Diffstat (limited to 'ipa-server/xmlrpc-server')
-rw-r--r--ipa-server/xmlrpc-server/ipa.conf36
1 files changed, 34 insertions, 2 deletions
diff --git a/ipa-server/xmlrpc-server/ipa.conf b/ipa-server/xmlrpc-server/ipa.conf
index b80c5c57f..30a7655a6 100644
--- a/ipa-server/xmlrpc-server/ipa.conf
+++ b/ipa-server/xmlrpc-server/ipa.conf
@@ -1,8 +1,8 @@
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
-Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
+# Require kerberos authentication for the entire server
-<Directory "/usr/share/ipa/ipaserver">
+<LocationMatch />
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
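Review bot: The 401 page at /errors/unauthorized.html now sits inside the Kerberos-protected scope, because `<LocationMatch />` at the top of this hunk is an unanchored regex that matches every URL path. Whether Apache still serves that page to a client that failed negotiation depends on how the internal redirect inherits the auth result, so it should be tested with an unauthenticated client. If it is not served, a separate `<Location /errors>` section containing `Satisfy Any` and `Allow from all` would exempt it. A plain `<Location />` would express the same scope without the regex. The container opened here is closed in the next hunk.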
@@ -13,6 +13,37 @@ Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /errors/unauthorized.html
+</LocationMatch>
+
+ProxyRequests Off
+
+<Proxy *>
+ RewriteEngine on
+ Order deny,allow
+ Allow from all
+
+ # We create a subrequest to find REMOTE_USER. Don't do this for every
+ # subrequest too (slow and huge logs result)
+ RewriteCond %{IS_SUBREQ}% false
+ RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
+ RequestHeader set X-Forwarded-User %{RU}e
+
+ # RequestHeader unset Authorization
+</Proxy>
+
+# The URI's with a trailing ! are those that aren't handled by the proxy
+ProxyPass /errors/ !
+ProxyPass /ipa !
+ProxyPass / http://localhost:8080/
+ProxyPassReverse /errors !
+ProxyPassReverse /ipa !
+ProxyPassReverse / http://localhost:8080/
+
+# Configure the XML-RPC service
+
+Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
+
+<Directory "/usr/share/ipa/ipaserver">
SetHandler mod_python
PythonHandler ipaxmlrpc
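Review bot: The backend on localhost:8080 now receives the client's Authorization header along with `X-Forwarded-User`, because `# RequestHeader unset Authorization` in the `<Proxy *>` block is left commented out. If the backend only needs the user name, enabling `RequestHeader unset Authorization` keeps the Negotiate token (or a password, if a basic-auth fallback is enabled in the lines not shown) off the plain-HTTP hop. The `RewriteCond %{IS_SUBREQ}% false` line has a stray `%` after the variable and appears to match only because the pattern is unanchored; `RewriteCond %{IS_SUBREQ} ^false$` states the intent. Since the backend will trust `X-Forwarded-User`, a comment here should record that it must listen on loopback only and treat an empty or `(null)` value, which mod_headers emits when `RU` is unset, as unauthenticated.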
@@ -22,3 +53,4 @@ Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
# this is pointless to use since it would just reload ipaxmlrpc.py
PythonAutoReload Off
</Directory>
+