I am trying to configure the FreeIPA web interface to work behind my HAProxy instance. I found an old GitHub Gist for the configuration (https://gist.github.com/m4ce/d081ab39654c3e13bbe8b150986526a3) as well as a Medium article (https://medium.com/@michalmedvecky/running-freeipa-behind-haproxy-77620736698e), but in both cases they make use of the rspirep command, something which is no longer supported in HAProxy. So far I have got this:

    balance roundrobin
    # Set cookie to ensure same server is used
    cookie SERVERID insert indirect nocache httponly secure
    # Modify headers
    http-request set-header Referer https://1.ipa.example.com/ipa
    # Set cookies domain
    acl hdr_set_cookie_dom_1 res.hdr(Set-cookie) -m sub Domain= 1.ipa.example.com
    http-response replace-header Set-Cookie ^Domain=1\.ipa\.example\.com(.*)$ Domain=authenticate\.example\.com\1 if hdr_set_cookie_dom_1
    server 1.ipa 1.ipa.example.com:443 check ssl verify none cookie 1

But this just results in the client being redirected from authenticate.example.com to 1.ipa.example.com.
Does anyone have a more up to date guide on how to configure this or any ideas on what might be causing the issues?
Best Answer
FreeIPA does not support running behind HA proxy, whatever product you'd use for that. I'd suggest you read https://ssimo.org/blog/id_019.html for basic technical details to understand why it is not supported.