[Freeipa-users] how to make fIPA stick to only...

Rob Crittenden rcritten at redhat.com
Tue Jul 5 17:20:51 UTC 2016


Alexander Bokovoy wrote:
> On Mon, 04 Jul 2016, lejeczek wrote:
>>
>>
>> On 04/07/16 07:59, Petr Spacek wrote:
>>> On 1.7.2016 16:29, lejeczek wrote:
>>>>
>>>> On 01/07/16 12:41, Petr Vobornik wrote:
>>>>> On 06/30/2016 04:56 PM, lejeczek wrote:
>>>>>> ... its own FQHN and its IP ?
>>>>>>
>>>>>> hi users,
>>>>>>
>>>>>> I'm fiddling with rewrites but being an amateur cannot figure it out,
>>>>>> it's on a multi/home-IP box. Is it possible?
>>>>>>
>>>>>> many thanks,
>>>>>>
>>>>>> L.
>>>>>>
>>>>> Hi L.
>>>>>
>>>>> Could you describe your environment and use case in more details.
>>>>> It is
>>>>> not clear to me what you are trying to achieve or what doesn't work
>>>>> for you.
>>>>>
>>>>> Thank you
>>>> gee, I thought my scenario would be quite common among users,
>>>> take a box with more than one net if, or even multiple IPs - what
>>>> would be nice to have is fIPA webui resides/runs only on that FQHN
>>>> and that IP to which the hostname resolves. Eg, here is one single system:
>>>> box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/)
>>>> ipa.my.dom.local 10.10.1.2
>>>> currently I get fIPA's webui everywhere, but I'd like it to be only at
>>>> ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP)
>>>> I think it would be great to have this included (maybe as
>>>> comments/options) in Apache's configs of IPA future releases, if possible.
>>>> Is it possible to construct such rules? Or is there a different,
>>>> simpler way?
>>> I'm still trying to understand your use-case. Why exactly you need to
>>> limit
>>> the web UI to one 'host name' while keeping it on the same box?
>>>
>> I'm sorry I cannot explain this better, in my mind it's really simple:
>> if I installed an instance of IPA on ipa.my.dom.local and the system
>> is a multi-homed/IP host, I'd like the webui to run only on that host/IP.
>> This should not even be a matter of "imagine a situation where..." but
>> rather assume that IPAs are deployed on such installations and then -
>> why would fIPA have to monopolize all the IPs/IFs there are?
>> Me, I'd like to be able to use httpd under a root of the host's other
>> FQHNs/IPs with other things.
> Your IPA masters hold passwords and keys to your company's
> infrastructure. We recommend against sharing the servers used for
> running IPA masters with any other applications, because any compromise
> of those applications can and will be used for taking over your
> infrastructure, as you have so nicely given the keys to its heart by
> co-sharing the same system.
>
> It is up to you how you make up your system defense. We as FreeIPA
> upstream developers put considerable effort into ensuring our default setup
> is secure enough to avoid such breaches. If you want to co-locate other
> applications, you need to understand what you are doing and how that
> affects your security. Effectively, you are on your own on this path.
>

FTR, I think this is mostly controlled in ipa-rewrite.conf. If the 
requested host is not the IPA host, or the port is not 443, or the request 
is for /, then ALL requests are redirected to https://IPAHOST/ipa/ui.

This file should have enough comments to figure out what part is doing 
what if you wanted to tweak it. I have to agree with Alexander, though. 
Running multiple services on what should be the core of your 
infrastructure isn't recommended.

rob
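
As an added illustration of the Apache side of this (not FreeIPA's shipped ipa-rewrite.conf or ipa.conf, and not part of the thread), here is how rules of the kind Rob describes could be confined to one address and one name on the multi-homed box lejeczek describes. The addresses and host names are the ones given in the thread (box1.my.dom.local 10.10.1.1, ipa.my.dom.local 10.10.1.2); the vhost layout, certificate paths and DocumentRoot are assumptions. The mechanism: `Listen 443` with no address binds every interface, and a request on any of them that no address-specific `<VirtualHost>` claims is answered by the main server, so rewrite rules included at main-server scope take effect on every IP the box has. Binding httpd per address and placing the rules inside the vhost for 10.10.1.2 limits them to that address and name.

```apache
# Added example for this thread, not FreeIPA's own configuration.
# Assumed addresses and names (from the thread):
#   10.10.1.1  box1.my.dom.local  -> other web content
#   10.10.1.2  ipa.my.dom.local   -> FreeIPA web UI only
# Certificate paths and DocumentRoot below are placeholders.

# Bind per address. Remove any bare "Listen 443" elsewhere (e.g. ssl.conf):
# httpd refuses to start when a wildcard and a specific bind both claim
# port 443 ("Address already in use").
Listen 10.10.1.1:443
Listen 10.10.1.2:443

# --- IPA-only vhost: answers on 10.10.1.2 alone ----------------------------
<VirtualHost 10.10.1.2:443>
    ServerName ipa.my.dom.local
    SSLEngine on
    # placeholders; IPA manages its own certificate
    SSLCertificateFile    /etc/pki/tls/certs/ipa.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ipa.key

    RewriteEngine on

    # The behaviour Rob describes, keyed explicitly on the Host header:
    # a request for /ipa/... that did not use the IPA name (for example
    # https://10.10.1.2/ipa/ui) is sent to the canonical FQDN URL, which
    # is what the Kerberos service principal and the TLS certificate name.
    RewriteCond %{HTTP_HOST} !^ipa\.my\.dom\.local(:443)?$ [NC]
    RewriteRule ^/ipa/(.*)$ https://ipa.my.dom.local/ipa/$1 [L,R=301]

    # Bare "/" on this name goes to the web UI.
    RewriteRule ^/$ https://ipa.my.dom.local/ipa/ui [L,NC,R=301]

    # IPA's own /ipa handlers (WSGI application, /ipa/ui static files)
    # stay as the installer configured them; they are not reproduced here.
</VirtualHost>

# --- Everything else: answers on 10.10.1.1 alone ---------------------------
<VirtualHost 10.10.1.1:443>
    ServerName box1.my.dom.local
    SSLEngine on
    # placeholders
    SSLCertificateFile    /etc/pki/tls/certs/box1.crt
    SSLCertificateKeyFile /etc/pki/tls/private/box1.key
    DocumentRoot          /srv/www/box1

    # Nothing under /ipa is reachable on this name or address: deny rather
    # than redirect, so 10.10.1.1 never acts as a door into the IPA UI.
    <Location /ipa>
        Require all denied
    </Location>
</VirtualHost>
```

Two caveats a practitioner should keep in mind. First, this confines only httpd: the directory server, the KDC and any DNS or CA components on an IPA master are separate listeners with their own bind settings, so restricting the web UI does not turn a shared box into an isolated one, which is the point Alexander makes above. Second, FreeIPA writes and maintains its httpd configuration itself, so hand edits of this kind are unsupported and may not survive an upgrade; Rob's pointer to the comments in ipa-rewrite.conf is the starting place if you decide to tweak it anyway.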