On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote:
> Hi,
>
> Does anybody have any experience putting the IPA web UI behind a reverse
> proxy? In an attempt to allow our users to access the UI without browser
> warnings and without having to add the root CA certificate to their trusted
> store (there was some resistance to that idea), I set up an nginx server as
> a simple reverse proxy.
>
> Every request returns an "Unable to verify your Kerberos credentials" error
> page. The headers returned:
>
> $ http -h GET https://proxy/ipa
> HTTP/1.1 401 Unauthorized
> Accept-Ranges: bytes
> Connection: keep-alive
> Content-Length: 1474
> Content-Type: text/html; charset=UTF-8
> Date: Fri, 24 Apr 2015 18:43:06 GMT
> Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
> Server: nginx/1.4.6 (Ubuntu)
> WWW-Authenticate: Negotiate
>
> I saw this thread from 2013:
> https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065
>
> I'm sending the proper Host and Referer headers by the proxy as specified,
> and I modified the Apache rewriting rules to not redirect to the hostname
> of the backend IPA server.
>
> Any ideas how this can be done?
>

Hi Benjamen,

You could use a 3rd-party certificate (signed by trusted, public CA) for the
Web UI; see the guide:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

If you decide to continue with the Web UI behind a reverse proxy, Simo
recently blogged about Kerberos authentication issues with this sort of
setup; you may find inspiration here: https://ssimo.org/blog/id_019.html

Cheers,
Fraser

> Thanks,
>
> --
> Benjamen Keroack
> *Infrastructure/DevOps Engineer*
> [email protected]
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
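For readers following the thread, here is an added illustration of the kind of nginx reverse-proxy setup Benjamen describes. It is not configuration from the thread, from Benjamen, or from the FreeIPA project; the hostnames, certificate paths and the `/etc/ipa/ca.crt` location are assumptions. It forwards the original Host and Referer headers (nginx otherwise rewrites Host to the backend name) and verifies the backend's certificate against the IPA CA rather than trusting it blindly.

```nginx
# Constructed example: nginx in front of the FreeIPA web UI.
# All names and paths below are placeholders (assumed).
server {
    listen 443 ssl;
    server_name proxy.example.com;            # name users browse to (assumed)

    ssl_certificate     /etc/nginx/proxy.crt;  # publicly trusted cert (assumed path)
    ssl_certificate_key /etc/nginx/proxy.key;  # (assumed path)

    location /ipa {
        proxy_pass https://ipa.example.com;    # backend IPA server (assumed)
        proxy_http_version 1.1;

        # nginx sets Host to the backend name by default; the thread says the
        # backend must see "proper" Host and Referer values, so set them
        # explicitly. Which value the IPA server's own checks expect is not
        # stated on the page; adjust to your server (assumed).
        proxy_set_header Host    $host;
        proxy_set_header Referer $http_referer;

        # Other request headers, including Authorization carrying the
        # Negotiate token, are forwarded by default; nothing to add.

        # Verify the backend's TLS certificate against the IPA CA instead of
        # accepting any certificate. These directives need nginx 1.7.0 or
        # later; the 1.4.6 shown in the thread predates them.
        proxy_ssl_verify               on;
        proxy_ssl_trusted_certificate  /etc/ipa/ca.crt;   # IPA CA cert (assumed path)
        proxy_ssl_verify_depth         2;
    }
}
```

Forwarding the headers is only part of the picture: a browser doing SPNEGO requests a Kerberos service ticket for the hostname it connects to, here the proxy's name, so the backend must be able to accept a ticket for that name or the 401 with `WWW-Authenticate: Negotiate` persists. That is the class of issue Fraser's pointer to Simo's post concerns, and the 3rd-party certificate route he mentions first avoids the proxy altogether.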
