[Freeipa-users] IPA Server UI Behind Proxy

Petr Vobornik pvoborni at redhat.com
Wed Aug 14 10:35:53 UTC 2013


On 08/14/2013 10:36 AM, Andrew Lau wrote:
> Any suggestions or workaround, short of having to switch the IPA's hostname
> to use a public domain?

IDK if anyone did that, but you can try to change the header by the proxy.

You should change it only for the request with referer: 
'https://ipa.externaldomain.com/ipa' to keep the original logic [1] in place.

That means the proxy will work as a man-in-the-middle and should have 
access to the certificate for the external domain. Also, external users 
should not use FreeIPA browser configuration pages because of the 
different domain.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=747710

>
> Andrew
>
>
> On Wed, Aug 14, 2013 at 5:36 PM, Petr Vobornik <pvoborni at redhat.com> wrote:
>
>> On 08/14/2013 08:00 AM, Andrew Lau wrote:
>>
>>> Hi,
>>>
>>> I've got my FreeIPA setup in an internal infrastructure, but I want to be
>>> able to have users access the web UI externally. I tweaked the
>>> ipa-rewrite.conf so it won't redirect me to the FQDN and then tried both a
>>> nginx reverse proxy and port forwarding, both work if the client manually
>>> sets the host name of the IPA server eg. ipa01.internaldomain.local in
>>> their /etc/hosts file. However if the client tries to use eg.
>>> ipa.externaldomain.com with the same port forwarding or nginx proxy
>>> config, it'll silently error. The docs briefly touch on this - but don't
>>> really give much to go on.
>>>
>>> Any suggestions?
>>>
>>> Andrew
>>> .
>>>
>>>   Hi,
>>
>> FreeIPA RPC API, which Web UI uses, requires http referer header to start
>> with 'https://<ipa.server.hostname>/ipa'. Given that you are using
>> proxy, I assume that the referer is different and might be a cause of the
>> issue.
>>
>> HTH
>> --
>> Petr Vobornik
>>
>


-- 
Petr Vobornik
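
The Referer rewrite suggested in the reply above, sketched as an nginx configuration. This is an added example and not part of the original message or of FreeIPA; the hostnames are the ones used in the thread, while the certificate paths, the Host header setting and the backend verification lines are assumptions.

```nginx
# Constructed example. Place the map block in the http{} context.
# Only a Referer that starts with the external UI URL is rewritten; any other
# value is passed through unchanged, so the IPA server's own check [1] still
# rejects it.
map $http_referer $ipa_referer {
    default $http_referer;
    # Anchored at the scheme, and "/ipa" must follow the hostname directly,
    # so a look-alike such as ipa.externaldomain.com.example.net does not match.
    # A map value that mixes text and a variable needs nginx 1.11.0 or later.
    "~^https://ipa\.externaldomain\.com/ipa(?<ipa_rest>.*)$"
        "https://ipa01.internaldomain.local/ipa$ipa_rest";
}

server {
    listen 443 ssl;
    server_name ipa.externaldomain.com;

    # The proxy terminates TLS, so it holds the external domain's certificate.
    ssl_certificate     /etc/nginx/tls/ipa.externaldomain.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/ipa.externaldomain.com.key;  # placeholder path

    location / {
        proxy_pass https://ipa01.internaldomain.local;

        # Assumption: the backend is addressed by its internal hostname.
        proxy_set_header Host    ipa01.internaldomain.local;
        proxy_set_header Referer $ipa_referer;

        # Assumption: verify the backend against the IPA CA so the second
        # TLS hop is authenticated as well.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/ipa-ca.crt;    # placeholder path
    }
}
```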



