On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote:
> Hi,
> 
> Does anybody have any experience putting the IPA web UI behind a reverse
> proxy? In an attempt to allow our users to access the UI without browser
> warnings and without having to add the root CA certificate to their trusted
> store (there was some resistance to that idea), I set up an nginx server as
> a simple reverse proxy.
> 
> Every request returns an "Unable to verify your Kerberos credentials" error
> page. The headers returned:
> 
> $ http -h GET https://proxy/ipa
> HTTP/1.1 401 Unauthorized
> Accept-Ranges: bytes
> Connection: keep-alive
> Content-Length: 1474
> Content-Type: text/html; charset=UTF-8
> Date: Fri, 24 Apr 2015 18:43:06 GMT
> Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
> Server: nginx/1.4.6 (Ubuntu)
> WWW-Authenticate: Negotiate
> 
> I saw this thread from 2013:
> https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065
> 
> I'm sending the proper Host and Referer headers by the proxy as specified,
> and I modified the Apache rewriting rules to not redirect to the hostname
> of the backend IPA server.
> 
> Any ideas how this can be done?
> 
Hi Benjamen,

You could use a 3rd-party certificate (signed by trusted, public CA)
for the Web UI; see the guide:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

If you decide to continue with the Web UI behind a reverse proxy,
Simo recently blogged about Kerberos authentication issues with this
sort of setup; you may find inspiration here:
https://ssimo.org/blog/id_019.html

Cheers,
Fraser

> Thanks,
> 
> -- 
> Benjamen Keroack
> *Infrastructure/DevOps Engineer*
> benja...@dollarshaveclub.com


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
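An added diagnostic for the setup Benjamen describes (example code written for this
page, not from the thread or from FreeIPA): it decodes the Authorization: Negotiate
token a browser sends and returns the service principal the Kerberos ticket inside it
was issued for. Browsers derive the SPN from the host they connected to, so behind a
proxy the ticket is typically for HTTP/<proxy host>; if the IPA server's HTTP keytab
only holds HTTP/<ipa host>, the server cannot decrypt the ticket and answers 401 with
the "Unable to verify your Kerberos credentials" page. A Ticket's realm and sname are
not encrypted (RFC 4120), so no keys are needed to read them. The host and realm names
in the sample token are assumptions made up for the example.

```python
"""Show which service principal the Kerberos ticket inside a browser's
'Authorization: Negotiate <token>' header was issued for.

Added diagnostic example for this thread; it is not FreeIPA code.  Only the
DER skeleton of the SPNEGO/krb5 token is walked; the Ticket's enc-part is
encrypted and is left opaque, but realm and sname sit in clear (RFC 4120).
The sample token is constructed here for the hypothetical host
proxy.example.com in realm EXAMPLE.COM (assumed names).
"""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
KRB5_TOK_ID_AP_REQ = b"\x01\x00"                  # RFC 4121 TOK_ID before the AP-REQ (not DER)


def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_read(buf, pos):
    """Return (tag, content, next_pos) for the single-byte-tag TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def find_ticket(buf):
    """Depth-first walk; return the content of the first [APPLICATION 1] Ticket, else None."""
    pos = 0
    try:
        while pos < len(buf):
            tag, content, pos = der_read(buf, pos)
            if tag == 0x61:                                   # [APPLICATION 1] Ticket
                return content
            if tag == 0x06 and content == KRB5_OID and buf[pos:pos + 2] == KRB5_TOK_ID_AP_REQ:
                pos += 2                                      # skip the 2-byte TOK_ID
            elif tag & 0x20 or tag == 0x04:                   # constructed, or OCTET STRING mechToken
                found = find_ticket(content)
                if found is not None:
                    return found
    except IndexError:
        pass                                                  # an OCTET STRING that was not DER
    return None


def ticket_principal(ticket):
    """Return 'service/host@REALM' from a Ticket body (the SEQUENCE inside [APPLICATION 1])."""
    _, seq, _ = der_read(ticket, 0)
    realm, names, pos = None, [], 0
    while pos < len(seq):
        tag, content, pos = der_read(seq, pos)
        if tag == 0xA1:                                       # [1] realm, GeneralString
            realm = der_read(content, 0)[1].decode()
        elif tag == 0xA2:                                     # [2] sname PrincipalName
            _, pn, _ = der_read(content, 0)                   # SEQUENCE {[0] name-type, [1] name-string}
            p = 0
            while p < len(pn):
                t, c, p = der_read(pn, p)
                if t == 0xA1:
                    _, seq_of, _ = der_read(c, 0)             # SEQUENCE OF GeneralString
                    q = 0
                    while q < len(seq_of):
                        _, s, q = der_read(seq_of, q)
                        names.append(s.decode())
    return "/".join(names) + "@" + realm


def negotiate_target(header_value):
    """Principal the browser's ticket names, or None if the token carries no Kerberos ticket."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        return None                                           # NTLM fallback: no ticket at all
    ticket = find_ticket(token)
    return ticket_principal(ticket) if ticket is not None else None


def build_sample_token(service, host, realm):
    """Construct (for this example only) an SPNEGO NegTokenInit wrapping a krb5 AP-REQ
    whose Ticket is for service/host@realm.  Cipher fields are dummy zero bytes."""
    def gs(s): return tlv(0x1B, s.encode())                  # GeneralString
    def ctx(n, c): return tlv(0xA0 | n, c)                   # [n] EXPLICIT
    def integer(v): return tlv(0x02, bytes([v]))
    name = tlv(0x30, ctx(0, integer(2)) + ctx(1, tlv(0x30, gs(service) + gs(host))))  # NT-SRV-HST
    enc = tlv(0x30, ctx(0, integer(18)) + ctx(2, tlv(0x04, b"\x00" * 16)))            # etype 18, dummy
    ticket = tlv(0x61, tlv(0x30, ctx(0, integer(5)) + ctx(1, gs(realm)) + ctx(2, name) + ctx(3, enc)))
    ap_req = tlv(0x6E, tlv(0x30, ctx(0, integer(5)) + ctx(1, integer(14)) + ctx(2, tlv(0x03, b"\x00" * 5))
                     + ctx(3, ticket) + ctx(4, enc)))                                   # enc reused as authenticator
    krb5 = tlv(0x60, tlv(0x06, KRB5_OID) + KRB5_TOK_ID_AP_REQ + ap_req)
    init = ctx(0, tlv(0x30, ctx(0, tlv(0x30, tlv(0x06, KRB5_OID))) + ctx(2, tlv(0x04, krb5))))
    return "Negotiate " + base64.b64encode(tlv(0x60, tlv(0x06, SPNEGO_OID) + init)).decode()


if __name__ == "__main__":
    for host in ("proxy.example.com", "ipa.example.com"):
        print(host, "->", negotiate_target(build_sample_token("HTTP", host, "EXAMPLE.COM")))
```

To use it against a real session, copy the Authorization header value from the browser's
network inspector into negotiate_target() and compare the principal it returns with the
entries in the IPA server's HTTP keytab (`klist -kt /etc/httpd/conf/ipa.keytab` on a
stock install). A ticket for HTTP/proxy... while the keytab only has HTTP/ipa... is the
mismatch Simo's post is about; a None result means the browser never obtained a
Kerberos ticket at all (no TGT, or the proxy host is not in a trusted-URIs list).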
