Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1602087
Description of problem: We would like to use aliases or load balanced
addresses to access the IPA API, but when we do so there is always an error
about the http referrer. It's not ideal for us to hard code single point of
failure servers into our code, so we are looking for a workaround.
Error when attempting to use API with "ipa.x.example.com"
Traceback (most recent call last):
File "/n/tech/python/tech/pdtsys/unix/generate_k5logins.py", line 19, in
prodid_group = ipa.group_show('production_id')
File "/n/tech/python/tech/pdtsys/unix/ipa.py", line 106, in group_show
RuntimeError: Missing or invalid HTTP Referer,
Version-Release number of selected component (if applicable): RHEL 7.5
How reproducible: Attempt to access the IPA API using an alias or F5
Actual results: Error: Missing or invalid HTTP Referer
Expected results: Successful access to the API
Additional info: From mailing list: using multiple frontends for IPA API is not
supported yet. Disabling HTTP_REFERER will cause numerous security
I have https://github.com/abbra/freeipa/pull/9 which is a work in
progress to add ability to manually configure list of aliases. However,
it requires changes to the core of IPA framework and there was no
priority for it for about a year.
Metadata Update from @abiagion:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1602087
to comment on this ticket.