01.08.2022

Multiple FreeIPA hosts for HTTP proxy: configuring HAProxy 2+

server one

The path of an engineer in telecom often starts with working in technical support. If you want to develop newcomers into top-notch specialists, you need to give them the opportunity to work on tasks beyond the scope of their duties. We try to help eager young colleagues in their development — it's been one of HOSTKEY's main principles since its foundation. This article is about FreeIPA administration panel proxying through HAProxy, and was written by our technical support engineer, Alexander Tryapkin.

HOSTKEY
Rent dedicated and virtual servers with instant deployment in reliable TIER III class data centers in the Netherlands and the USA. Free protection against DDoS attacks included, and your server will be ready for work in as little as 15 minutes. 24/7 Customer Support.

Problem

We have three FreeIPA administrative panel hosts (freeipa01.inside.mydomain.ru, freeipa02.inside.mydomain.ru and freeipa03.inside.mydomain.ru). We needed to provide access to them by one domain name: freeipa.mydomain.ru. Despite the seeming simplicity of the task, we had to work hard to solve it, because there were no ready-made recipes for HAProxy version 2.0 and higher on the internet.

Each FreeIPA installation is bound to a different domain name, which means that we will need to edit the headers of incoming and outgoing HTTP requests. The self-service portal must be closed with a valid certificate, and the FreeIPA hosts running on the backend must not be modified so as not to affect client-server communication through the API.

Older versions of HAProxy (1+) used the reqrep/rsprep method to edit HTTP headers. There are instructions on the web for setting up HAProxy and FreeIPA using this method, but in version 2.0 it was marked as deprecated, and in version 2.1 it was removed entirely. Instead of rsprep, we will use the http-response method.

Solution

First, we need to edit the default HAProxy configuration file. There are four sections: global, defaults, frontend and backend. We won't touch the first two (the standard values are enough), but we will describe frontend and backend in detail:

#frontend section
frontend main 
	bind :80
	redirect scheme https code 301 if !{ ssl_fc } # redirect to https frontend main_ssl
	bind :443 ssl crt /etc/haproxy/ssl/ # use certificates from the directory
	use_backend freeipa if { ssl_fc_sni freeipa.mydomain.ru } # if freeipa.mydomain.ru is accessed, use FreeIPA backend
#backend section
backend freeipa
	mode http
	balance roundrobin # distribute the load across the hosts one by one
	cookie SERVERID insert indirect nocache httponly secure # add a cookie to direct traffic based on it
#acl for request based on added cookie
	acl hdr_req_ipa01 req.hdr(Cookie) -m sub ipa01 
	acl hdr_req_ipa02 req.hdr(Cookie) -m sub ipa02 
	acl hdr_req_ipa03 req.hdr(Cookie) -m sub ipa03 
#--------------------------------------------------------------------------
#Depending on which cookie our request is labeled with, we change the Host and Referer headers
	http-request set-header Host freeipa01.inside.mydomain.ru if hdr_req_ipa01
	http-request replace-header Referer ^https?://freeipa\.mydomain\.ru(.*)$  https://freeipa01\.inside\.mydomain\.ru\1 if hdr_req_ipa01
	http-request set-header Host freeipa02.inside.mydomain.ru if hdr_req_ipa02
	http-request replace-header Referer ^https?://freeipa\.mydomain\.ru(.*)$ https://freeipa01\.inside\.mydomain\.ru\1 if hdr_req_ipa02
	http-request set-header Host freeipa03.inside.mydomain.ru if hdr_req_ipa03
	http-request replace-header Referer ^https?://freeipa\.mydomain\.ru(.*)$ https://freeipa01\.inside\.mydomain\.ru\1 if hdr_req_ipa03
#--------------------------------------------------------------------------
#acl for response based on Location header
	acl hdr_ipa01 res.hdr(Location) -m sub freeipa01.inside.mydomain.ru
	acl hdr_ipa02 res.hdr(Location) -m sub freeipa02.inside.mydomain.ru
	acl hdr_ipa03 res.hdr(Location) -m sub freeipa03.inside.mydomain.ru
#--------------------------------------------------------------------------
#Depending on which host the response comes from, we edit the Set-Cookie and Location headers. If we do not edit the Location header we will encounter the following problem: when a user clicks on the freeipa.mydomain.ru link he will be redirected to one of the hosts: freeipa0x.inside.mydomain.ru (this is an important point, omitted in all the manuals we consulted).
	http-response replace-header Set-Cookie ^Domain=freeipa01\.inside\.mydomain\.ru(.*) Domain=freeipa\.mydomain\.ru\1 if hdr_ipa01
	http-response replace-value Location ^https?://freeipa01\.inside\.mydomain\.ru(.*)$ https://freeipa\.mydomain\.ru\1 if hdr_ipa01
	http-response replace-header Set-Cookie ^Domain=freeipa02\.inside\.mydomain\.ru(.*) Domain=freeipa\.mydomain\.ru\1 if hdr_ipa02
	http-response replace-value Location ^https?://freeipa02\.inside\.mydomain\.ru(.*)$ https://freeipa\.mydomain\.ru\1 if hdr_ipa02
	http-response replace-header Set-Cookie ^Domain=freeipa03\.inside\.mydomain\.ru(.*) Domain=freeipa\.mydomain\.ru\1 if hdr_ipa03
	http-response replace-value Location ^https?://freeipa03\.inside\.mydomain\.ru(.*)$ https://freeipa\.mydomain\.ru\1 if hdr_ipa03
#--------------------------------------------------------------------------
#Here we put our FreeIPA hosts
	server ipa01 freeipa01.inside.mydomain.ru:443 check port 443 inter 5s rise 2 fall 5 cookie ipa01 weight 9 ssl verify none
	server ipa02 freeipa02.inside.mydomain.ru:443 check port 443 inter 5s rise 2 fall 5 cookie ipa02 weight 1 ssl verify none
	server ipa03 freeipa03.inside.mydomain.ru:443 check port 443 inter 5s rise 2 fall 5 cookie ipa03 weight 3 ssl verify none
#check port 443 - check if the host is alive on port 443.
#inter 5s - check availability at 5 second intervals. 
#rise 2 fall 5 - if 2 checks say that the host is unavailable, it will be excluded from balancing and returned after 5 successful checks.
#cookie ipa0x - specifies which cookie will be added as the SERVERID insert cookie.
#ssl verify none - SSL certificate termination, ignoring errors.
#weight 3 - specifies load balancing priority.

