On 08/15/2013 04:02 PM, Jan Pazdziora wrote:
On Wed, Aug 14, 2013 at 09:36:42AM +0200, Petr Vobornik wrote:
On 08/14/2013 08:00 AM, Andrew Lau wrote:
Hi,

I've got my FreeIPA setup in an internal infrastructure, but I want to be
able to have users access the web UI externally. I tweaked the
ipa-rewrite.conf so it won't redirect me to the FQDN and then tried both a
nginx reverse proxy and port forwarding, both work if the client manually
sets the host name of the IPA server eg. ipa01.internaldomain.local in
their /etc/hosts file. However if the client tries to use eg.
ipa.externaldomain.com with the same port forwarding or nginx proxy config,
it'll silently error. The docs briefly touch on this - but don't really
give much to go on.

FreeIPA RPC API, which Web UI uses, requires the HTTP Referer header to
start with 'https://<ipa.server.hostname>/ipa'. Given that you are
using proxy, I assume that the referer is different and might be a
cause of the issue.

Moving to freeipa-devel -- how hard would it be to add support for
aliases -- alternate hostnames that the API would also understand as
valid?

Probably easy -- a new attribute for ipaGuiConfig, some code to check that in rpcserver.py, and tests.

Alternatively, how essential is this requirement for the referer
header -- couldn't it be dropped, maybe via some config option?

Without it, a malicious link/button on any webpage (or e-mail) could do any action in IPA, if clicked by a logged-in admin.

--
Petr³
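As an added illustration (not FreeIPA's own rpcserver.py code) of the Referer check Petr describes and of the alias idea Jan raises: the check parses the header instead of doing a plain string prefix match, accepts a configured set of alternate hostnames, and fails closed on a missing or malformed header. The hostnames are constructed and the alias list stands in for the proposed ipaGuiConfig attribute, which is hypothetical here.

```python
"""Referer check with hostname aliases, modelled on the FreeIPA RPC
server behaviour described in the thread (assumed; not FreeIPA code)."""
from urllib.parse import urlsplit

# Constructed configuration: the canonical IPA hostname plus the
# alternate names a reverse proxy or port forward might present.
# The alias list stands in for the proposed ipaGuiConfig attribute.
CANONICAL_HOST = "ipa01.internaldomain.local"
ALIAS_HOSTS = {"ipa.externaldomain.com"}


def allowed_hosts():
    """Canonical hostname plus aliases, normalised to lowercase."""
    return {CANONICAL_HOST.lower()} | {h.lower() for h in ALIAS_HOSTS}


def referer_ok(referer, hosts=None):
    """Return True when `referer` is an https URL whose host is one of
    the allowed IPA hostnames and whose path starts with /ipa.

    Parsing the URL (rather than a raw prefix match) means userinfo
    tricks such as https://ipa-host@evil.example/ipa and look-alike
    hosts such as ipa-host.evil.example are rejected. The port is not
    compared because a proxy may legitimately change it (assumption).
    """
    if not referer:
        return False  # missing header: fail closed
    hosts = allowed_hosts() if hosts is None else hosts
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False  # malformed URL (e.g. bad IPv6 literal)
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lowercased, userinfo and port stripped
    if host is None or host not in hosts:
        return False
    return parts.path.startswith("/ipa")


if __name__ == "__main__":
    for ref in ("https://ipa01.internaldomain.local/ipa/ui",
                "https://ipa.externaldomain.com/ipa/json",
                "http://ipa01.internaldomain.local/ipa",
                "https://ipa01.internaldomain.local.evil.example/ipa",
                "https://ipa01.internaldomain.local@evil.example/ipa",
                None):
        print(repr(ref), "->", referer_ok(ref))
```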

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel