Harry Kashouli wrote:
I tried uncommenting everything in the ipa-rewrite.conf file, but it
still changed the web address. I'll try clearing the cache, in case that
was still remembering the links.

I may be attacking my original thought badly, if this is going to be bad
for security. I'm wanting to allow users to change their passwords
remotely, so I figured giving them public access to the Web UI was the
way to go. Is there a better solution?

Moving back to list.

Getting the rewrite rules right can be tricky sometimes. You might have an easier time using a proxy instead. Exposing the UI increases the attack surface area so as usual it's a balance of security and convenience that you need to assess.

A community portal was started last summer but has largely stalled. This is the long-term plan for what you're looking for. The design and a pointer to the current code are at https://www.freeipa.org/page/V4/Community_Portal



On 11 July 2016 at 19:56, Rob Crittenden <rcrit...@redhat.com> wrote:

    Harry Kashouli wrote:

        Hi all,

        I have a freeipa server set up, and would like to access the Web UI
        remotely (from outside my home network).

        I set up a fresh Fedora 24 server install, and installed
           - I own a domain, domain.com
           - The hostname of my freeipa server is
             hostname.subdomain.domain.com
           - My home network domain is subdomain.domain.com

        I set up a CNAME hostname.domain.com and
        port forwardings, and I tested this works with nginx on the same
        machine; I can successfully see the nginx test page.
        I then assumed I could do the same with the freeipa Web UI, but
        when I navigate to http://hostname.domain.com:<external_port>, it
        switches to
        https://hostname.subdomain.domain.com:<internal_port>, and with the
        following error: "Server not found"

        What am I doing wrong?

    Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
    to the real name of the IPA server when it was installed. You can
    try tweaking this to allow both names, or to just not do the rewriting.

    You may have issues with Kerberos and SSL due to using a different name.

    You definitely don't want to use IPA over an unsecure channel.

