Thanks for all the info. I think I sorted out the rewrite rules now, and
the error I get is "Secure Connection Failed.
SSL_ERROR_UNRECOGNIZED_NAME_ALERT".

I'm going to try and google this, since I'm assuming I need a ServerAlias
somewhere. If someone knows the correct way, please let me know :)

-Harry

On 13 July 2016 at 08:11, Rob Crittenden <rcrit...@redhat.com> wrote:

> Harry Kashouli wrote:
>
>> I tried uncommenting everything in the ipa-rewrite.conf file, but it
>> still changed the web address. I'll try clearing the cache, in case that
>> was still remembering the links.
>>
>> I may be attacking my original thought badly, if this is going to be bad
>> for security. I'm wanting to allow users to change their passwords
>> remotely, so I figured giving them public access to the Web UI was the
>> way to go. Is there a better solution?
>>
>
> Moving back to list.
>
> Getting the rewrite rules right can be tricky sometimes. You might have an
> easier time using a proxy instead. Exposing the UI increases the attack
> surface area so as usual it's a balance of security and convenience that
> you need to assess.
>
> A community portal was started last summer but has largely stalled. This
> is the long-term plan for what you're looking for. The design and a pointer
> to the current code is at https://www.freeipa.org/page/V4/Community_Portal
>
> rob
>
>
>> -Harry
>>
>> On 11 July 2016 at 19:56, Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>> wrote:
>>
>>     Harry Kashouli wrote:
>>
>>         Hi all,
>>
>>         I have a freeipa server set up, and would like to access the Web
>> UI
>>         remotely (from outside my home network).
>>
>>         I set up a fresh Fedora 24 server install, and installed
>>         freeipa-server.
>>            - I own a domain, domain.com <http://domain.com>
>>         <http://domain.com>
>>            - The hostname of my freeipa server is
>>         hostname.subdomain.domain.com <
>> http://hostname.subdomain.domain.com>
>>         <http://hostname.subdomain.domain.com>
>>            - My home network domain is subdomain.domain.com
>>         <http://subdomain.domain.com>
>>         <http://subdomain.domain.com>
>>
>>         I set up a CNAME hostname.domain.com
>>         <http://hostname.domain.com> <http://hostname.domain.com> and
>>         port forwardings, and I tested this works with nginx on the same
>>         machine; I can successfully see the nginx test page.
>>         I then assumed I could do the same with the freeipa Web UI, but
>>         when I
>>         navigate to http://hostname.domain.com:<external_port>, it
>>         switches to
>>         https://hostname.subdomain.domain.com:<internal_port>, and with
>> the
>>         following error: "Server not found"
>>
>>         What am I doing wrong?
>>
>>
>>     Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
>>     to the real name of the IPA server when it was installed. You can
>>     try tweaking this to allow both names, or to just not do the
>> rewriting.
>>
>>     You may have issues with Kerberos and SSL due to using a different
>> name.
>>
>>     You definitely don't want to use IPA over an unsecure channel.
>>
>>     rob
>>
>>
>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to