On Tue, May 30, 2017 at 10:46:59AM -0500, Ian Pilcher via FreeIPA-users wrote: > On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote: > > On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote: > > > I am not saying “instead of”. We are using standard authetication > > > provided by FreeIPA, but I want to protect Web UI interface from unwanted > > > attention as it is, unfortunately, exposed to entire internet. I’d be > > > much happier if Apache could reject (or redirect) any client which is not > > > presenting required certificate even before any authentication attempt is > > > started. > > > That is not to say that the whole server is exposed, but 443 port is. > > > > > Thanks for explaining. > > Maybe I'm missing something in this thread, but couldn't the OP simply > put a reverse proxy in front of the Internet-exposed port? > What you are missing: the client tools do not support certificate authentication (yet). _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"
Fraser Tweedale via FreeIPA-users Tue, 30 May 2017 16:31:09 -0700
- [Freeipa-users] ipa command breaks by ... Ivars Strazdiņš via FreeIPA-users
- [Freeipa-users] Re: ipa command b... Alexander Bokovoy via FreeIPA-users
- [Freeipa-users] Re: ipa comma... Fraser Tweedale via FreeIPA-users
- [Freeipa-users] Re: ipa c... Ivars Strazdiņš via FreeIPA-users
- [Freeipa-users] Re: i... Fraser Tweedale via FreeIPA-users
- [Freeipa-users] ... Ian Pilcher via FreeIPA-users
- [Freeipa-use... Fraser Tweedale via FreeIPA-users
- [Freeipa... Ian Pilcher via FreeIPA-users
- [Freeipa-use... Ivars Strazdiņš via FreeIPA-users