[Freeipa-users] Access to IPA Web-UI with different domain names

Tomas Babej tbabej at redhat.com
Mon May 4 11:09:32 UTC 2015



On 05/04/2015 12:32 PM, Tomas Babej wrote:
>
>
> On 04/27/2015 06:06 PM, David Dimovski wrote:
>> Hi Folks,
>> does somebody have a best practice for how to access the IPA Web-UI with 
>> different domain names?
>>
>> Example:
>> Our IPA 4.1 has two different IPs (external and internal) with two 
>> domain names. The web GUI is only accessible from the domain name 
>> which IPA was registered with (internal domain name). When trying to 
>> access with the external domain name, IPA is rewriting to the internal 
>> domain name.
>>
>> After disabling the rewriting, the web UI is accessible from the two 
>> domain names, but the login is not possible from the external domain 
>> name (only internal domain name), getting the following error:
>> Logout session expired.
>>
>> Does somebody have an idea or a clue?
>>
>> Many thanks in advance!
>>
>> Best regards
>> David
>>
>>
>>
> Hi,
>
> one possible solution would be to set up a reverse proxy with the 
> external domain name, which would be passing the requests from the 
> external world to the internal IPA server.
>
> However, the proxy would need to circumvent our XSS protection and 
> rewrite the HTTP_REFERRER header to the internal hostname.
>
> I haven't tested it, so maybe additional issues would come up.
>
> Tomas
>
>

For the record, Alexander pointed out that this would not work well, as 
connections passed by the proxy to the internal IPA instance would be 
encrypted using the external server's HTTP service ticket.

A proper solution here would be to create an IPA replica with the 
external hostname.

Tomas