On 05/26/2015 04:17 PM, Christian Heimes wrote:
On 2015-05-26 15:57, Nathaniel McCallum wrote:
/KdcProxy

"The URI uses the virtual directory /KdcProxy unless otherwise
configured."

https://msdn.microsoft.com/en-us/library/hh553891.aspx

Also, the proxy should be available over both HTTP and HTTPS.

Easy-peasy! I'm using /KdcProxy already and the default configuration
allows HTTP and HTTPS requests.

Just make sure it works with the IPA mighty https rewrite rule:

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
# (Quoted from the ipa-rewrite.conf template: "$$" is the template escape
# for a literal "$", and $FQDN is substituted with the server's hostname
# at install time.)
RewriteCond %{SERVER_PORT}  !^443$$
RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
RewriteRule ^/ipa/(.*)      https://$FQDN/ipa/$$1 [L,R=301,NC]


I prefer enabled by default unless there is some performance or
security consideration. Mere proxying isn't a security consideration
since we already expose the KDC by default.

My latest patch enables the proxy by default.

This is, indeed, a security problem. Do we have a strong use case for
per-replica control? If not, let's just do a single global control
since we can easily make this globally readable.

Martin and Petr both suggested per-replica configuration of the new
feature. Petr has argued it is a future-proof design. It will make
containerization of FreeIPA simpler as no schema change is required later.

I discussed this briefly with Nathaniel; if this is sufficiently easy/doable, I am fine with it. If not, then adding the global control may be the way for FreeIPA 4.2 GA, with the per-replica control implemented later.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
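To check Christian's point that the HTTP-to-HTTPS rewrite must not interfere with /KdcProxy, here is a small Python model of the quoted rewrite rule (an added example, not FreeIPA's own code; the hostname ipa.example.test is an assumption standing in for the $FQDN template variable). It shows that only /ipa/ paths requested on a port other than 443 are redirected, so a plain-HTTP request to /KdcProxy is passed through untouched, while the exemptions for /ipa/config, /ipa/errors, /ipa/crl and static assets behave as the comments in the template say.

```python
import re

# Assumed hostname; stands in for the $FQDN placeholder in ipa-rewrite.conf.
FQDN = "ipa.example.test"

# The three RewriteConds and the RewriteRule, with the template's "$$"
# rendered to a literal "$". RewriteCond patterns carry no [NC] flag, so they
# are case-sensitive; the RewriteRule has [NC], so it is case-insensitive.
_EXEMPT_PATHS = re.compile(r"^/ipa/(errors|config|crl)")
_STATIC_ASSET = re.compile(
    r"^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$"
)
_RULE = re.compile(r"^/ipa/(.*)", re.IGNORECASE)


def rewrite(server_port, request_uri):
    """Model of the quoted rule.

    server_port  -- value of %{SERVER_PORT}
    request_uri  -- value of %{REQUEST_URI} (path only; Apache strips the query)

    Returns the Location the 301 redirect would point at, or None when the
    request is served as-is.
    """
    # RewriteCond %{SERVER_PORT} !^443$
    if server_port == 443:
        return None
    # RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
    if _EXEMPT_PATHS.match(request_uri):
        return None
    # RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|...|\.eot)$
    if _STATIC_ASSET.match(request_uri):
        return None
    # RewriteRule ^/ipa/(.*) https://$FQDN/ipa/$1 [L,R=301,NC]
    m = _RULE.match(request_uri)
    if m is None:
        return None
    return "https://%s/ipa/%s" % (FQDN, m.group(1))


def kdcproxy_untouched_over_http():
    """The check Christian asks for: /KdcProxy on port 80 must not be redirected."""
    return rewrite(80, "/KdcProxy") is None


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for port, uri in [(80, "/KdcProxy"), (80, "/ipa/json"), (443, "/ipa/json"),
                      (80, "/ipa/config/ca.crt"), (80, "/ipa/ui/app.js"),
                      (80, "/IPA/session/login_password")]:
        print("%4d %-30s -> %s" % (port, uri, rewrite(port, uri) or "served as-is"))
```

Because the proxy lives at /KdcProxy rather than under /ipa/, the rule never sees it, which is why the default configuration can serve the proxy over both HTTP and HTTPS without any further exemption.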