Harry Kashouli wrote:

I tried uncommenting everything in the ipa-rewrite.conf file, but it
still changed the web address. I'll try clearing the cache, in case that
was still remembering the links.

I may be attacking my original thought badly, if this is going to be bad
for security. I'm wanting to allow users to change their passwords
remotely, so I figured giving them public access to the Web UI was the
way to go. Is there a better solution?

Moving back to list.

Getting the rewrite rules right can be tricky sometimes. You might have
an easier time using a proxy instead. Exposing the UI increases the
attack surface area so as usual it's a balance of security and
convenience that you need to assess.
A community portal was started last summer but has largely stalled. This
is the long-term plan for what you're looking for. The design and a
pointer to the current code is at
On 11 July 2016 at 19:56, Rob Crittenden <rcrit...@redhat.com
Harry Kashouli wrote:
I have a freeipa server set up, and would like to access the Web UI
remotely (from outside my home network).
I set up a fresh Fedora 24 server install, and installed
- I own a domain, domain.com
- The hostname of my freeipa server is
- My home network domain is subdomain.domain.com
I set up a CNAME hostname.domain.com and
port forwardings, and I tested this works with nginx on the same
machine; I can successfully see the nginx test page.
I then assumed I could do the same with the freeipa Web UI, but
navigate to http://hostname.domain.com:<external_port>, it
https://hostname.subdomain.domain.com:<internal_port>, and with the
following error: "Server not found"
What am I doing wrong?

Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
to the real name of the IPA server when it was installed. You can
try tweaking this to allow both names, or to just not do the rewriting.
You may have issues with Kerberos and SSL due to using a different name.
You definitely don't want to use IPA over an unsecure channel.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project