[Freeipa-users] Web UI access from outside the home network via port forwarding

Rob Crittenden rcritten at redhat.com
Wed Jul 13 15:11:21 UTC 2016


Harry Kashouli wrote:
> I tried uncommenting everything in the ipa-rewrite.conf file, but it
> still changed the web address. I'll try clearing the cache, in case that
> was still remembering the links.
>
> I may be attacking my original thought badly, if this is going to be bad
> for security. I'm wanting to allow users to change their passwords
> remotely, so I figured giving them public access to the Web UI was the
> way to go. Is there a better solution?

Moving back to list.

Getting the rewrite rules right can be tricky sometimes. You might have 
an easier time using a proxy instead. Exposing the UI increases the 
attack surface area so as usual it's a balance of security and 
convenience that you need to assess.

A community portal was started last summer but has largely stalled. This 
is the long-term plan for what you're looking for. The design and a 
pointer to the current code is at 
https://www.freeipa.org/page/V4/Community_Portal

rob

>
> -Harry
>
> On 11 July 2016 at 19:56, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Harry Kashouli wrote:
>
>         Hi all,
>
>         I have a freeipa server set up, and would like to access the Web UI
>         remotely (from outside my home network).
>
>         I set up a fresh Fedora 24 server install, and installed
>         freeipa-server.
>            - I own a domain, domain.com
>            - The hostname of my freeipa server is
>         hostname.subdomain.domain.com
>            - My home network domain is subdomain.domain.com
>
>         I set up a CNAME hostname.domain.com and
>         port forwardings, and I tested this works with nginx on the same
>         machine; I can successfully see the nginx test page.
>         I then assumed I could do the same with the freeipa Web UI, but
>         when I navigate to http://hostname.domain.com:<external_port>, it
>         switches to https://hostname.subdomain.domain.com:<internal_port>,
>         and with the following error: "Server not found"
>
>         What am I doing wrong?
>
>
>     Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
>     to the real name of the IPA server when it was installed. You can
>     try tweaking this to allow both names, or to just not do the rewriting.
>
>     You may have issues with Kerberos and SSL due to using a different name.
>
>     You definitely don't want to use IPA over an unsecure channel.
>
>     rob
>
>



