[Freeipa-devel] IPA Server UI Behind Proxy

Rob Crittenden rcritten at redhat.com
Thu Aug 15 14:23:56 UTC 2013


Jan Pazdziora wrote:
> On Wed, Aug 14, 2013 at 09:36:42AM +0200, Petr Vobornik wrote:
>> On 08/14/2013 08:00 AM, Andrew Lau wrote:
>>> Hi,
>>>
>>> I've got my FreeIPA setup in an internal infrastructure, but I want to be
>>> able to have users access the web UI externally. I tweaked the
>>> ipa-rewrite.conf so it won't redirect me to the FQDN and then tried both a
>>> nginx reverse proxy and port forwarding, both work if the client manually
>>> sets the host name of the IPA server eg. ipa01.internaldomain.local in
>>> their /etc/hosts file. However if the client tries to use eg.
>>> ipa.externaldomain.com with the same port forwarding or nginx proxy config,
>>> it'll silently error. The docs briefly touch on this - but don't really
>>> give much to go on.
>>
>> FreeIPA RPC API, which Web UI uses, requires http referer header to
>> start with 'https://<ipa.server.hostname>/ipa'. Given that you are
>> using proxy, I assume that the referer is different and might be a
>> cause of the issue.
>
> Moving to freeipa-devel -- how hard would it be to add support for
> aliases -- alternate hostnames that the API would also understand as
> valid?
>
> Alternatively, how essential is this requirement for the referer
> header -- couldn't it be dropped, maybe via some config option?

It is there to prevent CSRF attacks. I think making this configurable 
would work, I just wonder how many people would need to tune that knob.

rob
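
The Referer check described in the thread, next to an alias-aware variant of the kind proposed, as an added example that is not part of the original messages and not FreeIPA's own code. The function names, the `ALLOWED_HOSTS` setting and the default-port restriction are assumptions; the host names are the ones used in the thread.

```python
from urllib.parse import urlsplit

# Hypothetical setting: the server's own FQDN plus operator-configured aliases.
ALLOWED_HOSTS = {"ipa01.internaldomain.local", "ipa.externaldomain.com"}
API_PATH = "/ipa"


def single_host_check(referer, server_fqdn):
    """Behaviour as described in the thread: prefix match on one host name."""
    return bool(referer) and referer.startswith(f"https://{server_fqdn}{API_PATH}")


def referer_allowed(referer, allowed_hosts=ALLOWED_HOSTS):
    """Alias-aware variant: parse the Referer and compare host, scheme and path."""
    if not referer:
        return False  # missing header: refuse rather than guess
    try:
        parts = urlsplit(referer)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo can make a foreign host look like an alias
    # urlsplit lowercases the host name; compare exactly, never by suffix/prefix.
    if (parts.hostname or "") not in {h.lower() for h in allowed_hosts}:
        return False
    if port not in (None, 443):
        return False  # assumption: aliases are served on the default port
    # Require /ipa itself or a path below it, not merely a string prefix.
    return parts.path == API_PATH or parts.path.startswith(API_PATH + "/")


if __name__ == "__main__":
    proxied = "https://ipa.externaldomain.com/ipa/ui/"
    # Rejected by the single-host check, accepted once the alias is configured.
    print(single_host_check(proxied, "ipa01.internaldomain.local"))
    print(referer_allowed(proxied))
```

Keeping the check and widening it to an explicit list preserves the CSRF protection, which dropping the Referer requirement would not.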



