[Freeipa-users] Web UI access from outside the home network via port forwarding
Rob Crittenden
rcritten at redhat.com
Wed Jul 13 15:11:21 UTC 2016
Harry Kashouli wrote:
> I tried uncommenting everything in the ipa-rewrite.conf file, but it
> still changed the web address. I'll try clearing the cache, in case that
> was still remembering the links.
>
> I may be attacking my original thought badly, if this is going to be bad
> for security. I'm wanting to allow users to change their passwords
> remotely, so I figured giving them public access to the Web UI was the
> way to go. Is there a better solution?

Moving back to list.

Getting the rewrite rules right can be tricky sometimes. You might have
an easier time using a proxy instead. Exposing the UI increases the
attack surface area so as usual it's a balance of security and
convenience that you need to assess.

A community portal was started last summer but has largely stalled. This
is the long-term plan for what you're looking for. The design and a
pointer to the current code is at
https://www.freeipa.org/page/V4/Community_Portal

rob

>
> -Harry
>
> On 11 July 2016 at 19:56, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Harry Kashouli wrote:
>
> Hi all,
>
> I have a freeipa server set up, and would like to access the Web UI
> remotely (from outside my home network).
>
> I set up a fresh Fedora 24 server install, and installed
> freeipa-server.
> - I own a domain, domain.com
> - The hostname of my freeipa server is hostname.subdomain.domain.com
> - My home network domain is subdomain.domain.com
>
> I set up a CNAME hostname.domain.com and port forwardings, and I
> tested this works with nginx on the same machine; I can successfully
> see the nginx test page.
> I then assumed I could do the same with the freeipa Web UI, but when I
> navigate to http://hostname.domain.com:<external_port>, it switches to
> https://hostname.subdomain.domain.com:<internal_port>, and with the
> following error: "Server not found"
>
> What am I doing wrong?
>
>
> Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
> to the real name of the IPA server when it was installed. You can
> try tweaking this to allow both names, or to just not do the rewriting.
>
> You may have issues with Kerberos and SSL due to using a different name.
>
> You definitely don't want to use IPA over an unsecure channel.
>
> rob
>
>