Thanks for all the info. I think I sorted out the rewrite rules now, and the error I get is "Secure Connection Failed. SSL_ERROR_UNRECOGNIZED_NAME_ALERT".
I'm going to try and google this, since I'm assuming I need a ServerAlias somewhere. If someone knows the correct way, please let me know :)

-Harry

On 13 July 2016 at 08:11, Rob Crittenden <rcrit...@redhat.com> wrote:

> Harry Kashouli wrote:
>
>> I tried uncommenting everything in the ipa-rewrite.conf file, but it
>> still changed the web address. I'll try clearing the cache, in case that
>> was still remembering the links.
>>
>> I may be attacking my original thought badly, if this is going to be bad
>> for security. I'm wanting to allow users to change their passwords
>> remotely, so I figured giving them public access to the Web UI was the
>> way to go. Is there a better solution?
>>
>
> Moving back to list.
>
> Getting the rewrite rules right can be tricky sometimes. You might have an
> easier time using a proxy instead. Exposing the UI increases the attack
> surface area so as usual it's a balance of security and convenience that
> you need to assess.
>
> A community portal was started last summer but has largely stalled. This
> is the long-term plan for what you're looking for. The design and a pointer
> to the current code is at https://www.freeipa.org/page/V4/Community_Portal
>
> rob
>
>
>> -Harry
>>
>> On 11 July 2016 at 19:56, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>     Harry Kashouli wrote:
>>
>>         Hi all,
>>
>>         I have a freeipa server set up, and would like to access the Web UI
>>         remotely (from outside my home network).
>>
>>         I set up a fresh Fedora 24 server install, and installed
>>         freeipa-server.
>>         - I own a domain, domain.com
>>         - The hostname of my freeipa server is
>>           hostname.subdomain.domain.com
>>         - My home network domain is subdomain.domain.com
>>
>>         I set up a CNAME hostname.domain.com and
>>         port forwardings, and I tested this works with nginx on the same
>>         machine; I can successfully see the nginx test page.
>>         I then assumed I could do the same with the freeipa Web UI, but when I
>>         navigate to http://hostname.domain.com:<external_port>, it switches to
>>         https://hostname.subdomain.domain.com:<internal_port>, and with the
>>         following error: "Server not found"
>>
>>         What am I doing wrong?
>>
>>
>>     Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
>>     to the real name of the IPA server when it was installed. You can
>>     try tweaking this to allow both names, or to just not do the
>>     rewriting.
>>
>>     You may have issues with Kerberos and SSL due to using a different
>>     name.
>>
>>     You definitely don't want to use IPA over an unsecure channel.
>>
>>     rob
>>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project