[Freeipa-users] Web UI access from outside the home network via port forwarding

Harry Kashouli kashmancy at gmail.com
Wed Jul 13 22:02:47 UTC 2016


Thanks for all the info. I think I sorted out the rewrite rules now, and
the error I get is "Secure Connection Failed.
SSL_ERROR_UNRECOGNIZED_NAME_ALERT".

I'm going to try and google this, since I'm assuming I need a ServerAlias
somewhere. If someone knows the correct way, please let me know :)

-Harry

On 13 July 2016 at 08:11, Rob Crittenden <rcritten at redhat.com> wrote:

> Harry Kashouli wrote:
>
>> I tried uncommenting everything in the ipa-rewrite.conf file, but it
>> still changed the web address. I'll try clearing the cache, in case that
>> was still remembering the links.
>>
>> I may be attacking my original thought badly, if this is going to be bad
>> for security. I'm wanting to allow users to change their passwords
>> remotely, so I figured giving them public access to the Web UI was the
>> way to go. Is there a better solution?
>>
>
> Moving back to list.
>
> Getting the rewrite rules right can be tricky sometimes. You might have an
> easier time using a proxy instead. Exposing the UI increases the attack
> surface area so as usual it's a balance of security and convenience that
> you need to assess.
>
> A community portal was started last summer but has largely stalled. This
> is the long-term plan for what you're looking for. The design and a pointer
> to the current code is at https://www.freeipa.org/page/V4/Community_Portal
>
> rob
>
>
>> -Harry
>>
>> On 11 July 2016 at 19:56, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>     Harry Kashouli wrote:
>>
>>         Hi all,
>>
>>         I have a freeipa server set up, and would like to access the Web UI
>>         remotely (from outside my home network).
>>
>>         I set up a fresh Fedora 24 server install, and installed
>>         freeipa-server.
>>            - I own a domain, domain.com
>>            - The hostname of my freeipa server is
>>              hostname.subdomain.domain.com
>>            - My home network domain is subdomain.domain.com
>>
>>         I set up a CNAME hostname.domain.com and
>>         port forwardings, and I tested this works with nginx on the same
>>         machine; I can successfully see the nginx test page.
>>         I then assumed I could do the same with the freeipa Web UI, but
>>         when I navigate to http://hostname.domain.com:<external_port>, it
>>         switches to https://hostname.subdomain.domain.com:<internal_port>,
>>         and with the following error: "Server not found"
>>
>>         What am I doing wrong?
>>
>>
>>     Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
>>     to the real name of the IPA server when it was installed. You can
>>     try tweaking this to allow both names, or to just not do the rewriting.
>>
>>     You may have issues with Kerberos and SSL due to using a different name.
>>
>>     You definitely don't want to use IPA over an unsecure channel.
>>
>>     rob
>>
>>
>>
>
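
The two failures reported in this thread ("Server not found" after the redirect, then the TLS name error once the rewrite was changed) can be reproduced with a small model. This is an example added here, not code from the posters or from FreeIPA: the redirect logic is a simplified assumption about what canonical-host rewrite rules do, port 8443 stands in for `<external_port>`, and `rewrite` and `trace` are hypothetical helper names.

```python
from urllib.parse import urlsplit

# Host names are the ones used in the thread; everything else is constructed.
CANONICAL = "hostname.subdomain.domain.com"  # FQDN the server was installed with
EXTERNAL = "hostname.domain.com"             # public CNAME used from outside


def rewrite(url, canonical=CANONICAL):
    """Simplified model (an assumption) of canonical-host rewrite rules:
    return the redirect target for `url`, or None if it is served as-is."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    if path == "/":                          # bare site root goes to the UI
        return f"https://{canonical}/ipa/ui"
    if path.startswith("/ipa/") and host != canonical:
        return f"http://{canonical}{path}"   # force the install-time name
    if path.startswith("/ipa/") and parts.scheme != "https":
        return f"https://{canonical}{path}"  # force TLS
    return None


def trace(url, resolvable, tls_names, rewrite_on=True, max_hops=5):
    """Follow the modelled redirects as a client that can resolve only the
    names in `resolvable`. `tls_names` are the names the TLS virtual host
    and its certificate answer for. Returns (urls_visited, outcome)."""
    hops = []
    for _ in range(max_hops):
        hops.append(url)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in resolvable:
            return hops, "server-not-found"
        if parts.scheme == "https" and host not in tls_names:
            return hops, "tls-name-rejected"
        target = rewrite(url) if rewrite_on else None
        if target is None:
            return hops, "served"
        url = target
    return hops, "redirect-loop"


if __name__ == "__main__":
    # Outside client: only the public CNAME resolves, TLS knows only the FQDN.
    print(trace(f"http://{EXTERNAL}:8443/", {EXTERNAL}, {CANONICAL}))
    print(trace(f"https://{EXTERNAL}:8443/ipa/ui", {EXTERNAL}, {CANONICAL},
                rewrite_on=False))
```

The model leaves out Kerberos, which Rob notes can also break under a different name.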