Re: [Freeipa-users] FreeIPA behind Apache Reverse Proxy and Load Balancer

2016-12-08 Thread Simo Sorce
On Thu, 2016-12-08 at 12:37 +, Klíma David wrote:
> Hi Simo, I think this is not true, because part of the IPA web UI is
> also the IPA JSON API - and there is a problem with load balancing, as
> you can see there
> https://www.redhat.com/archives/freeipa-users/2016-October/msg00223.html.

Sorry David,
it is not clear to me what you are objecting to; please be more specific
or quote the specific part of my previous reply that you find
questionable.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA behind Apache Reverse Proxy and Load Balancer

2016-12-08 Thread Klíma David
Hi Simo, I think this is not true, because part of the IPA web UI is also the
IPA JSON API - and there is a problem with load balancing, as you can see there
https://www.redhat.com/archives/freeipa-users/2016-October/msg00223.html.

David



Re: [Freeipa-users] FreeIPA behind Apache Reverse Proxy and Load Balancer

2016-11-28 Thread Simo Sorce
On Sat, 2016-11-26 at 23:18 +0530, deepak dimri wrote:
> Hi All,
> 
> I want to configure Apache reverse proxy to load balance/failover between
> two IPA servers. I have referred to
> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
> to configure reverse proxy and it all works fine with one IPA server but I
> want to load balance across two IPA servers using Proxy Balancer module.
> What should be the configuration for RequestHeader edit Referer with Proxy
> balancer? In another thread,
> https://www.mail-archive.com/freeipa-users@redhat.com/msg24644.html,
> Peter has mentioned cookie rewriting or 2 VHs and I will try VH option. But
> it will really help and will save my time if someone can share full working
> configuration. I tried below configuration but it's failing at RequestHeader
> edit Referer.
> 
> 
> 
> # IPA Server 1
> BalancerMember https://ipa1.int.com/
> # IPA Server 2
> BalancerMember https://ipa2.int.com/
> 
> SSLEngine On
> SSLProxyEngine On
> LogLevel debug
> SSLCertificateFile /etc/apache2/ssl/apache.crt
> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
> ProxyRequests off
> ProxyPass / balancer://ipacluster/
> ProxyPassReverse / balancer://ipacluster/
> ProxyPassReverseCookieDomain ipa1.int.com ipa.ext.com
> RequestHeader edit Referer ^https://ipa\.ext\.com/ https://ipa1.int.com/
> ProxyPassReverseCookieDomain ipa2.int.com ipa.ext.com
> RequestHeader edit Referer ^https://ipa\.ext\.com/ https://ipa2.int.com/
> 
> 

Changing the referer is not sufficient; if you use a different name then
Kerberos authentication will fail. You'd have to create a new key for
the new name and distribute it to both servers' HTTP keytabs so they can
decrypt incoming requests.
However, your load balancer then also needs to stick with one server for
all requests coming from the same client, because we use session cookies
to maintain authentication and we do not share them between servers.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
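
The session-affinity requirement from the reply above, shown as an added example that is not part of the original thread or of the FreeIPA project's configuration. It covers only the "stick with one server" point, not the Kerberos key or the Referer rewrite; the cookie name ROUTEID and the route values 1 and 2 are assumptions, and the host names are the ones from the question.

```apache
# Added example: sticky sessions for the two IPA backends named in the thread.
# Goes inside the TLS virtual host that serves ipa.ext.com.
# Needs mod_proxy, mod_proxy_http, mod_proxy_balancer,
# mod_lbmethod_byrequests, mod_headers and mod_ssl.

SSLProxyEngine On
ProxyRequests Off

# Set the routing cookie only when the balancer picked (or changed) the
# backend for this client; it records which member served the request.
# ROUTEID is an assumed cookie name.
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/; Secure; HttpOnly" env=BALANCER_ROUTE_CHANGED

<Proxy "balancer://ipacluster">
    # IPA Server 1 (route value is an assumed label)
    BalancerMember "https://ipa1.int.com" route=1
    # IPA Server 2 (route value is an assumed label)
    BalancerMember "https://ipa2.int.com" route=2
    # Requests carrying ROUTEID=.<route> go back to the same member, so the
    # IPA session cookie issued by that server is always presented to it.
    ProxySet stickysession=ROUTEID
</Proxy>

ProxyPass        "/" "balancer://ipacluster/"
ProxyPassReverse "/" "balancer://ipacluster/"
```

If the pinned member goes down, the balancer routes the client to the other server, which does not know the old session, so the client has to authenticate again.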



[Freeipa-users] FreeIPA behind Apache Reverse Proxy and Load Balancer

2016-11-26 Thread deepak dimri
Hi All,

I want to configure Apache reverse proxy to load balance/failover between
two IPA servers. I have referred to
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
to configure reverse proxy and it all works fine with one IPA server but I
want to load balance across two IPA servers using Proxy Balancer module.
What should be the configuration for RequestHeader edit Referer with Proxy
balancer? In another thread,
https://www.mail-archive.com/freeipa-users@redhat.com/msg24644.html,
Peter has mentioned cookie rewriting or 2 VHs and I will try VH option. But
it will really help and will save my time if someone can share full working
configuration. I tried below configuration but it's failing at RequestHeader
edit Referer.



# IPA Server 1
BalancerMember https://ipa1.int.com/
# IPA Server 2
BalancerMember https://ipa2.int.com/

SSLEngine On
SSLProxyEngine On
LogLevel debug
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ProxyRequests off
ProxyPass / balancer://ipacluster/
ProxyPassReverse / balancer://ipacluster/
ProxyPassReverseCookieDomain ipa1.int.com ipa.ext.com
RequestHeader edit Referer ^https://ipa\.ext\.com/ https://ipa1.int.com/
ProxyPassReverseCookieDomain ipa2.int.com ipa.ext.com
RequestHeader edit Referer ^https://ipa\.ext\.com/ https://ipa2.int.com/




Many Thanks,
Deepak