i get a response. I have AWS ELB configured to connect to FreeIPA servers on Ubuntu. My FreeIPA servers are in private subnets. I am able to access my test index.html page deployed on the FreeIPA server by hitting https:///index.html. However when i try IPA UI https:///ipa/ui then i am getting redirected to my internal IPA address which then resulting to "site cannot be reached" error. I am wondering if i have an option of tweaking my /etc/httpd/conf.d/ipa-rewrite.conf file so that i can access IPA UI using external ELB URL? I see ipa-rewrite.conf is hardcoded with my internal IPA server URLs. Would appreciate if some one can give some pointers Thanks, Deepak -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] IPA rewrite conf
Hi All, I am posting my issue here with an hope that i get a response. I have WS ELB configured to connect to FreeIPA servers on Ubuntu. My FreeIPA servers are in private subnets. I am able to access my test index.html page deployed on the FreeIPA server by hitting https:///index.html. However when i try IPA UI https:///ipa/ui then i am getting redirected to my internal IPA address which then resulting to "site cannot be reached" error. I am wondering if i have an option of tweaking my /usr/share/ipa/ipa-rewrite.conf file so that i can access IPA UI using external ELB URL? Would appreciate if some one can give some pointers Thanks, Deepak -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project