[Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

Jan Pazdziora jpazdziora at redhat.com
Fri Jun 3 20:42:59 UTC 2016


On Thu, Jun 02, 2016 at 03:00:36PM +0200, Karl Forner wrote:
> 
> My problem is:
> I have an ipa.example.com server on the internal network, with
> self-signed certificates.
> I'd like to be able to connect to the UI from the internet, using
> https with other certificates (e.g. Let's Encrypt certificates).
> 
> So I tried to set up an SNI Apache reverse proxy, but I could not make it work.
> I saw this blog
> [https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy] but I can
> not use the same FQDN name for the LAN and the WAN.
> 
> I tried many, many things. I could have the login form, but never could
> connect. What is the correct way of doing this?

If the hostname of the proxy and the FreeIPA server differ, you will
likely need some additional configuration on the proxy, to make sure
cookies produced by the FreeIPA server are used by the browser for
the subsequent HTTP requests, and also to make the Referer header
match FreeIPA's expectations. Something like

	ProxyPassReverseCookieDomain ipa.example.com ipa.public.company.com
	RequestHeader edit Referer ^https://ipa\.public\.company\.com/ https://ipa.example.com/

Note that you will not be able to use SSO (Kerberos) authentication
for the accesses via the ipa.public.company.com proxy but I assume
that's not needed.

Hope this helps. I will likely do another writeup about this setup.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
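
An added example, not part of the original message or of FreeIPA's own documentation: an Apache 2.4 virtual host for the proxy that puts the two directives from the reply in context. The certificate paths and the backend CA file are placeholders, and verifying the internal server's certificate on the proxy is an assumption about how the backend should be trusted.

```apache
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers to be loaded.
<VirtualHost *:443>
    # Public name that browsers on the internet connect to
    ServerName ipa.public.company.com

    # Publicly trusted certificate for the public name (placeholder paths)
    SSLEngine on
    SSLCertificateFile    /path/to/ipa.public.company.com.crt
    SSLCertificateKeyFile /path/to/ipa.public.company.com.key

    # TLS towards the internal server. Rather than switching verification
    # off because the backend certificate is not publicly trusted, pin the
    # CA that issued it (placeholder path, assumed to be copied to the proxy).
    SSLProxyEngine on
    SSLProxyCACertificateFile /path/to/internal-ipa-ca.crt
    SSLProxyVerify require
    SSLProxyCheckPeerName on

    # Forward everything to the internal FreeIPA server. ProxyPreserveHost
    # stays at its default (Off), so the backend sees Host: ipa.example.com.
    ProxyPass        / https://ipa.example.com/
    ProxyPassReverse / https://ipa.example.com/

    # Rewrite the Domain attribute of cookies set by FreeIPA so the browser
    # sends them back to the public hostname on subsequent requests.
    ProxyPassReverseCookieDomain ipa.example.com ipa.public.company.com

    # FreeIPA checks the Referer header; present the internal name to it.
    RequestHeader edit Referer ^https://ipa\.public\.company\.com/ https://ipa.example.com/
</VirtualHost>
```

`apachectl configtest` checks the syntax before a reload; a login that succeeds but is followed by repeated login prompts usually means the session cookie is still scoped to the internal hostname.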



