Hi Fraser, I actually attempted that procedure (https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP) but it completely broke my IPA install. I could no longer log in with any users, including admin; enrollment/client auth broke, etc. Unfortunately I couldn't find any way to roll back to the self-signed CA cert, so I ended up having to do a full re-provision and reinstall.
Needless to say, I'm a bit reticent to try that again.

On Sun, Apr 26, 2015 at 5:32 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote:
> > Hi,
> >
> > Does anybody have any experience putting the IPA web UI behind a reverse
> > proxy? In an attempt to allow our users to access the UI without browser
> > warnings and without having to add the root CA certificate to their trusted
> > store (there was some resistance to that idea), I set up an nginx server as
> > a simple reverse proxy.
> >
> > Every request returns an "Unable to verify your Kerberos credentials" error
> > page. The headers returned:
> >
> > $ http -h GET https://proxy/ipa
> > HTTP/1.1 401 Unauthorized
> > Accept-Ranges: bytes
> > Connection: keep-alive
> > Content-Length: 1474
> > Content-Type: text/html; charset=UTF-8
> > Date: Fri, 24 Apr 2015 18:43:06 GMT
> > Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
> > Server: nginx/1.4.6 (Ubuntu)
> > WWW-Authenticate: Negotiate
> >
> > I saw this thread from 2013:
> > https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065
> >
> > I'm sending the proper Host and Referer headers by the proxy as specified,
> > and I modified the Apache rewriting rules to not redirect to the hostname
> > of the backend IPA server.
> >
> > Any ideas how this can be done?
> >
> Hi Benjamen,
>
> You could use a 3rd-party certificate (signed by a trusted, public CA)
> for the Web UI; see the guide:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> If you decide to continue with the Web UI behind a reverse proxy,
> Simo recently blogged about Kerberos authentication issues with this
> sort of setup; you may find inspiration here:
> https://ssimo.org/blog/id_019.html
>
> Cheers,
> Fraser
>
> > Thanks,
> >
> > --
> > Benjamen Keroack
> > *Infrastructure/DevOps Engineer*
> > benja...@dollarshaveclub.com
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>

--
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benja...@dollarshaveclub.com
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project