Open harvey103565 opened 2 days ago
On what URL do you attempt to access that SSL ingress gateway? Is it possible that the last paragraph from https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy
In this example we have set up the proxy with the same hostname as the FreeIPA server. If the proxy needs to use different hostname, approach from FreeIPA behind HTTP proxy with different hostname can be used.
applies to your situation and you need to also configure proper rewrite of the hostnames and cookies?
OH.. I forgot the cookies.
As per described in FreeIPA behind HTTP proxy with different hostname. Just added new line into my configuration. /etc/http/conf.d/ipa-httprp.conf
. It looks now:
Listen 80
<VirtualHost *:80>
ErrorLog "logs/rp_error_log"
<Location "/">
Require all granted
# # RequestHeader set Origin "https://ipa-0.freeipa.idm.svc.cluster.local"
RequestHeader edit Referer "https://ipa.cdyhamc.com/ipa/ui/" "https://ipa-0.freeipa.idm.svc.cluster.local/ipa/ui/"
# ADDING THIS LINE
ProxyPassReverseCookieDomain ipa-0.freeipa.idm.svc.cluster.local ipa.company.top
</Location>
ProxyPass / http://ipa-0.freeipa.idm.svc.cluster.local:8086/
ProxyPassReverse / http://ipa-0.freeipa.idm.svc.cluster.local:8086/
</VirtualHost>
But still not working. Good news is that I do see cookie in httpd: logs/errror_log
, bad one is that we did not see cookie from browser: Edge/Chrome/Firefox... , There is even no set-cookie header in freeipa response header. "ipa.company.top" is the domain name used to access the gateway.
[Wed Oct 09 14:22:44.971546 2024] [lookup_identity:debug] [pid 15231:tid 15247] mod_lookup_identity.c(445): [client 10.0.0.164:37402] invoked for user admin@IDM.SVC.CLUSTER.LOCAL, referer: https://ipa-0.freeipa.idm.svc.cluster.local/ipa/ui/ [Wed Oct 09 14:22:44.971589 2024] [core:debug] [pid 15231:tid 15247] util_cookies.c(58): [client 10.0.0.164:37402] AH00007: ap_cookie: user 'admin@IDM.SVC.CLUSTER.LOCAL' set cookie: 'ipa_session=MagBearerToken=5uOiLo4uUPcWlnJxawClUr2AOTa1xBeIuHWwUa5rtv5hnDf3ZEei6k%2bt7Oofbq4pud7avT10t6ZKFsXVvT0eTt6BlZNrx%2bfnTZiakVGlFKy7HxmLbON5ubBPLICc%2fJh2DP94pfqrDeenqG5QGdE4yuyR2LmCzLOGgRsON6M1nVkaS3390WmyBwZhP5nvNYqDwu%2fVx4t2%2fJpN7iXq6WhQHkaPIDYPAP%2fljZq2ihkFNvk%3d;path=/ipa;httponly;secure;', referer: https://ipa-0.freeipa.idm.svc.cluster.local/ipa/ui/ [Wed Oct 09 14:22:44.973508 2024] [wsgi:error] [pid 15071:tid 15216] [remote 10.0.0.164:37430] ipa: INFO: 401 Unauthorized: No session cookie found
If from the point of view of the FreeIPA server its "self" URL is http://ipa-0.freeipa.idm.svc.cluster.local:8086/
, why do you have that https://ipa-0.freeipa.idm.svc.cluster.local/
in RequestHeader set Origin
, RequestHeader set Referer
, and RequestHeader edit Referer
? BTW, that ipa.cdyhamc.com
should likely be changed to ipa.company.top
as well.
There is even no set-cookie header in freeipa response header
Where do you observe that response? In browser's Developer Tools' Network traffic, or with tcpdump
somewhere along the line?
BTW, that
ipa.cdyhamc.com
should likely be changed toipa.company.top
as well.
This is a typo while editing reply, Not a error in my conf.
Where do you observe that response? In browser's Developer Tools' Network traffic, or with
tcpdump
somewhere along the line?
Browser's Developer Tools' Network traffic.
I also tried to finger out how to print complet http package forwarded via httpd-mod-proxy, which is create with <VirtuaHost *:80>
, but not work.
