<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 05/04/2015 12:32 PM, Tomas Babej
wrote:<br>
</div>
<blockquote cite="mid:55474ABC.8010506@redhat.com" type="cite">
<br>
<br>
<div class="moz-cite-prefix">On 04/27/2015 06:06 PM, David
Dimovski wrote:<br>
</div>
<blockquote
cite="mid:OF9F55F909.AC1AC4FA-ONC1257E34.00574BA3-C1257E34.00587210@biotronik.com"
type="cite"><font face="sans-serif" size="2">Hi Folks,</font> <br>
<font face="sans-serif" size="2">does somebody have a best
practice, how to access the IPA Web-UI with different domain
names?</font> <br>
<br>
<font face="sans-serif" size="2">Example:</font> <br>
<font face="sans-serif" size="2">Our IPA 4.1 has two different
IPs (extern and intern) with two domain names. The web gui is
only accessible from the domain name, which IPA was registered
with (intern domain name). When trying to access with the
extern domain name, IPA is rewriting to the intern domain
name.</font> <br>
<br>
<font face="sans-serif" size="2">After disabling the rewriting,
the web ui is accessible from the two domain names, but the
login is not possible from the extern domain name (only intern
domain name), getting the following error:</font> <br>
<font face="sans-serif" size="2">Logout session expired.</font>
<br>
<br>
<font face="sans-serif" size="2">Does somebody have an idea or a
clue?</font> <br>
<br>
<font face="sans-serif" size="2">Many thanks in advance!</font>
<br>
<br>
<font face="sans-serif" size="2">Best regards</font> <br>
<font face="sans-serif" size="2">David<br>
<br>
</font> <br>
<br>
</blockquote>
Hi,<br>
<br>
one possible solution would be to set up a reverse proxy with the
external domain name, which would be passing the requests from the
external world to the internal IPA server.<br>
<br>
However, the proxy would need to circumvent our XSS protection and
rewrite the HTTP_REFERRER header to the internal hostname.<br>
<br>
I haven't tested it, so maybe additional issues would come up.<br>
<br>
Tomas<br>
<br>
<br>
</blockquote>
<br>
For the record, Alexander pointed out that this would not work well,
as connections passed by the proxy to the internal IPA instance
would be encrypted using the external server's HTTP service ticket.<br>
<br>
A proper solution here would be to create an IPA replica with the
external hostname.<br>
<br>
Tomas<br>
</body>
</html>