I actually attempted that procedure (
it completely broke my IPA install. I could no longer log in with any users
including admin, enrollment/client auth broke, etc. Unfortunately I
couldn't find any way to roll back to the self-signed CA cert so I ended up
having to do a full re-provision and reinstall.
Needless to say, I'm a bit reticent to try that again.
On Sun, Apr 26, 2015 at 5:32 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote:
> > Hi,
> > Does anybody have any experience putting the IPA web UI behind a reverse
> > proxy? In an attempt to allow our users to access the UI without browser
> > warnings and without having to add the root CA certificate to their
> > store (there was some resistance to that idea), I set up an nginx server
> > as a simple reverse proxy.
> > Every request returns an "Unable to verify your Kerberos credentials"
> > page. The headers returned:
> > $ http -h GET https://proxy/ipa
> > HTTP/1.1 401 Unauthorized
> > Accept-Ranges: bytes
> > Connection: keep-alive
> > Content-Length: 1474
> > Content-Type: text/html; charset=UTF-8
> > Date: Fri, 24 Apr 2015 18:43:06 GMT
> > Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
> > Server: nginx/1.4.6 (Ubuntu)
> > WWW-Authenticate: Negotiate
> > I saw this thread from 2013:
> > I'm sending the proper Host and Referer headers by the proxy as
> > and I modified the Apache rewriting rules to not redirect to the hostname
> > of the backend IPA server.
> > Any ideas how this can be done?
> Hi Benjamen,
> You could use a 3rd-party certificate (signed by trusted, public CA)
> for the Web UI; see the guide:
> If you decide to continue with the Web UI behind a reverse proxy,
> Simo recently blogged about Kerberos authentication issues with this
> sort of setup; you may find inspiration here:
> > Thanks,
> > --
> > Benjamen Keroack
> > *Infrastructure/DevOps Engineer*
> > benja...@dollarshaveclub.com
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project