[Freeipa-users] IPA Web UI behind proxy
Fraser Tweedale
ftweedal at redhat.com
Mon Apr 27 00:32:06 UTC 2015
On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote:
> Hi,
>
> Does anybody have any experience putting the IPA web UI behind a reverse
> proxy? In an attempt to allow our users to access the UI without browser
> warnings and without having to add the root CA certificate to their trusted
> store (there was some resistance to that idea), I set up an nginx server as
> a simple reverse proxy.
>
> Every request returns an "Unable to verify your Kerberos credentials" error
> page. The headers returned:
>
> $ http -h GET https://proxy/ipa
> HTTP/1.1 401 Unauthorized
> Accept-Ranges: bytes
> Connection: keep-alive
> Content-Length: 1474
> Content-Type: text/html; charset=UTF-8
> Date: Fri, 24 Apr 2015 18:43:06 GMT
> Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
> Server: nginx/1.4.6 (Ubuntu)
> WWW-Authenticate: Negotiate
>
> I saw this thread from 2013:
> https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065
>
> I'm sending the proper Host and Referer headers by the proxy as specified,
> and I modified the Apache rewriting rules to not redirect to the hostname
> of the backend IPA server.
>
> Any ideas how this can be done?
>
Hi Benjamen,
You could use a 3rd-party certificate (signed by trusted, public CA)
for the Web UI; see the guide:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
If you decide to continue with the Web UI behind a reverse proxy,
Simo recent blogged about Kerberos authentication issues with this
sort of setup; you may find inspiration here:
https://ssimo.org/blog/id_019.html
Cheers,
Fraser
> Thanks,
>
> --
> Benjamen Keroack
> *Infrastructure/DevOps Engineer*
> benjamen at dollarshaveclub.com
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list