adelton

FreeIPA behind SSL proxy

Jan Pazdziora

2015-08-20


Abstract

When SSL connections to a FreeIPA server need to be terminated on another machine, such as a front-end SSL load-balancing proxy, FreeIPA's Apache configuration needs to be tweaked to avoid infinite redirects. We look at the setup, as well as at ways of using another Apache HTTP server with mod_ssl as the proxy.

Front-end proxy

Assume we have a FreeIPA server ipa.example.com installed and configured, and we want to be able to access its WebUI via HTTPS while having that HTTPS traffic terminated on a different machine.

For testing purposes, let's use another Fedora machine for that front-end proxy:

proxy# dnf install -y httpd mod_ssl

By default, the mod_ssl package generates a self-signed SSL certificate in /etc/pki/tls/certs/localhost.crt during installation. We need to replace it with the certificate Server-Cert from the NSS database /etc/httpd/alias that the FreeIPA server is using. On the FreeIPA server, we export it from the NSS database, and then we copy it to the proxy machine:

ipa# certutil -L -d /etc/httpd/alias -a -n Server-Cert > /etc/pki/tls/certs/freeipa.crt
ipa# pk12util -n Server-Cert -d /etc/httpd/alias \
    -k /etc/httpd/alias/pwdfile.txt -w /etc/httpd/alias/pwdfile.txt \
    -o /dev/stdout \
    | openssl pkcs12 -nocerts -passin file:/etc/httpd/alias/pwdfile.txt -nodes > /etc/pki/tls/private/freeipa.key
ipa#

proxy# scp ipa.example.com:/etc/pki/tls/certs/freeipa.crt /etc/pki/tls/certs/localhost.crt
proxy# scp ipa.example.com:/etc/pki/tls/private/freeipa.key /etc/pki/tls/private/localhost.key

In addition, we need to instruct the Apache server on the front-end proxy machine to forward everything from port 443 to the real FreeIPA server. In /etc/httpd/conf.d/ssl.conf we add proxy directives to the default HTTPS virtual host:

<VirtualHost _default_:443>
# ...
# add the following directives
ProxyPass / http://ipa.example.com/
ProxyPassReverse / http://ipa.example.com/
</VirtualHost>

And we restart the Apache server on the proxy:

proxy# systemctl restart httpd

We need to make sure that connections from our client go to the proxy machine and not to the FreeIPA server directly. In production this might be handled by the network layer or by DNS settings; for testing, we can tweak /etc/hosts on the client to override the FreeIPA server's IP address with the proxy's IP address:

10.11.12.13	ipa.example.com

HTTP traffic in FreeIPA

When we now access https://ipa.example.com with our browser, provided the request lands on the proxy, it causes an HTTP connection to be made from the proxy to the FreeIPA server.

However, because of the request rewrites in FreeIPA's /etc/httpd/conf.d/ipa-rewrite.conf, the Apache HTTP server on the FreeIPA server, which sees an incoming HTTP (not HTTPS) request, issues a 301 redirect to the same location with the https:// scheme. The browser receives the redirect response and repeats exactly the same request, because from the browser's point of view it already made an https:// request, leading to an infinite loop.

Luckily, the solution is actually simple: we disable that redirect in the FreeIPA server's configuration by commenting it out:

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
# RewriteCond %{SERVER_PORT}  !^443$
# RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
# RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
# RewriteRule ^/ipa/(.*)      https://ipa.example.com/ipa/$1 [L,R=301,NC]

Now the traffic which reaches the FreeIPA server on port 80 using plain HTTP from the front-end proxy gets handled. Since from the point of view of the browser we still use HTTPS, that protocol is used in the Referer HTTP headers that the FreeIPA WebUI checks, so authentication and other operations still work.
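To make the loop concrete, here is an added Python simulation (not part of this post or of FreeIPA) that transcribes the four commented-out RewriteCond/RewriteRule directives above into a function and walks a browser request through the proxy to the backend on port 80. The hostname and paths are the ones used in this post; the hop limit is an arbitrary constructed value.

```python
import re
from typing import Optional, Tuple

# The conditions from /etc/httpd/conf.d/ipa-rewrite.conf, transcribed from the post.
EXEMPT_PATHS = re.compile(r"^/ipa/(errors|config|crl)")
STATIC_ASSETS = re.compile(r"^/ipa/[^?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$")
REWRITE_TARGET = re.compile(r"^/ipa/(.*)", re.IGNORECASE)   # the [NC] flag
HOST = "ipa.example.com"


def ipa_rewrite(server_port: int, request_uri: str, redirect_enabled: bool = True) -> Optional[str]:
    """Return the Location header the FreeIPA Apache would send as a 301,
    or None when the request is served as-is (any RewriteCond fails)."""
    if not redirect_enabled:                    # the rule is commented out
        return None
    if server_port == 443:                      # RewriteCond %{SERVER_PORT} !^443$
        return None
    if EXEMPT_PATHS.search(request_uri):        # errors/config/crl are never redirected
        return None
    if STATIC_ASSETS.search(request_uri):       # static WebUI assets are never redirected
        return None
    m = REWRITE_TARGET.match(request_uri)
    if not m:
        return None
    return f"https://{HOST}/ipa/{m.group(1)}"


def browse_through_proxy(url: str, redirect_enabled: bool, max_hops: int = 5) -> Tuple[str, int]:
    """Simulate browser -> SSL proxy -> FreeIPA over plain HTTP.
    The proxy terminates TLS and forwards to http://ipa.example.com/, so the
    backend always sees port 80. Returns ("served", hops) or ("loop", hops)."""
    hops = 0
    while hops < max_hops:
        request_uri = url.split(HOST, 1)[1].split("?", 1)[0]   # %{REQUEST_URI} has no query string
        location = ipa_rewrite(80, request_uri, redirect_enabled)  # ProxyPass / http://ipa.example.com/
        if location is None:
            return "served", hops
        hops += 1
        url = location                          # browser follows the 301 back to the proxy
    return "loop", hops
```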

Setup with different hostname

In this example we have set up the proxy with the same hostname as the FreeIPA server. If the proxy needs to use a different hostname, the approach from FreeIPA behind HTTP proxy with different hostname can be used.