Re: [Freeipa-users] IPA Web UI behind proxy
Hi Fraser,

I actually attempted that procedure
(https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP)
but it completely broke my IPA install. I could no longer log in with any
users including admin, enrollment/client auth broke, etc. Unfortunately I
couldn't find any way to roll back to the self-signed CA cert so I ended up
having to do a full re-provision and reinstall. Needless to say, I'm a bit
reticent to try that again.

On Sun, Apr 26, 2015 at 5:32 PM, Fraser Tweedale wrote:
> On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote:
> > Hi,
> >
> > Does anybody have any experience putting the IPA web UI behind a reverse
> > proxy? In an attempt to allow our users to access the UI without browser
> > warnings and without having to add the root CA certificate to their
> > trusted store (there was some resistance to that idea), I set up an nginx
> > server as a simple reverse proxy.
> >
> > Every request returns an "Unable to verify your Kerberos credentials"
> > error page. The headers returned:
> >
> > $ http -h GET https://proxy/ipa
> > HTTP/1.1 401 Unauthorized
> > Accept-Ranges: bytes
> > Connection: keep-alive
> > Content-Length: 1474
> > Content-Type: text/html; charset=UTF-8
> > Date: Fri, 24 Apr 2015 18:43:06 GMT
> > Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
> > Server: nginx/1.4.6 (Ubuntu)
> > WWW-Authenticate: Negotiate
> >
> > I saw this thread from 2013:
> > https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065
> >
> > I'm sending the proper Host and Referer headers by the proxy as
> > specified, and I modified the Apache rewriting rules to not redirect to
> > the hostname of the backend IPA server.
> >
> > Any ideas how this can be done?
>
> Hi Benjamen,
>
> You could use a 3rd-party certificate (signed by trusted, public CA)
> for the Web UI; see the guide:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> If you decide to continue with the Web UI behind a reverse proxy,
> Simo recently blogged about Kerberos authentication issues with this
> sort of setup; you may find inspiration here:
> https://ssimo.org/blog/id_019.html
>
> Cheers,
> Fraser
>
> > Thanks,

--
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benja...@dollarshaveclub.com

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA Web UI behind proxy
On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote:
> Hi,
>
> Does anybody have any experience putting the IPA web UI behind a reverse
> proxy? In an attempt to allow our users to access the UI without browser
> warnings and without having to add the root CA certificate to their trusted
> store (there was some resistance to that idea), I set up an nginx server as
> a simple reverse proxy.
>
> Every request returns an "Unable to verify your Kerberos credentials" error
> page. The headers returned:
>
> $ http -h GET https://proxy/ipa
> HTTP/1.1 401 Unauthorized
> Accept-Ranges: bytes
> Connection: keep-alive
> Content-Length: 1474
> Content-Type: text/html; charset=UTF-8
> Date: Fri, 24 Apr 2015 18:43:06 GMT
> Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
> Server: nginx/1.4.6 (Ubuntu)
> WWW-Authenticate: Negotiate
>
> I saw this thread from 2013:
> https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065
>
> I'm sending the proper Host and Referer headers by the proxy as specified,
> and I modified the Apache rewriting rules to not redirect to the hostname
> of the backend IPA server.
>
> Any ideas how this can be done?

Hi Benjamen,

You could use a 3rd-party certificate (signed by trusted, public CA)
for the Web UI; see the guide:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

If you decide to continue with the Web UI behind a reverse proxy,
Simo recently blogged about Kerberos authentication issues with this
sort of setup; you may find inspiration here:
https://ssimo.org/blog/id_019.html

Cheers,
Fraser

> Thanks,
[Freeipa-users] IPA Web UI behind proxy
Hi,

Does anybody have any experience putting the IPA web UI behind a reverse
proxy? In an attempt to allow our users to access the UI without browser
warnings and without having to add the root CA certificate to their trusted
store (there was some resistance to that idea), I set up an nginx server as
a simple reverse proxy.

Every request returns an "Unable to verify your Kerberos credentials" error
page. The headers returned:

$ http -h GET https://proxy/ipa
HTTP/1.1 401 Unauthorized
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 1474
Content-Type: text/html; charset=UTF-8
Date: Fri, 24 Apr 2015 18:43:06 GMT
Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
Server: nginx/1.4.6 (Ubuntu)
WWW-Authenticate: Negotiate

I saw this thread from 2013:
https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065

I'm sending the proper Host and Referer headers by the proxy as specified,
and I modified the Apache rewriting rules to not redirect to the hostname
of the backend IPA server.

Any ideas how this can be done?

Thanks,

--
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benja...@dollarshaveclub.com
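The reverse-proxy setup the post describes, written out as an added example (not configuration from the thread or from the FreeIPA project); the hostnames, paths and certificate files are assumptions:

```nginx
# Added illustration, not configuration posted in the thread: a minimal
# nginx reverse proxy in front of the IPA Web UI as the original post
# describes it. Hostnames, paths and certificate files are placeholders.
server {
    listen 443 ssl;
    server_name proxy.example.com;              # name users browse to

    # Certificate from a public CA, so browsers trust the proxy without
    # having the IPA root CA imported into their trust store.
    ssl_certificate     /etc/nginx/ssl/proxy.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/proxy.example.com.key;

    location / {
        proxy_pass https://ipa.example.com;      # backend IPA server

        # What the 2013 thread referenced in the post asks for: the IPA
        # backend checks Host and Referer, so present its own name in both.
        proxy_set_header Host    ipa.example.com;
        proxy_set_header Referer https://ipa.example.com/ipa/ui;

        # Rewrite Location headers that name the backend so they point at
        # the proxy instead; an alternative to editing the backend's Apache
        # rewrite rules as the poster did.
        proxy_redirect https://ipa.example.com/ https://proxy.example.com/;
    }
}
```

With this configuration the browser still negotiates Kerberos for the proxy's hostname rather than for the backend's HTTP service principal, which is the authentication issue Fraser's reply points to; the example reproduces the proxied setup, it does not resolve that failure.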