FreeIPA server its "self" URL is
http://ipa-0.freeipa.idm.svc.cluster.local:8086/
Made a test with configuration, set Origin
header is not necessary, edit Referer
has been changed to ipa-0.freeipa.idm.svc.cluster.local:8086. Then web loading process stuck at POST https://ipa.company.top/ipa/i18n_messages
, server reply error with response code 200. (see attached pic below)
Listen 80
<VirtualHost *:80>
ErrorLog "logs/rp_error_log"
<Location "/">
Require all granted
RequestHeader edit Referer "https://ipa.company.top/ipa/ui/" "https://ipa-0.freeipa.idm.svc.cluster.local:8086/ipa/ui/"
ProxyPassReverseCookieDomain ipa-0.freeipa.idm.svc.cluster.local ipa.company.top
</Location>
ProxyPass / http://ipa-0.freeipa.idm.svc.cluster.local:8086/
ProxyPassReverse / http://ipa-0.freeipa.idm.svc.cluster.local:8086/
</VirtualHost>
server response body:
result: null error: Object: code: 911 message "Missing or invalid HTTP Referer, https://ipa-0.freeipa.idm.svc.cluster.local:8086/ipa/ui/" data: Object referer: "https://ipa-0.freeipa.idm.svc.cluster.local:8086/ipa/ui/" name:"RefererError" id: null principal:"UNKNOWN" version "4.11.0"
Also tried adding #port 8086 to ProxyPassReverseCookieDomain
, still not work. I got this from httpd - logs/error_log
, and do not see the HOST field in 'set-cookie'. Could this be the reason?
[Thu Oct 10 01:36:48.930203 2024] [core:debug] [pid 16257:tid 16344] util_cookies.c(58): [client 10.0.0.164:57034] AH00007: ap_cookie: user 'admin@IDM.SVC.CLUSTER.LOCAL' set cookie: 'ipa_session=MagBearerToken=%2fO8fKmHAYXNgReugWwvZBHOSFE%2fYX35qe4zNUqOlnw7Gz4lEvHJeujWClpU%2f2Vk3K2o7u5%2bQWn8N88ZgaR0li0CRYhE1FSfHg%2fHTidk5bAxaVWjioW5mdJJPcgMzSqhWPNAS%2bd6Mafa9TJ6jOV4kxMHNkDzDTKSoTNh4631WkM%2bGylY8ruS2o0J1Ufce1mlvVhfSRDHSvhWff6docpjyiMwHX2HtbO%2fMLxGm1decyy8%3d;path=/ipa;httponly;secure;'
You have https://ipa-0.freeipa.idm.svc.cluster.local:8086/ipa/ui/
in that RequestHeader edit Referer
. Should that really be https
?
You have
https://ipa-0.freeipa.idm.svc.cluster.local:8086/ipa/ui/
in thatRequestHeader edit Referer
. Should that really behttps
Actually, browser access gateway via https://ipa.company.top/ipa/ui/
. Since tls is terminated at gateway, so gateway connect to mod_proxy viahttp://ipa.company.top/ipa/ui/
. ProxyPass
& RequestHeader edit
happens here. Then the header & url that proxy send to ipa-web service changes into http://ipa-0.freeipa.idm.svc.cluster.local:8086/ipa/ui/
.
Freeipa reject access if I set RequestHeader
to http://
, the web become totally not accessable. I guess it is because freeipa server ask for mandatory https access.
On the FreeIPA server side, the important thing is for the protocol://host:port part of the referrer header to be the same as the URL of the current request, that's what FreeIPA code checks, IIRC. So you cannot just mix'n'match http and https.
As for
Freeipa reject access if I set RequestHeader to http://, the web become totally not accessable. I guess it is because freeipa server ask for mandatory https access.
-- yes, that's what the FreeIPA configuration does by default and that's why in FreeIPA behind SSL proxy we comment out (among others) that
RewriteCond %{SERVER_PORT} !^443$
line which does that enforcement.
Now those documents are over eight years old, so it is well possible that something else somewhere else is at play and needs to be configured on top of what we list there. But the principles still stand.
I did some test which protocol://host:port
parts are guaranteed to be consistent with the source.
https://
.https://
.Now my configuration file looks:
Listen 8086
<VirtualHost *:8086>
ErrorLog "logs/rp_log"
<Location "/">
Require all granted
RequestHeader edit Referer "https://ipa.company.top/ipa/ui/" "https://ipa-0.freeipa.idm.svc.cluster.local/ipa/ui/"
ProxyPassReverseCookieDomain ipa-0.freeipa.idm.svc.cluster.local ipa.company.top
</Location>
SSLProxyEngine on
ProxyPass / https://ipa-0.freeipa.idm.svc.cluster.local/
ProxyPassReverse / https://ipa-0.freeipa.idm.svc.cluster.local/
</VirtualHost>
This time web ui complain 'Your session has expired.'
However krb5kdc.log
shows that ticket should be issued very recently.
