Kerberos and Apache reverse proxy

Dmitri Pal dpal at redhat.com
Fri Jul 13 21:24:59 EDT 2018


I am sorry I missed the proxy aspect in your original mail.

But proxy with Kerberos in general is not a simple thing to do and should
be avoided.
Some hints on how to deal with proxy if you want Kerberos to work can be
found here.
https://ssimo.org/blog/id_019.html
I am not sure whether they are applicable to your situation or not.

The user service ticket needs to get to your actual wiki and it should
match the wiki service principal and key in the keytab.
If proxy gets in the way you will have issues.

What you can do is try KDC proxy instead of the reverse proxy.
https://github.com/latchset/kdcproxy/blob/master/README

Dmitri

On Fri, Jul 13, 2018 at 9:13 PM, Jaap Winius <jwinius at umrk.nl> wrote:

>
> Quoting Dmitri Pal <dpal at redhat.com>:
>
>> You can use an older package called mod_auth_kerb.
>> It is not recommended as mod_auth_gssapi is much better, but if your distro
>> does not have it you might not have a choice.
>>
>
> Sorry, but I neglected to say that I already had libapache2-mod-auth-kerb
> installed on both servers; it's what I've been using for some time to
> support Kerberos authentication for directly connected users. But, I guess
> that package is just not good enough for the proxy configuration that I
> have in mind.
>
> Cheers,
>
> Jaap
>
>


-- 

Thank you,
Dmitri Pal

Engineering Director, Identity Management and Platform Security
Red Hat, Inc.

