Re: [Freeipa-users] freeipa on http?

2015-08-24 Thread Janelle

Going to give this a try today.
Thanks so much for taking the time to work this out.

~J


On 8/24/15 2:01 AM, Jan Pazdziora wrote:
> On Thu, Aug 20, 2015 at 02:26:43PM +0200, Jan Pazdziora wrote:
> > On Tue, Aug 18, 2015 at 02:58:50PM -0700, Janelle wrote:
> > > Tried that -- but it gives a blank screen. I will try playing with it some
> > > more.  At least I know we are thinking in the same ballpark
> >
> > I was able to set this up just fine with
> > freeipa-server-4.1.4-4.fc22.x86_64. You need to disable the
> >
> >   # Redirect to the secure port if not displaying an error or retrieving
> >   # configuration.
> >   RewriteCond %{SERVER_PORT}  !^443$
> >   RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
> >   RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
> >   RewriteRule ^/ipa/(.*)  https://ipa.example.test/ipa/$1 [L,R=301,NC]
> >
> > part on the IPA server or you will get infinite redirection loop.
> >
> > Also you will need to test it through that SSL proxy, not directly
> > against http://ipa.example.test/, or authentication on the WebUI will
> > not work -- the session cookie is marked as Secure so the browser will
> > not store it when it comes via http, plus the UI checks referer to
> > start with https://.
>
> I've put the notes about the setup I've tried to
>
> http://www.adelton.com/freeipa/freeipa-behind-ssl-proxy



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] freeipa on http?

2015-08-24 Thread Jan Pazdziora
On Thu, Aug 20, 2015 at 02:26:43PM +0200, Jan Pazdziora wrote:
> On Tue, Aug 18, 2015 at 02:58:50PM -0700, Janelle wrote:
> > Tried that -- but it gives a blank screen. I will try playing with it some
> > more.  At least I know we are thinking in the same ballpark
> 
> I was able to set this up just fine with
> freeipa-server-4.1.4-4.fc22.x86_64. You need to disable the
> 
>   # Redirect to the secure port if not displaying an error or retrieving
>   # configuration.
>   RewriteCond %{SERVER_PORT}  !^443$
>   RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
>   RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
>   RewriteRule ^/ipa/(.*)  https://ipa.example.test/ipa/$1 [L,R=301,NC]
> 
> part on the IPA server or you will get infinite redirection loop.
> 
> Also you will need to test it through that SSL proxy, not directly
> against http://ipa.example.test/, or authentication on the WebUI will
> not work -- the session cookie is marked as Secure so the browser will
> not store it when it comes via http, plus the UI checks referer to
> start with https://.

I've put the notes about the setup I've tried to

http://www.adelton.com/freeipa/freeipa-behind-ssl-proxy

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] freeipa on http?

2015-08-20 Thread Jan Pazdziora
On Tue, Aug 18, 2015 at 02:58:50PM -0700, Janelle wrote:
> Tried that -- but it gives a blank screen. I will try playing with it some
> more.  At least I know we are thinking in the same ballpark

I was able to set this up just fine with
freeipa-server-4.1.4-4.fc22.x86_64. You need to disable the

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
RewriteCond %{SERVER_PORT}  !^443$
RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
RewriteRule ^/ipa/(.*)  https://ipa.example.test/ipa/$1 [L,R=301,NC]

part on the IPA server or you will get infinite redirection loop.

Also you will need to test it through that SSL proxy, not directly
against http://ipa.example.test/, or authentication on the WebUI will
not work -- the session cookie is marked as Secure so the browser will
not store it when it comes via http, plus the UI checks referer to
start with https://.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
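
The redirect loop described in the message above, modelled as an added example (not part of the original post and not FreeIPA's own code). It assumes the SSL proxy forwards every request to the IPA httpd on port 80; the function names are hypothetical.

```python
import re

# Constructed model of the ipa-rewrite.conf block quoted in the thread.
EXEMPT = re.compile(r"^/ipa/(errors|config|crl)")
STATIC = re.compile(
    r"^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$")
RULE = re.compile(r"^/ipa/(.*)", re.IGNORECASE)  # [NC] applies to the rule pattern only


def backend_response(server_port, uri, redirect_enabled=True):
    """Return (status, location) the IPA httpd would send for this request."""
    m = RULE.match(uri)
    if (redirect_enabled and m
            and server_port != 443          # RewriteCond %{SERVER_PORT} !^443$
            and not EXEMPT.search(uri)      # errors, config and crl stay on http
            and not STATIC.search(uri)):    # static assets stay on http
        return 301, "https://ipa.example.test/ipa/" + m.group(1)
    return 200, None


def fetch_via_proxy(uri, redirect_enabled=True, max_hops=5):
    """Client speaks HTTPS to the proxy; the proxy forwards plain HTTP to port 80.

    Assumption: the backend always sees port 80, so the SERVER_PORT condition
    never sees 443, however many times the client follows the redirect.
    """
    hops = 0
    while hops < max_hops:
        status, location = backend_response(80, uri, redirect_enabled)
        if status != 301:
            return status, hops
        # The client follows the Location header back to the same proxy.
        uri = location[len("https://ipa.example.test"):]
        hops += 1
    return "loop", hops


if __name__ == "__main__":
    print(fetch_via_proxy("/ipa/ui/"))                          # rule active
    print(fetch_via_proxy("/ipa/ui/", redirect_enabled=False))  # rule disabled
```

With the rule disabled, plain HTTP to the backend is no longer redirected, so port 80 on the IPA server should be reachable only from the proxy.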



Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Simo Sorce
On Tue, 2015-08-18 at 17:44 -0700, Janelle wrote:
> Simo,
> 
> I read your blog sometime ago and do like it. However in this case, this 
> is only for HTTPS, not kerberos, so the names do not have to match. It 
> is for users managing accounts across any number of hosts. But thank you.

There is still the problem of the referer, but should be easy to fix
with a rewrite rule.

Simo.

> ~J
> 
> On 8/18/15 3:02 PM, Simo Sorce wrote:
> > On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote:
> >> The load balancer would have to have the exact same name (for the
> >> clients) as the IPA server, which may be challenging depending on the
> >> network configuration you have.
> > More on that issue here:
> > http://ssimo.org/blog/id_019.html
> >
> >> On Tue, 2015-08-18 at 14:58 -0700, Janelle wrote:
> >>> Tried that -- but it gives a blank screen. I will try playing with it
> >>> some more.  At least I know we are thinking in the same ballpark
> >>> Thank you
> >>> ~J
> >>>
> >>>
> >>> On 8/18/15 1:55 PM, Rob Crittenden wrote:
> >>>> Janelle wrote:
> >>>>> Hi,
> >>>>>
> >>>>> Is there a way to force freeipa web server to accept http requests and
> >>>>> not redirect to https? Reason is simple - offloading SSL to a load
> >>>>> balancer on the front end. (this is for web only, not the LDAP or
> >>>>> Kerberos)
> >>>>>
> >>>>> Thank you
> >>>>> ~J
> >>>>>
> >>>> You could try disabling the rewrite rules to do this in
> >>>> /etc/httpd/conf.d/ipa-rewrite.conf.
> >>>>
> >>>> rob
> >>
> >> -- 
> >> Simo Sorce * Red Hat, Inc * New York
> >>
> >
> 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Janelle

Simo,

I read your blog sometime ago and do like it. However in this case, this 
is only for HTTPS, not kerberos, so the names do not have to match. It 
is for users managing accounts across any number of hosts. But thank you.


~J

On 8/18/15 3:02 PM, Simo Sorce wrote:
> On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote:
> > The load balancer would have to have the exact same name (for the
> > clients) as the IPA server, which may be challenging depending on the
> > network configuration you have.
> More on that issue here:
> http://ssimo.org/blog/id_019.html
>
> > On Tue, 2015-08-18 at 14:58 -0700, Janelle wrote:
> >> Tried that -- but it gives a blank screen. I will try playing with it
> >> some more.  At least I know we are thinking in the same ballpark
> >> Thank you
> >> ~J
> >>
> >>
> >> On 8/18/15 1:55 PM, Rob Crittenden wrote:
> >>> Janelle wrote:
> >>>> Hi,
> >>>>
> >>>> Is there a way to force freeipa web server to accept http requests and
> >>>> not redirect to https? Reason is simple - offloading SSL to a load
> >>>> balancer on the front end. (this is for web only, not the LDAP or
> >>>> Kerberos)
> >>>>
> >>>> Thank you
> >>>> ~J
> >>>>
> >>> You could try disabling the rewrite rules to do this in
> >>> /etc/httpd/conf.d/ipa-rewrite.conf.
> >>>
> >>> rob
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York







Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Simo Sorce
The load balancer would have to have the exact same name (for the
clients) as the IPA server, which may be challenging depending on the
network configuration you have.

On Tue, 2015-08-18 at 14:58 -0700, Janelle wrote:
> Tried that -- but it gives a blank screen. I will try playing with it 
> some more.  At least I know we are thinking in the same ballpark
> Thank you
> ~J
> 
> 
> On 8/18/15 1:55 PM, Rob Crittenden wrote:
> > Janelle wrote:
> >> Hi,
> >>
> >> Is there a way to force freeipa web server to accept http requests and
> >> not redirect to https? Reason is simple - offloading SSL to a load
> >> balancer on the front end. (this is for web only, not the LDAP or 
> >> Kerberos)
> >>
> >> Thank you
> >> ~J
> >>
> >
> > You could try disabling the rewrite rules to do this in 
> > /etc/httpd/conf.d/ipa-rewrite.conf.
> >
> > rob
> 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Simo Sorce
On Tue, 2015-08-18 at 18:01 -0400, Simo Sorce wrote:
> The load balancer would have to have the exact same name (for the
> clients) as the IPA server, which may be challenging depending on the
> network configuration you have.

More on that issue here:
http://ssimo.org/blog/id_019.html

> On Tue, 2015-08-18 at 14:58 -0700, Janelle wrote:
> > Tried that -- but it gives a blank screen. I will try playing with it 
> > some more.  At least I know we are thinking in the same ballpark
> > Thank you
> > ~J
> > 
> > 
> > On 8/18/15 1:55 PM, Rob Crittenden wrote:
> > > Janelle wrote:
> > >> Hi,
> > >>
> > >> Is there a way to force freeipa web server to accept http requests and
> > >> not redirect to https? Reason is simple - offloading SSL to a load
> > >> balancer on the front end. (this is for web only, not the LDAP or 
> > >> Kerberos)
> > >>
> > >> Thank you
> > >> ~J
> > >>
> > >
> > > You could try disabling the rewrite rules to do this in 
> > > /etc/httpd/conf.d/ipa-rewrite.conf.
> > >
> > > rob
> > 
> 
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Janelle
Tried that -- but it gives a blank screen. I will try playing with it 
some more.  At least I know we are thinking in the same ballpark

Thank you
~J


On 8/18/15 1:55 PM, Rob Crittenden wrote:
> Janelle wrote:
> > Hi,
> >
> > Is there a way to force freeipa web server to accept http requests and
> > not redirect to https? Reason is simple - offloading SSL to a load
> > balancer on the front end. (this is for web only, not the LDAP or
> > Kerberos)
> >
> > Thank you
> > ~J
>
> You could try disabling the rewrite rules to do this in
> /etc/httpd/conf.d/ipa-rewrite.conf.
>
> rob




Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Rob Crittenden

Janelle wrote:
> Hi,
>
> Is there a way to force freeipa web server to accept http requests and
> not redirect to https? Reason is simple - offloading SSL to a load
> balancer on the front end. (this is for web only, not the LDAP or Kerberos)
>
> Thank you
> ~J

You could try disabling the rewrite rules to do this in
/etc/httpd/conf.d/ipa-rewrite.conf.

rob
