[Freeipa-users] IPA Web UI behind proxy
Benjamen Keroack
benjamen at dollarshaveclub.com
Fri Apr 24 18:45:23 UTC 2015
Hi,
Does anybody have any experience putting the IPA web UI behind a reverse
proxy? In an attempt to allow our users to access the UI without browser
warnings and without having to add the root CA certificate to their trusted
store (there was some resistance to that idea), I set up an nginx server as
a simple reverse proxy.
Every request returns an "Unable to verify your Kerberos credentials" error
page. The headers returned:
$ http -h GET https://proxy/ipa
HTTP/1.1 401 Unauthorized
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 1474
Content-Type: text/html; charset=UTF-8
Date: Fri, 24 Apr 2015 18:43:06 GMT
Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
Server: nginx/1.4.6 (Ubuntu)
WWW-Authenticate: Negotiate
I saw this thread from 2013:
https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065
I'm sending the proper Host and Referer headers by the proxy as specified,
and I modified the Apache rewriting rules to not redirect to the hostname
of the backend IPA server.
Any ideas how this can be done?
Thanks,
--
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benjamen at dollarshaveclub.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150424/65f4f2fe/attachment.htm>
More information about the Freeipa-users
mailing list