[Freeipa-users] Deploying freeipa behind nginx

Steve Severance steve at altosresearch.com
Mon Feb 3 22:10:43 UTC 2014


So I understand the mitigation of CSRF attacks. I would like ipa to be able
to handle a specific set of referers. My use case may be less common since
my freeipa instance is handling our server infrastructure, not desktops.

I have everything working now. Here is an example nginx server config in
case anyone else needs it:

    server {
        server_name ipa.corp.com;
        listen 443 ssl;
        location / {
                proxy_cookie_domain ldap.corp.com ipa.corp.com;
                proxy_pass https://ldap.corp.com/;
                proxy_set_header Referer https://ldap.corp.com/ipa/ui;
        }
    }

ipa.corp.com would be the external server and ldap.corp.com would be the
internal server.

Thanks for your help.

Steve



On Mon, Feb 3, 2014 at 11:10 AM, Alexander Bokovoy <abokovoy at redhat.com>wrote:

> On Mon, 03 Feb 2014, Steve Severance wrote:
>
>> Yes it works if I specify the -s as ldap.mycorp.com. So we have progress!
>> It now appears to authenticate fine when it posts the session but I have a
>> new error.
>>
>> I get an Ipa Error 911 "Missing HTTP referer. <br/> You have to configure
>> your browser to send HTTP referer header." I assume this is because the
>> external name doesn't match the internal name. Is there a way to modify
>> this somewhere?
>>
> You can read https://bugzilla.redhat.com/show_bug.cgi?id=747710 for
> details and https://rhn.redhat.com/errata/RHSA-2011-1533.html is the
> security errata addressing it.
>
> We are deliberately closing cross-site forgery by enforcing
> HTTP referrer checks.
>
> Your nginx proxy would be a middle man which we are attempting to
> protect against.
>
> Recent discussions on how to allow your use case but still keep the
> security tight can be seen here:
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8920 (latter
> part of the thread). Discussion stalled since then.
>
>
>
>> Thanks.
>>
>> Steve
>>
>>
>> On Mon, Feb 3, 2014 at 4:40 AM, Sumit Bose <sbose at redhat.com> wrote:
>>
>>> On Fri, Jan 31, 2014 at 01:50:58PM -0800, Steve Severance wrote:
>>> > Hi Sumit, That does indeed work. What does that tell us?
>>>
>>> I'm sorry, but it only tells that in general GSSAPI/Kerberos is working.
>>> I think it does not help much with your original issue. About
>>> ipa-getkeytab, does it work if you specify the server with the
>>> -s/--server option?
>>>
>>>
>>> bye,
>>> Sumit
>>>
>>> >
>>> > Steve
>>> >
>>> >
>>> > On Wed, Jan 29, 2014 at 12:11 AM, Sumit Bose <sbose at redhat.com> wrote:
>>> >
>>> > > On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
>>> > > > Hi Everyone,
>>> > > >
>>> > > > I have deployed freeipa inside our production network. I want to be
>>> > > > able to access the web ui so I am attempting to add it to our nginx
>>> > > > edge machine. I can pass the requests upstream just fine but I am
>>> > > > unable to login using a username/password. I have enabled password
>>> > > > authentication in the kerberos section of the freeipa httpd config
>>> > > > file. In the logs it looks like the authentication succeeds and a
>>> > > > ticket is issued. I assume that the cookie that is returned
>>> > > > (ipa_session) has the authentication information in it. The
>>> > > > subsequent call to get json data fails and I am prompted to login
>>> > > > again.
>>> > > >
>>> > > > I found this thread
>>> > > > (https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
>>> > > > which has instructions on adding ipa.mydomain.com to the keytab.
>>> > > > When I call ipa-getkeytab it hangs for a bit before returning:
>>> > > > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>> > > >
>>> > > > Digging into this if I run:
>>> > > > ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
>>> > > >
>>> > > > I get:
>>> > > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>> > > >         additional info: SASL(-4): no mechanism available:
>>> > >
>>> > > Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y
>>> > > GSSAPI ....' ?
>>> > >
>>> > > bye,
>>> > > Sumit
>>> > >
>>> > > >
>>> > > > So we seem to have a SASL problem. If I run ldapsearch with -x simple
>>> > > > authentication works just fine.
>>> > > >
>>> > > > Do I need to do something special to enable SASL so I can get the
>>> > > > keytab? The ipa-getkeytab command does not seem to have an option to
>>> > > > use simple authentication.
>>> > > >
>>> > > > Thanks.
>>> > > >
>>> > > > Steve
>>> > >
>>> > >
>>>
>>>
>>
>>
>> --
>> Steve Severance
>> Director of Engineering
>> Altos Research
>>
>> e. steve at altosresearch.com
>> m. (240) 472 - 9645
>>
>
>>
>
>
> --
> / Alexander Bokovoy
>



-- 
Steve Severance
Director of Engineering
Altos Research

e. steve at altosresearch.com
m. (240) 472 - 9645
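The config in the message above stamps a fixed Referer on every proxied request, so the upstream's referer check can no longer tell a request the browser made from the IPA UI apart from one another site triggered through the proxy. The following is an added example, not code from the thread or from the FreeIPA project, of a narrower variant: it rewrites only a Referer the browser actually sent for the external name (host part ipa.corp.com to ldap.corp.com, path kept) and sends no Referer otherwise, so the upstream still rejects such requests with the same error 911 the thread describes. The `$ipa_referer` variable name is an assumption; the hostnames are the thread's own.

```nginx
# Added example: translate the browser's own Referer instead of hard-coding it.
map $http_referer $ipa_referer {
    # No Referer, or one from some other origin: an empty value makes nginx
    # omit the header, so the upstream's referer check fails as it would
    # without the proxy in front of it.
    default "";
    # Referer from the external name: swap the host, keep the path untouched.
    "~^https://ipa\.corp\.com/(?<rest>.*)$" "https://ldap.corp.com/$rest";
}

server {
    server_name ipa.corp.com;
    listen 443 ssl;
    # ssl_certificate / ssl_certificate_key for ipa.corp.com go here

    location / {
        proxy_cookie_domain ldap.corp.com ipa.corp.com;
        proxy_pass https://ldap.corp.com/;
        # Only a Referer that named the external host reaches the upstream.
        proxy_set_header Referer $ipa_referer;
    }
}
```

Check it by loading the UI at https://ipa.corp.com/ipa/ui in a browser (requests carry the translated Referer) and by issuing the same JSON-RPC POST with curl and no Referer header, which should still return the error 911 response.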

