Re: [Freeipa-users] how to make fIPA stick to only...
On 05/07/16 18:20, Rob Crittenden wrote: Alexander Bokovoy wrote: On Mon, 04 Jul 2016, lejeczek wrote: On 04/07/16 07:59, Petr Spacek wrote: On 1.7.2016 16:29, lejeczek wrote: On 01/07/16 12:41, Petr Vobornik wrote: On 06/30/2016 04:56 PM, lejeczek wrote: ... its own FQHN and its IP ? hi users, I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible? many thanks, L. Hi L. Could you describe your environment and use case in more details. It is not clear to me what you are trying to achieve or what doesn't work for you. Thank you gee, I though my scenario would be quite common among users, take a box with more then one net ifs, or even multiple IPs - what would be nice to have is fIPA webui resides/runs only on that FQHN and that IP to which hostname resolves. Eg, here is one single system: box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/) ipa.my.dom.local 10.10.1.2 currently I get fIPA's webui everywhere, but I'd like it to be only at ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP) I think it would be great to have included (maybe as comments/options) this in Apache's configs of IPA furure releases, if possible. Is it possible to construct such rules? Or there is different, simpler way? I'm still trying to understand your use-case. Why exactly you need to limit the web UI to one 'host name' while keeping it on the same box? I'm sorry I cannot explain this better, I my mind it's really simple, if I installed an instance of IPA on a ipa.my.dom.local and the system is a multi-homed/IP host I'd like webui to run only on that host/IP This should not even be a matter of "image a situation where" but rather assume that IPA's are deployed on such installations and then - why would fIPA have to monopolize all the IP's/IFs there are? Me, I'd like to be able to use httpd under a root of host's other FQHN/IPs with other things. Your IPA masters hold passwords and keys to your company's infrastructure. We recommend to avoid sharing the servers used for running IPA masters with any other applications because any compromise of those applications can and will be used for taking over your infrastructure as you have so nicely given the keys to its heart by co-sharing the same system. It is up to you on how you make up your system defense. We as FreeIPA upstream developers put considerate effort in ensuring our default setup is secure enough to avoid such breaches. If you want to co-locate other applications, you need to understand what you are doing and how that affects your security. Effectively, you are on your own on this path. FTR, I think this is mostly controlled in ipa-rewrite.conf. If the requested host is not the IPA host or the port is not 443 or the request is for / then ALL requests are redirected to the https://IPAHOST/ipa/ui This file should have enough comments to figure out what part is doing what if you wanted to tweak it. I have to agree with Alexander though. Running multiple services on what should be the core of your infrastructure isn't recommended. rob I know chaps, yes, safety is when paranoia next to it, together does look like normal wording, I understand. yes, that I think is the config and seems that to control this behaviour is that one rewrite rule. However, you must also realize that fIPA admins rarely do install on a separate, dedicated boxes, instead I believe these are "heavy, bulky" and fast and multi-role/connected systems. So having an easy way to control fIPA webui config as an option(if not as default) is great, and it seems it's there. thanks. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] how to make fIPA stick to only...
