FreeIPA behind HTTP load balancer

Jan Pazdziora



The FreeIPA servers can be run with multiple replicas set up. Administrators and users can use Web user interface of any replica they can reach over the network by specifying hostname of the particular replica in the URL but sometimes it might be useful to provide single URL to the users and let the software fail over between replicas. We will look at the steps that achieve the load balancing setup.

Front-end proxy

In article about FreeIPA behind HTTP proxy with different hostname, we've shown basic proxy configuration plus a couple of additional tweaks to session cookie and referer header handling, making the WebUI of the FreeIPA server accessible on front-end HTTP proxy machine with hostname, different from the real server name.

The resulting configuration we've arrived at could be done fully on the front-end machine:

<VirtualHost _default_:443>
# ...
# add the following directives
SSLProxyEngine on
ProxyPass /
ProxyPassReverse /
RequestHeader edit Referer ^https://webipa\.example\.com/

Proxy balancer

Let's now assume that instead of one FreeIPA server, we have two servers in multi-master replication setup, for example and On the front-end proxy machine, we can configure Apache module mod_proxy_balancer which extends the mod_proxy with load balancing capabilities.

We first define the pseudo-URL balancer://ipa-replicas with two balanced members:

<Proxy balancer://ipa-replicas>
and change the ProxyPass and ProxyPassReverse to point to this pseudo-URL, effectively invoking mod_proxy_balancer:
ProxyPass / balancer://ipa-replicas/
ProxyPassReverse / balancer://ipa-replicas/

We also need to extend the ProxyPassReverseCookieDomain setting to handle cookies coming from either back-end machine:


Determining referer value

All these configuration changes were done in the Apache HTTP Server configuration on the HTTP front-end machine, for example in /etc/httpd/conf.d/ssl.conf. The last one that we need to do is taking care of the referer HTTP request header which the FreeIPA WebUI logic expects to match its own hostname, and here we hit a problem — each FreeIPA server replica will want to see its own hostname in that request header but we cannot put multiple RequestHeader edit directives to the front-end proxy machine. Attempting something like

RequestHeader edit Referer ^https://webipa\.example\.com/
RequestHeader edit Referer ^https://webipa\.example\.com/
would cause the request header value to be rewritten from to no matter whether the balancer picked or At the same time, we do not seem to have a way to determine the worker which will be selected by mod_proxy_balancer to use that hostname as the replacement argument of RequestHeader edit.

The solution is to move this last configuration piece to the individual FreeIPA servers. There, we know what hostname to use, so we will do exactly the one change to the request header value needed. On replica, for example into /etc/httpd/conf.d/ipa-rewrite.conf, we add

RequestHeader edit Referer ^https://webipa\.example\.com/
while on machine, we use
RequestHeader edit Referer ^https://webipa\.example\.com/


After restarting Apache HTTP Server service on all three machines, we can access the FreeIPA server WebUI on the URL and the access will work even if one of the replicas will be down — the HTTP request will be routed to the other back-end replica machine.