01.08.2022

Multiple FreeIPA hosts for HTTP proxy: configuring HAProxy 2+

server one

The path of an engineer in telecom often starts with working in technical support. If you want to develop newcomers into top-notch specialists, you need to give them the opportunity to work on tasks beyond the scope of their duties. We try to help eager young colleagues in their development — it's been one of HOSTKEY's main principles since its foundation. This article is about FreeIPA administration panel proxying through HAProxy, and was written by our technical support engineer, Alexander Tryapkin.

HOSTKEY
Rent dedicated and virtual servers with instant deployment in reliable TIER III class data centers in the Netherlands and the USA. Free protection against DDoS attacks included, and your server will be ready for work in as little as 15 minutes. 24/7 Customer Support.

Problem

We have three FreeIPA administrative panel hosts (freeipa01.inside.mydomain.ru, freeipa02.inside.mydomain.ru and freeipa03.inside.mydomain.ru). We needed to provide access to them by one domain name: freeipa.mydomain.ru. Despite the seeming simplicity of the task, we had to work hard to solve it, because there were no ready-made recipes for HAProxy version 2.0 and higher on the internet.

Each FreeIPA installation is bound to a different domain name, which means that we will need to edit the headers of incoming and outgoing HTTP requests. The self-service portal must be closed with a valid certificate, and the FreeIPA hosts running on the backend must not be modified so as not to affect client-server communication through the API.

Older versions of HAProxy (1+) used the reqrep/rsprep method to edit HTTP headers. There are instructions on the web for setting up HAProxy and FreeIPA using this method, but in version 2.0 it was marked as deprecated, and in version 2.1 it was removed entirely. Instead of rsprep, we will use the http-response method.

Solution

First, we need to edit the default HAProxy configuration file. There are four sections: global, defaults, frontend and backend. We won't touch the first two (the standard values are enough), but we will describe frontend and backend in detail:

#frontend section
frontend main 
	bind :80
	redirect scheme https code 301 if !{ ssl_fc } # redirect to https frontend main_ssl
	bind :443 ssl crt /etc/haproxy/ssl/ # use certificates from the directory
	use_backend freeipa if { ssl_fc_sni freeipa.mydomain.ru } # if freeipa.mydomain.ru is accessed, use FreeIPA backend
#backend section
backend freeipa
	mode http
	balance roundrobin # distribute the load across the hosts one by one
	cookie SERVERID insert indirect nocache httponly secure # add a cookie to direct traffic based on it
#acl for request based on added cookie
	acl hdr_req_ipa01 req.hdr(Cookie) -m sub ipa01 
	acl hdr_req_ipa02 req.hdr(Cookie) -m sub ipa02 
	acl hdr_req_ipa03 req.hdr(Cookie) -m sub ipa03 
#--------------------------------------------------------------------------
#Depending on which cookie our request is labeled with, we change the Host and Referer headers
	http-request set-header Host freeipa01.inside.mydomain.ru if hdr_req_ipa01
	http-request replace-header Referer ^https?://freeipa\.mydomain\.ru(.*)$  https://freeipa01\.inside\.mydomain\.ru\1 if hdr_req_ipa01
	http-request set-header Host freeipa02.inside.mydomain.ru if hdr_req_ipa02
	http-request replace-header Referer ^https?://freeipa\.mydomain\.ru(.*)$ https://freeipa01\.inside\.mydomain\.ru\1 if hdr_req_ipa02
	http-request set-header Host freeipa03.inside.mydomain.ru if hdr_req_ipa03
	http-request replace-header Referer ^https?://freeipa\.mydomain\.ru(.*)$ https://freeipa01\.inside\.mydomain\.ru\1 if hdr_req_ipa03
#--------------------------------------------------------------------------
#acl for response based on Location header
	acl hdr_ipa01 res.hdr(Location) -m sub freeipa01.inside.mydomain.ru
	acl hdr_ipa02 res.hdr(Location) -m sub freeipa02.inside.mydomain.ru
	acl hdr_ipa03 res.hdr(Location) -m sub freeipa03.inside.mydomain.ru
#--------------------------------------------------------------------------
#Depending on which host the response comes from, we edit the Set-Cookie and Location headers. If we do not edit the Location header we will encounter the following problem: when a user clicks on the freeipa.mydomain.ru link he will be redirected to one of the hosts: freeipa0x.inside.mydomain.ru (this is an important point, omitted in all the manuals we consulted).
	http-response replace-header Set-Cookie ^Domain=freeipa01\.inside\.mydomain\.ru(.*) Domain=freeipa\.mydomain\.ru\1 if hdr_ipa01
	http-response replace-value Location ^https?://freeipa01\.inside\.mydomain\.ru(.*)$ https://freeipa\.mydomain\.ru\1 if hdr_ipa01
	http-response replace-header Set-Cookie ^Domain=freeipa02\.inside\.mydomain\.ru(.*) Domain=freeipa\.mydomain\.ru\1 if hdr_ipa02
	http-response replace-value Location ^https?://freeipa02\.inside\.mydomain\.ru(.*)$ https://freeipa\.mydomain\.ru\1 if hdr_ipa02
	http-response replace-header Set-Cookie ^Domain=freeipa03\.inside\.mydomain\.ru(.*) Domain=freeipa\.mydomain\.ru\1 if hdr_ipa03
	http-response replace-value Location ^https?://freeipa03\.inside\.mydomain\.ru(.*)$ https://freeipa\.mydomain\.ru\1 if hdr_ipa03
#--------------------------------------------------------------------------
#Here we put our FreeIPA hosts
	server ipa01 freeipa01.inside.mydomain.ru:443 check port 443 inter 5s rise 2 fall 5 cookie ipa01 weight 9 ssl verify none
	server ipa02 freeipa02.inside.mydomain.ru:443 check port 443 inter 5s rise 2 fall 5 cookie ipa02 weight 1 ssl verify none
	server ipa03 freeipa03.inside.mydomain.ru:443 check port 443 inter 5s rise 2 fall 5 cookie ipa03 weight 3 ssl verify none
#check port 443 - check if the host is alive on port 443.
#inter 5s - check availability at 5 second intervals. 
#rise 2 fall 5 - if 2 checks say that the host is unavailable, it will be excluded from balancing and returned after 5 successful checks.
#cookie ipa0x - specifies which cookie will be added as the SERVERID insert cookie.
#ssl verify none - SSL certificate termination, ignoring errors.
#weight 3 - specifies load balancing priority.

