[Freeipa-users] IPA Web UI behind proxy

Benjamen Keroack benjamen at dollarshaveclub.com
Mon Apr 27 16:45:20 UTC 2015


Hi Fraser,

I actually attempted that procedure (
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP) but
it completely broke my IPA install. I could no longer log in with any users
including admin, enrollment/client auth broke, etc. Unfortunately I
couldn't find any way to roll back to the self-signed CA cert so I ended up
having to do a full re-provision and reinstall.

Needless to say, I'm a bit reticent to try that again.



On Sun, Apr 26, 2015 at 5:32 PM, Fraser Tweedale <ftweedal at redhat.com>
wrote:

> On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote:
> > Hi,
> >
> > Does anybody have any experience putting the IPA web UI behind a reverse
> > proxy? In an attempt to allow our users to access the UI without browser
> > warnings and without having to add the root CA certificate to their trusted
> > store (there was some resistance to that idea), I set up an nginx server as
> > a simple reverse proxy.
> >
> > Every request returns an "Unable to verify your Kerberos credentials" error
> > page. The headers returned:
> >
> > $ http -h GET https://proxy/ipa
> > HTTP/1.1 401 Unauthorized
> > Accept-Ranges: bytes
> > Connection: keep-alive
> > Content-Length: 1474
> > Content-Type: text/html; charset=UTF-8
> > Date: Fri, 24 Apr 2015 18:43:06 GMT
> > Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
> > Server: nginx/1.4.6 (Ubuntu)
> > WWW-Authenticate: Negotiate
> >
> > I saw this thread from 2013:
> >
> > https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065
> >
> > I'm sending the proper Host and Referer headers by the proxy as specified,
> > and I modified the Apache rewriting rules to not redirect to the hostname
> > of the backend IPA server.
> >
> > Any ideas how this can be done?
> >
> Hi Benjamen,
>
> You could use a 3rd-party certificate (signed by a trusted, public CA)
> for the Web UI; see the guide:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> If you decide to continue with the Web UI behind a reverse proxy,
> Simo recently blogged about Kerberos authentication issues with this
> sort of setup; you may find inspiration here:
> https://ssimo.org/blog/id_019.html
>
> Cheers,
> Fraser
>
> > Thanks,
> >
> > --
> > Benjamen Keroack
> > *Infrastructure/DevOps Engineer*
> > benjamen at dollarshaveclub.com
>


-- 
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benjamen at dollarshaveclub.com
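For readers following the setup described in the quoted message, the following nginx server block is an added example; it is not configuration from the thread, from FreeIPA, or from either poster. It shows the two things the thread mentions (presenting the backend's own Host and Referer to IPA, and undoing the backend's redirects to its own hostname) together with the check a proxy operator should not skip: verifying the IPA server's certificate against the IPA CA on the proxy-to-backend leg, so that a public certificate on the front does not come at the cost of an unverified TLS hop behind it. The names proxy.example.com, ipa.example.com and the certificate paths are assumptions.

```nginx
# Added example, not from the thread. Assumed names: proxy.example.com is the
# public name users browse to, ipa.example.com is the IPA server, and
# /etc/ssl/ipa-ca.crt is the IPA CA certificate copied onto the proxy host.

server {
    listen 443 ssl;
    server_name proxy.example.com;

    # Certificate for the public name, issued by a CA the users' browsers
    # already trust, so no root CA has to be pushed to client machines.
    ssl_certificate     /etc/ssl/proxy.example.com.crt;
    ssl_certificate_key /etc/ssl/proxy.example.com.key;

    location / {
        proxy_pass https://ipa.example.com;

        # IPA expects Host and Referer to name the IPA server itself (the 2013
        # thread linked above), so present the backend's name, not the proxy's.
        # Note that this overrides whatever Referer the browser sent.
        proxy_set_header Host    ipa.example.com;
        proxy_set_header Referer https://ipa.example.com/ipa/ui;

        # Map Location headers that point at the backend's own name back to
        # the public name, instead of editing IPA's Apache rewrite rules.
        proxy_redirect https://ipa.example.com/ https://proxy.example.com/;

        # Verify the backend's certificate against the IPA CA rather than
        # accepting any certificate on the wire. These four directives need
        # nginx 1.7.0 or later; the thread shows 1.4.6, which cannot verify
        # the upstream certificate at all.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/ssl/ipa-ca.crt;
        proxy_ssl_server_name         on;
        proxy_ssl_name                ipa.example.com;
    }
}
```

This takes care of the HTTP-level requirements only. The 401 with `WWW-Authenticate: Negotiate` shown in the thread is the Kerberos step, and a browser requests its service ticket for the hostname in the URL it loaded, here HTTP/proxy.example.com, not for the IPA server's own HTTP principal; no amount of header rewriting on the proxy changes that, which is the class of problem Fraser's link about Kerberos behind reverse proxies concerns. A quick way to confirm the proxy side is correct before chasing Kerberos is to fetch the proxied URL with a client that has no Kerberos ticket and check that the response headers match what the IPA server returns directly (same status, same `WWW-Authenticate`, and a `Location`, if any, that names the proxy rather than the backend).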