FreeIPA behind HAProxy
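# Public entry point for the shared name ipa.example.org: listens on plain
# HTTP and on HTTPS, terminates TLS here, and hands every request to bk_ipa.
frontend ft_ipa
    mode http
    bind <IP>:80
    # TLS ends at this bind line; everything behind it in this file is plain HTTP.
    # NOTE(review): protocol versions and ciphers are left at the build's
    # defaults; consider pinning them (e.g. ssl-default-bind-options in the
    # global section, which is not shown on this page).
    bind <IP>:443 ssl crt /etc/haproxy/ssl/ipa.example.org.cert.pem
    # Clients that arrived without TLS are redirected to the https:// scheme.
    # NOTE(review): this only protects clients that follow the redirect; a
    # Strict-Transport-Security response header would keep browsers from
    # retrying over plain HTTP later.
    redirect scheme https if !{ ssl_fc }
    # Unconditional: all traffic goes to the single backend below.
    use_backend bk_ipa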
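# Pool made of the two loopback listeners defined further down. lt_ipa_2 is
# marked "backup", so it only receives traffic when lt_ipa_1 is considered down.
backend bk_ipa
    mode http
    balance roundrobin
    # NOTE(review): "check" with no "option httpchk" is a TCP connect test, and
    # the target is HAProxy's own loopback listener rather than the IPA host.
    # That listener presumably accepts connections even when the IPA server
    # behind it is down, so verify that failover to lt_ipa_2 really triggers.
    server lt_ipa_1 localhost:8080 check
    server lt_ipa_2 localhost:8081 check backup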
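# Loopback listener that adapts requests for the first IPA server: it rewrites
# the Referer to that server's own name on the way in and the cookie Domain
# back to the shared name on the way out.
listen lt_ipa_1
    mode http
    bind localhost:8080
    # Requests for the bare root are redirected to the web UI.
    http-request redirect location /ipa/ui if { path_reg ^/$ }
    # FreeIPA rejects requests whose Referer is not its own URL; that check is
    # part of its CSRF defence.
    # NOTE(review): this line overwrites the Referer on EVERY request, so the
    # check passes regardless of where the request originated and the
    # Referer-based protection is effectively disabled for traffic through the
    # proxy. A narrower form rewrites only a Referer that already names the
    # public host and leaves anything else for IPA to reject, e.g.:
    #   http-request replace-header Referer ^https://ipa\.example\.org/(.*) https://ipa1.example.org/\1
    http-request set-header Referer https://ipa1.example.org/ipa/
    # NOTE(review): this ACL is defined but not referenced anywhere on this page.
    acl hdr_set_cookie_dom res.hdr(Set-cookie) -m sub Domain= ipa.example.org
    # Rewrite the cookie Domain from the real server name to the shared name so
    # the browser sends the session cookie back to ipa.example.org.
    # NOTE(review): rspirep was removed in HAProxy 2.1; on newer versions the
    # equivalent is "http-response replace-header Set-Cookie ...". The dots in
    # the pattern are unescaped and match any character.
    rspirep ^(Set-Cookie:.*)\ Domain=ipa1.example.org(.*) \1\ Domain=ipa.example.org\2
    # Host name corrected from "ipa1.example" to match the Referer and cookie
    # rules above and the second listener's ipa2.example.org.
    # NOTE(review): port 80 means passwords and session cookies travel between
    # HAProxy and the IPA server unencrypted. Prefer TLS to the backend, e.g.
    # "server ipa ipa1.example.org:443 ssl verify required ca-file <path-to-IPA-CA-cert> check".
    server ipa ipa1.example.org:80 check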
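# Loopback listener that adapts requests for the second (backup) IPA server:
# it rewrites the Referer to that server's own name on the way in and the
# cookie Domain back to the shared name on the way out.
listen lt_ipa_2
    mode http
    bind localhost:8081
    # Requests for the bare root are redirected to the web UI.
    http-request redirect location /ipa/ui if { path_reg ^/$ }
    # FreeIPA rejects requests whose Referer is not its own URL; that check is
    # part of its CSRF defence.
    # NOTE(review): this line overwrites the Referer on EVERY request, so the
    # check passes regardless of where the request originated and the
    # Referer-based protection is effectively disabled for traffic through the
    # proxy. A narrower form rewrites only a Referer that already names the
    # public host and leaves anything else for IPA to reject, e.g.:
    #   http-request replace-header Referer ^https://ipa\.example\.org/(.*) https://ipa2.example.org/\1
    http-request set-header Referer https://ipa2.example.org/ipa/
    # NOTE(review): this ACL is defined but not referenced anywhere on this page.
    acl hdr_set_cookie_dom res.hdr(Set-cookie) -m sub Domain= ipa.example.org
    # Rewrite the cookie Domain from the real server name to the shared name so
    # the browser sends the session cookie back to ipa.example.org.
    # NOTE(review): rspirep was removed in HAProxy 2.1; on newer versions the
    # equivalent is "http-response replace-header Set-Cookie ...". The dots in
    # the pattern are unescaped and match any character.
    rspirep ^(Set-Cookie:.*)\ Domain=ipa2.example.org(.*) \1\ Domain=ipa.example.org\2
    # NOTE(review): port 80 means passwords and session cookies travel between
    # HAProxy and the IPA server unencrypted. Prefer TLS to the backend, e.g.
    # "server ipa ipa2.example.org:443 ssl verify required ca-file <path-to-IPA-CA-cert> check".
    server ipa ipa2.example.org:80 check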
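# VERSION 6 - DO NOT REMOVE THIS LINE

RewriteEngine on

# By default forward all requests to /ipa. If you don't want IPA
# to be the default on your web server comment this line out.
RewriteRule ^/$ /ipa/ui [L,NC,R=301]

# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
# NOTE(review): disabled on this page, presumably so that requests arriving
# with the proxy's Host name are not bounced to ipa1.example.org.
#RewriteCond %{HTTP_HOST} !^ipa1.example.org$ [NC]
#RewriteRule ^/ipa/(.*) http://ipa1.example.org/ipa/$1 [L,R=301]

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
# NOTE(review): with this redirect disabled, the web UI (login included) is
# served over plain HTTP on port 80 to any client that can reach this host
# directly, not only to the proxy. Either restrict port 80 to the proxy's
# address (firewall or an access rule) or keep the redirect and have the
# proxy connect to port 443 with certificate verification.
#RewriteCond %{SERVER_PORT} !^443$
#RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
#RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
#RewriteRule ^/ipa/(.*) https://ipa1.example.org/ipa/$1 [L,R=301,NC]

# Rewrite for plugin index, make it like it's a static file
RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT]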