I'm trying to implement a reverse proxy in our system, for a micro-services architecture.

The proxy server is HAProxy, which works with SSL termination and needs to proxy requests to a backend server with HTTPS and Kerberos authentication. I succeeded in terminating the SSL on the proxy server and passing the request to the HTTPS server (I need the termination in order to route requests by their body to specific backend services), but I am failing to authenticate with Kerberos on the backend server.

Is it possible to implement Kerberos auth on the proxy server and then pass the TGT to the different backend services?

Itay Gabbay
  • Unfortunately I am also searching for a way to implement/activate Kerberos authentication on HAProxy. I have learned that the proper way to do Kerberos auth in a load balancer environment would be quite simple. Just authenticate against the load balancer, and create a custom header with the auth username for the backend application. With this approach you don't have to maintain a keytab on every backend host but keep them on the frontend LB. Now I just need to figure out a way to do this with HAProxy. I'd know how to do that with Apache and nginx, but they don't seem to fit our load balancing needs. – Daywalker May 04 '21 at 06:19

1 Answer

I have successfully done this and it took some work.

At the time I was using HDP, so I used Ambari to set up a Hive server on the HAProxy node. (This was done solely for the purpose of having Ambari manage the Kerberos principal. The Hive server itself never ran.)

Then I merged the keytab for my Hive server (on the proxy) with my Hive server keytabs so that the principal could be used on the Hive servers. I think I also allowed it as a principal to work with Hive. I'm sure there is another path that would allow you to use delegation, but this was the path of least resistance and made it so Hive mostly managed the keytab. I did have to re-merge the keytab when they were regenerated, but it wasn't as bad as manually managing keytabs.

Matt Andruff
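The keytab merge described in the answer above, as an added example that is not part of the original post: a small parser for the MIT keytab file format (version 0x0502) that merges several keytabs and lists which principals the result holds, which is the same operation MIT `ktutil` performs with `rkt` and `wkt`. The principal names, key bytes and the helper `make_entry` are constructed for illustration.

```python
import struct
MAGIC = b"\x05\x02"  # keytab file format version 2, fields are big-endian

def _counted(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Yield (principal, kvno, enctype, raw_entry) for each live entry."""
    if data[:2] != MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    off = 2
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size <= 0:                  # negative size marks a deleted slot
            off -= size
            continue
        raw, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", raw, 0)
        names, p = [], 2
        for _ in range(ncomp + 1):     # realm first, then the name components
            s, p = _counted(raw, p)
            names.append(s.decode())
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", raw, p)
        _key, p = _counted(raw, p + 11)
        if len(raw) - p >= 4:          # optional 32-bit kvno wins when non-zero
            kvno = struct.unpack_from(">I", raw, p)[0] or kvno
        yield "/".join(names[1:]) + "@" + names[0], kvno, enctype, raw

def merge_keytabs(*blobs):
    """Concatenate entries; first copy of a (principal, kvno, enctype) wins."""
    merged = {}
    for blob in blobs:
        for princ, kvno, enctype, raw in parse_keytab(blob):
            merged.setdefault((princ, kvno, enctype), raw)
    return MAGIC + b"".join(struct.pack(">i", len(r)) + r for r in merged.values())

def make_entry(principal, kvno, enctype, key):
    """Build one framed entry; used only for the constructed samples below."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed samples: hypothetical principals and dummy key bytes.
PROXY_KT = MAGIC + make_entry("HTTP/proxy.example.com@EXAMPLE.COM", 2, 18, b"\x11" * 32)
BACKEND_KT = MAGIC + make_entry("hive/hs2.example.com@EXAMPLE.COM", 5, 18, b"\x22" * 32)
```

Running `parse_keytab` over the merged file on each host shows exactly which principals' long-term keys that host now holds, which is the list to rotate when the keytabs are regenerated.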