@eheydrick
Created June 2, 2015 21:11
FreeIPA proxy
nginx conf for proxying the FreeIPA UI. ipa.my.org is the proxy name, realipa.my.org is the master.

    server {
        # The "ssl" parameter on listen enables TLS for this server block;
        # the separate "ssl on;" directive is obsolete and has been dropped.
        listen 443 ssl;
        server_name ipa.my.org;

        ssl_certificate /etc/nginx/ssl/ipa.crt;
        ssl_certificate_key /etc/nginx/ssl/ipa.key;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996).
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # Cipher list entries are colon-separated, including the !aNULL exclusion.
        ssl_ciphers AES256+EECDH:AES256+EDH:AES128+EECDH:!aNULL;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 24h;

        location / {
            proxy_pass https://realipa.my.org/;

            # Headers sent to the master.
            proxy_set_header Host $host;
            proxy_set_header Referer https://realipa.my.org/ipa/ui;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;

            # Rewrite the domain on cookies set by the master to the proxy name.
            proxy_cookie_domain realipa.my.org ipa.my.org;

            proxy_connect_timeout 150;
            proxy_send_timeout 100;
            proxy_read_timeout 100;
            proxy_buffers 4 32k;
            client_max_body_size 200M;
            client_body_buffer_size 512k;
            keepalive_timeout 5;

            # Response headers sent to the browser.
            add_header Strict-Transport-Security max-age=63072000;
            add_header X-Frame-Options DENY;
            add_header X-Content-Type-Options nosniff;
        }
    }

Also, /etc/ipa/default.conf on the masters needs to have this xmlrpc_uri setting:

    xmlrpc_uri=https://ipa.my.org/ipa/xml

And if you want to run the CLI on the master, you need to pass in the master URL, e.g.:

    ipa -e xmlrpc_uri=https://realipa.my.org/ipa/xml ...

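
A variant of the server block above that verifies the master's certificate on the proxied connection and drops the legacy TLS versions. This is an added example, not the gist author's config; it assumes the IPA CA certificate is available on the proxy host at /etc/ipa/ca.crt and that nginx is 1.13.0 or later, built against an OpenSSL with TLSv1.3.

```nginx
server {
    listen 443 ssl;
    server_name ipa.my.org;

    ssl_certificate     /etc/nginx/ssl/ipa.crt;
    ssl_certificate_key /etc/nginx/ssl/ipa.key;
    ssl_protocols TLSv1.2 TLSv1.3;      # original also allowed TLSv1 and TLSv1.1
    ssl_ciphers AES256+EECDH:AES256+EDH:AES128+EECDH:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 24h;

    # "always" sends the headers on error responses too. They are set at
    # server level and inherited by the location, which sets none of its own.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        proxy_pass https://realipa.my.org/;

        # nginx does not verify the upstream certificate by default
        # (proxy_ssl_verify is off), so the hop to the master is encrypted
        # but unauthenticated unless verification is switched on.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ipa/ca.crt;   # assumed CA path
        proxy_ssl_name realipa.my.org;    # name checked against the certificate
        proxy_ssl_server_name on;         # send SNI to the master
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        proxy_set_header Host $host;
        proxy_set_header Referer https://realipa.my.org/ipa/ui;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_cookie_domain realipa.my.org ipa.my.org;

        proxy_connect_timeout 150;
        proxy_send_timeout 100;
        proxy_read_timeout 100;
        proxy_buffers 4 32k;
        client_max_body_size 200M;
        client_body_buffer_size 512k;
        keepalive_timeout 5;
    }
}
```

Check the file with `nginx -t` before reloading; if the CA file does not validate the master's certificate, proxied requests fail with a 502 and the verification error is written to the nginx error log.
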
@mstrpi

mstrpi commented Nov 24, 2023

worked perfectly for me! thank you!

@kuhlmannmarkus

I had to adjust the "Host" header value to the "realipa" address. Everything else worked as expected! Thank you so much!
