On Thu, Jun 02, 2016 at 03:00:36PM +0200, Karl Forner wrote:
> My problem is:
> I have an ipa.example.com server on the internal network, with
> self-signed certificates.
> I'd like to be able to connect to the UI from the internet, using
> https with other certificates (e.g. let's encrypt certificates).
> So I tried to setup an SNI apache reverse proxy, but I could not make it work.
> I saw this blog
> [https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy] but I can
> not use the same FQDN name for the LAN and the WAN.
> I tried many many things, I could have the login form, but never could
> not connect. What is the correct way of doing this ?

If the hostname of the proxy and the FreeIPA server differ, you will
likely need some additional configuration on the proxy, to make sure
cookies produced by the FreeIPA server are used by the browser for
the subsequent HTTP requests, and also to make the Referer header
match FreeIPA's expectations. Something like

        ProxyPassReverseCookieDomain ipa.example.com ipa.public.company.com
        RequestHeader edit Referer ^https://ipa\.public\.company\.com/ 

Note that you will not be able to use SSO (Kerberos) authentication
for the accesses via the ipa.public.company.com proxy but I assume
that's not needed.

Hope this helps. I will likely do another writeup about this setup.

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to