Alexander Bokovoy wrote: On Mon, 04 Jul 2016, lejeczek wrote: On 04/07/16 07:59, Petr Spacek wrote: On 1.7.2016 16:29, lejeczek wrote: On 01/07/16 12:41, Petr Vobornik wrote: On 06/30/2016 04:56 PM, lejeczek wrote: ... its own FQHN and its IP ? hi users, I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible? many thanks, L. Hi L. Could you describe your environment and use case in more details. It is not clear to me what you are trying to achieve or what doesn't work for you. Thank you gee, I though my scenario would be quite common among users, take a box with more then one net ifs, or even multiple IPs - what would be nice to have is fIPA webui resides/runs only on that FQHN and that IP to which hostname resolves. Eg, here is one single system: box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/) ipa.my.dom.local 10.10.1.2 currently I get fIPA's webui everywhere, but I'd like it to be only at ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP) I think it would be great to have included (maybe as comments/options) this in Apache's configs of IPA furure releases, if possible. Is it possible to construct such rules? Or there is different, simpler way? I'm still trying to understand your use-case. Why exactly you need to limit the web UI to one 'host name' while keeping it on the same box? I'm sorry I cannot explain this better, I my mind it's really simple, if I installed an instance of IPA on a ipa.my.dom.local and the system is a multi-homed/IP host I'd like webui to run only on that host/IP This should not even be a matter of "image a situation where" but rather assume that IPA's are deployed on such installations and then - why would fIPA have to monopolize all the IP's/IFs there are? Me, I'd like to be able to use httpd under a root of host's other FQHN/IPs with other things. Your IPA masters hold passwords and keys to your company's infrastructure. We recommend to avoid sharing the servers used for running IPA masters with any other applications because any compromise of those applications can and will be used for taking over your infrastructure as you have so nicely given the keys to its heart by co-sharing the same system. It is up to you on how you make up your system defense. We as FreeIPA upstream developers put considerate effort in ensuring our default setup is secure enough to avoid such breaches. If you want to co-locate other applications, you need to understand what you are doing and how that affects your security. Effectively, you are on your own on this path. FTR, I think this is mostly controlled in ipa-rewrite.conf. If the requested host is not the IPA host or the port is not 443 or the request is for / then ALL requests are redirected to the https://IPAHOST/ipa/ui This file should have enough comments to figure out what part is doing what if you wanted to tweak it. I have to agree with Alexander though. Running multiple services on what should be the core of your infrastructure isn't recommended. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] how to make fIPA stick to only...
On Mon, 04 Jul 2016, lejeczek wrote: On 04/07/16 07:59, Petr Spacek wrote: On 1.7.2016 16:29, lejeczek wrote: On 01/07/16 12:41, Petr Vobornik wrote: On 06/30/2016 04:56 PM, lejeczek wrote: ... its own FQHN and its IP ? hi users, I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible? many thanks, L. Hi L. Could you describe your environment and use case in more details. It is not clear to me what you are trying to achieve or what doesn't work for you. Thank you gee, I though my scenario would be quite common among users, take a box with more then one net ifs, or even multiple IPs - what would be nice to have is fIPA webui resides/runs only on that FQHN and that IP to which hostname resolves. Eg, here is one single system: box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/) ipa.my.dom.local 10.10.1.2 currently I get fIPA's webui everywhere, but I'd like it to be only at ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP) I think it would be great to have included (maybe as comments/options) this in Apache's configs of IPA furure releases, if possible. Is it possible to construct such rules? Or there is different, simpler way? I'm still trying to understand your use-case. Why exactly you need to limit the web UI to one 'host name' while keeping it on the same box? I'm sorry I cannot explain this better, I my mind it's really simple, if I installed an instance of IPA on a ipa.my.dom.local and the system is a multi-homed/IP host I'd like webui to run only on that host/IP This should not even be a matter of "image a situation where" but rather assume that IPA's are deployed on such installations and then - why would fIPA have to monopolize all the IP's/IFs there are? Me, I'd like to be able to use httpd under a root of host's other FQHN/IPs with other things. Your IPA masters hold passwords and keys to your company's infrastructure. We recommend to avoid sharing the servers used for running IPA masters with any other applications because any compromise of those applications can and will be used for taking over your infrastructure as you have so nicely given the keys to its heart by co-sharing the same system. It is up to you on how you make up your system defense. We as FreeIPA upstream developers put considerate effort in ensuring our default setup is secure enough to avoid such breaches. If you want to co-locate other applications, you need to understand what you are doing and how that affects your security. Effectively, you are on your own on this path. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] how to make fIPA stick to only...
