#7665 Would like to use aliases or load balanced addresses to access the IPA API
Opened 8 months ago by abiagion. Modified 8 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1602087

Description of problem: We would like to use aliases or load balanced
addresses to access the IPA API, but when we do so there is always an error
about the HTTP referrer. It's not ideal for us to hard-code single point of
failure servers into our code, so we are looking for a workaround.

    Error when attempting to use API with "ipa.x.example.com"
    Traceback (most recent call last):
     File "/n/tech/python/tech/pdtsys/unix/generate_k5logins.py", line 19, in <module>
       prodid_group = ipa.group_show('production_id')
     File "/n/tech/python/tech/pdtsys/unix/ipa.py", line 106, in group_show
       raise err

    RuntimeError: Missing or invalid HTTP Referer,


Version-Release number of selected component (if applicable): RHEL 7.5


How reproducible: Attempt to access the IPA API using an alias or F5


Actual results: Error: Missing or invalid HTTP Referer


Expected results: Successful access to the API


Additional info: From mailing list: using multiple frontends for IPA API is not
supported yet. Disabling HTTP_REFERER will cause numerous security
issues.

I have https://github.com/abbra/freeipa/pull/9 which is a work in
progress to add ability to manually configure list of aliases. However,
it requires changes to the core of IPA framework and there was no
priority for it for about a year.

Metadata Update from @abiagion:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1602087

8 months ago
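
An added example, not FreeIPA code and not the code from the pull request linked in the ticket: a Referer check that accepts a manually configured list of aliases instead of a single server name. The host names, the `/ipa` path prefix and the function name `referer_allowed` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed configuration: one real server name plus one alias.
ALLOWED_HOSTS = frozenset({"ipa1.x.example.com", "ipa.x.example.com"})
API_PATH = "/ipa"  # assumed API path prefix


def referer_allowed(referer, allowed_hosts=ALLOWED_HOSTS, api_path=API_PATH):
    """Return True only if the Referer names the API path on a listed host."""
    if not referer:
        return False  # a missing header is rejected, as in the ticket's error
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    # Reject user-info forms such as https://alias@other-host/ipa outright.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    # Exact match against the list: a suffix or substring match would let
    # alias.attacker-domain pass as the alias.
    if host.rstrip(".").lower() not in allowed_hosts:
        return False
    path = parts.path
    return path == api_path or path.startswith(api_path + "/")


if __name__ == "__main__":
    # Constructed sample headers.
    for sample in (
        "https://ipa.x.example.com/ipa/ui/",
        "https://ipa.x.example.com.evil.test/ipa",
        "http://ipa.x.example.com/ipa",
        None,
    ):
        print(repr(sample), referer_allowed(sample))
```

With only the real server name in the list, a request sent through the alias is rejected, which is the behaviour reported above.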