Oct 10 11:48:51 ipa-0 krb5kdc200: TGS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.164: ISSUE: authtime 1728560931, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)}, admin@IDM.SVC.CLUSTER.LOCAL for HTTP/ipa-0.freeipa.idm.svc.cluster.local@IDM.SVC.CLUSTER.LOCAL
error_log
has something new
... [Thu Oct 10 11:48:51.648298 2024] [core:debug] [pid 17700:tid 17799] util_cookies.c(58): [client 10.0.0.164:53812] AH00007: ap_cookie: user 'admin@IDM.SVC.CLUSTER.LOCAL' set cookie: 'ipa_session=MagBearerToken=7IKJEojnZ1KIlKYyuqiSK8CuzWBXgEgkAuDN0pgemsqkwSO5WjA%2fuaNexsC%2fiqv8LgnFZ%2bTZXexySfHsNuoEWK%2fsyst4fFjf5YaR0JlJqACEzIerMZ%2biyVs1%2ffcw9M3yQETXQrmixwvhJ637oYqjIZz9oJSww5coRXofhMcqgsgSsNc2jYmUf68RBh9%2bs7nF7esQ5XUPsApILbA8wfCVgpm1cAaEe%2fUIGW2r4jjp%2bQU%3d;path=/ipa;httponly;secure;' [Thu Oct 10 11:48:51.764623 2024] [auth_gssapi:error] [pid 17700:tid 17781] [client 10.0.0.164:57744] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://ipa-0.freeipa.idm.svc.cluster.local/ipa/ui/ [Thu Oct 10 11:48:51.875705 2024] [auth_gssapi:error] [pid 17700:tid 17784] [client 10.0.0.164:57744] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)], referer: https://ipa-0.freeipa.idm.svc.cluster.local/ipa/ui/
Everything good in rp_log
for every connection
... [Thu Oct 10 11:48:51.844084 2024] [proxy:debug] [pid 17700:tid 17788] proxy_util.c(2866): [client 127.0.0.6:56299] AH00947: connected /ipa/session/loginkerberos?=1728560222437 to ipa-0.freeipa.idm.svc.cluster.local:443, referer: https://ipa-0.freeipa.idm.svc.cluster.local/ipa/ui/ [Thu Oct 10 11:48:51.844105 2024] [proxy:trace2] [pid 17700:tid 17788] proxy_util.c(3149): https: reusing backend connection 10.0.0.164:57744<>10.0.0.164:443 [Thu Oct 10 11:48:51.876140 2024] [proxy:debug] [pid 17700:tid 17788] proxy_util.c(2591): AH00943: https: has released connection for (ipa-0.freeipa.idm.svc.cluster.local:443)
Does that mean I've made one step forward? Because, from Browser F12 tool, there is still no cookies / ipa_sessions set int response headers. And freeipa response to the login request is
Unable to verify your Kerberos credentials Please make sure that you have valid Kerberos tickets (obtainable via kinit), and that you have configured your browser correctly.
Thank you.
It is not completely clear to me where in the setup that mod_proxy on port 8086 is located.
But anyway, if the Set-Cookie
HTTP response headers don't reach the browser, I would really be looking at the Istio configuration, to see if the Ingress Gateway may be stripping them off. Or test while bypassing it by creating some tunnel to reach the idm:web
Service directly.
I managed to deploy FreeIPA service on Kubernetes. For now it's only a clean installation for verification purposes. However, there is a weired issue, that I googled but with no luck.
FreeIPA web don't permit login and httpd error log shows:
Not sure if this is the right place to ask for help, please let me know which module to investigate.
Deploy info FreeIPA container, which is managed by k8s statefulset controller, was started with:
ipa-server-install -U --domain="idm.svc.cluster.local" --realm="IDM.SVC.CLUSTER.LOCAL" --ds-password="${DM_PASSWORD}" --admin-password="${ADMIN_PASSWORD}" --no-ntp --setup-dns --forwarder="10.0.255.68"
. replica:1
headless service:freeipa
namespace:idm
container hostname -f:ipa-0.freeipa.idm.svc.cluster.local
Exposed k8s service
# kubectl get svc -n idm web
:web ClusterIP 10.0.255.159 <none> 80/TCP,443/TCP 17d app=freeipa
As tls terminated at ingress gateway, which is istio service, I have to make istio connect to backend freeipa-service
web
at port80
, following freeipa howtos: FreeIPA behind SSL proxy, but omit the self ssl part. Istio already has proper certificate to terminate tls. New configuration file/etc/httpd/conf.d/ipa-httprp.conf
is created as:note: I changed httpd default listening port to 8086
And I also made some changes to
/etc/httpd/conf.d/ipa-rewrite.conf
to disable https redirect, new content as:Logs & diagnose tool outputs:
For new virtualhost act as reverse proxy, Everything in logs/rp_error_log seems good.
/var/log/httpd/error_log:
/var/log/krb5kdc.log:
# ipa-pkinit-manage status
# klist
# ipa -v ping
# httpd logs with
ipa -v ping``# ipa -vv pwpolicy-show global_policy
# httpd logs with
# ipa -vv pwpolicy-show global_policy``About 'failed to set perms (3140)' in logs , Here I found disscussions,And seems not a issues. freeipa-container issue #282 fedora #7032