There is also the possibility of encountering an annoying authorization window in Chrome, Edge, IE and some other browsers.

The appearance of this window is described in this bug report, which contains a solution to the problem, but with HAProxy you can solve the problem without changing the host configuration. To do that, we add the following line to the backend section of the configuration file:

http-response del-header www-authenticate

It will remove the header responsible for the intrusive window.

Conclusion

HOSTKEY always supports the initiative of its employees, which has a positive effect on the customer experience and development of the company. Not only do we help our specialists to develop and make a career (which again is beneficial for us as the employer), but we also get useful solutions for our customers, as well as interesting entries for the company blog. We hope that this solution will come in handy for our readers.

Rent dedicated and virtual servers with instant deployment in reliable TIER III class data centers in the Netherlands and the USA. Free protection against DDoS attacks included, and your server will be ready for work in as little as 15 minutes. 24/7 Customer Support.

Other articles

11.11.2022

How to ignore tmpfs, udf, iso9660 when dealing with filesystem metrics

How to avoid issues using Foreman when installing Windows OS?

31.10.2022

Monitoring Linux Services with Prometheus

Monitoring services and implementing an alert system on Linux servers with Prometheus.

31.10.2022

Using Prometheus + Alertmanager + Node Exporter to monitor a company's geo-distributed infrastructure.

How to implement an effective monitoring system to track equipment operation and quickly detect server failures.

17.10.2022

Migrating Virtual Servers to oVirt

Develop and apply a convenient scheme for transferring servers from the old oVirt Engine 4.2 infrastructure to the new oVirt Engine 4.5 infrastructure.

11.10.2022

Wazuh from the point of view of a Windows Administrator

How to choose a solution that will ensure a stable file configuration on servers and reliable alerts in event these files change.

HOSTKEY Dedicated servers and cloud solutions Pre-configured and custom dedicated servers. AMD, Intel, GPU cards, Free DDoS protection amd 1Gbps unmetered port 30
4.3 67 67
Upload