Does anybody have any experience putting the IPA web UI behind a reverse
proxy? In an attempt to allow our users to access the UI without browser
warnings and without having to add the root CA certificate to their trusted
store (there was some resistance to that idea), I set up an nginx server as
a simple reverse proxy.

Every request returns an "Unable to verify your Kerberos credentials" error
page. The headers returned:

$ http -h GET https://proxy/ipa
HTTP/1.1 401 Unauthorized
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 1474
Content-Type: text/html; charset=UTF-8
Date: Fri, 24 Apr 2015 18:43:06 GMT
Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
Server: nginx/1.4.6 (Ubuntu)
WWW-Authenticate: Negotiate

I saw this thread from 2013:

I'm sending the proper Host and Referer headers by the proxy as specified,
and I modified the Apache rewriting rules to not redirect to the hostname
of the backend IPA server.

Any ideas how this can be done?


Benjamen Keroack
*Infrastructure/DevOps Engineer*
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to