On 04/07/16 07:59, Petr Spacek wrote: On 1.7.2016 16:29, lejeczek wrote: On 01/07/16 12:41, Petr Vobornik wrote: On 06/30/2016 04:56 PM, lejeczek wrote: ... its own FQHN and its IP ? hi users, I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible? many thanks, L. Hi L. Could you describe your environment and use case in more details. It is not clear to me what you are trying to achieve or what doesn't work for you. Thank you gee, I though my scenario would be quite common among users, take a box with more then one net ifs, or even multiple IPs - what would be nice to have is fIPA webui resides/runs only on that FQHN and that IP to which hostname resolves. Eg, here is one single system: box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/) ipa.my.dom.local 10.10.1.2 currently I get fIPA's webui everywhere, but I'd like it to be only at ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP) I think it would be great to have included (maybe as comments/options) this in Apache's configs of IPA furure releases, if possible. Is it possible to construct such rules? Or there is different, simpler way? I'm still trying to understand your use-case. Why exactly you need to limit the web UI to one 'host name' while keeping it on the same box? I'm sorry I cannot explain this better, I my mind it's really simple, if I installed an instance of IPA on a ipa.my.dom.local and the system is a multi-homed/IP host I'd like webui to run only on that host/IP This should not even be a matter of "image a situation where" but rather assume that IPA's are deployed on such installations and then - why would fIPA have to monopolize all the IP's/IFs there are? Me, I'd like to be able to use httpd under a root of host's other FQHN/IPs with other things. thanks -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] how to make fIPA stick to only...
On 1.7.2016 16:29, lejeczek wrote: > > > On 01/07/16 12:41, Petr Vobornik wrote: >> On 06/30/2016 04:56 PM, lejeczek wrote: >>> ... its own FQHN and its IP ? >>> >>> hi users, >>> >>> I'm fiddling with rewrites but being an amateur cannot figure it out, >>> it's on a multi/home-IP box. Is it possible? >>> >>> many thanks, >>> >>> L. >>> >> Hi L. >> >> Could you describe your environment and use case in more details. It is >> not clear to me what you are trying to achieve or what doesn't work for you. >> >> Thank you > gee, I though my scenario would be quite common among users, > take a box with more then one net ifs, or even multiple IPs - what would be > nice to have is fIPA webui resides/runs only on that FQHN and that IP to which > hostname resolves. Eg, here is one single system: > box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/) > ipa.my.dom.local 10.10.1.2 > currently I get fIPA's webui everywhere, but I'd like it to be only at > ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP) > I think it would be great to have included (maybe as comments/options) this in > Apache's configs of IPA furure releases, if possible. > Is it possible to construct such rules? Or there is different, simpler way? I'm still trying to understand your use-case. Why exactly you need to limit the web UI to one 'host name' while keeping it on the same box? -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] how to make fIPA stick to only...
On 01/07/16 12:41, Petr Vobornik wrote: On 06/30/2016 04:56 PM, lejeczek wrote: ... its own FQHN and its IP ? hi users, I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible? many thanks, L. Hi L. Could you describe your environment and use case in more details. It is not clear to me what you are trying to achieve or what doesn't work for you. Thank you gee, I though my scenario would be quite common among users, take a box with more then one net ifs, or even multiple IPs - what would be nice to have is fIPA webui resides/runs only on that FQHN and that IP to which hostname resolves. Eg, here is one single system: box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/) ipa.my.dom.local 10.10.1.2 currently I get fIPA's webui everywhere, but I'd like it to be only at ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP) I think it would be great to have included (maybe as comments/options) this in Apache's configs of IPA furure releases, if possible. Is it possible to construct such rules? Or there is different, simpler way? thanks! -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] how to make fIPA stick to only...
On 06/30/2016 04:56 PM, lejeczek wrote: > ... its own FQHN and its IP ? > > hi users, > > I'm fiddling with rewrites but being an amateur cannot figure it out, > it's on a multi/home-IP box. Is it possible? > > many thanks, > > L. > Hi L. Could you describe your environment and use case in more details. It is not clear to me what you are trying to achieve or what doesn't work for you. Thank you -- Petr Vobornik -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] how to make fIPA stick to only...
... its own FQHN and its IP ? hi users, I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible? many thanks, L. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