There is also the possibility of encountering an annoying authorization window in Chrome, Edge, IE and some other browsers.

The appearance of this window is described in this bug report, which contains a solution to the problem, but with HAProxy you can solve the problem without changing the host configuration. To do that, we add the following line to the backend section of the configuration file:

http-response del-header www-authenticate

It will remove the header responsible for the intrusive window.

Conclusion

HOSTKEY always supports the initiative of its employees, which has a positive effect on the customer experience and development of the company. Not only do we help our specialists to develop and make a career (which again is beneficial for us as the employer), but we also get useful solutions for our customers, as well as interesting entries for the company blog. We hope that this solution will come in handy for our readers.

Rent dedicated and virtual servers with instant deployment in reliable TIER III class data centers in the Netherlands and the USA. Free protection against DDoS attacks included, and your server will be ready for work in as little as 15 minutes. 24/7 Customer Support.

Other articles

20.06.2022

Multithreaded encoding: Pay twice as much or go for built-in?

Will we be able to multiply the performance with a professional video card, which costs twice as much? Let's check it out.

03.06.2022

How to choose a web hosting service

To choose the best hosting solution for your needs, you should assess several parameters: availability, reliability and service security, as well as the quality of support.

03.06.2022

NVIDIA A5500: real power or just a facelift

Testing the new NVIDIA RTX5500 professional GPU card for tasks related to encoding, machine learning, rendering.

22.05.2022

Integrating FreeIPA with Active Directory

We're going to tell you how we integrated FreeIPA with Active Directory to manage office computers with Windows and Cisco Systems equipment.

22.05.2022

Apache Guacamole and its interaction with the API: the real case of using oVirt

We're going to tell you how to remotely control Dell equipment using the VNC console built into DRAC.

HOSTKEY Dedicated servers and cloud solutions Pre-configured and custom dedicated servers. AMD, Intel, GPU cards, Free DDoS protection amd 1Gbps unmetered port 30
4.3 67 67
Upload