freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Enable HTTP-Only Access for FreeIPA in freeipa/freeipa-server Container #635

Closed SterhLight closed 2 weeks ago

SterhLight commented 2 weeks ago

Description

I'm trying to configure FreeIPA to operate over HTTP without enforcing HTTPS, using the container image freeipa/freeipa-server version rocky-8-4.9.11. This setup is necessary to allow traffic to pass through an NGINX proxy server that handles SSL termination.

Despite attempts to modify ipa-rewrite.conf to prevent HTTPS redirection, FreeIPA still forces redirects to HTTPS in certain cases. Additionally, when accessing FreeIPA via HTTP at /ipa/ui, the page loads as a blank screen instead of the expected UI.

Configuration Details

Container Image: freeipa/freeipa-server:rocky-8-4.9.11

Current configuration of ipa-rewrite.conf:

# VERSION 7 - DO NOT REMOVE THIS LINE

RewriteEngine on

# By default forward all requests to /ipa. If you don't want IPA
# to be the default on your web server comment this line out.
# RewriteRule ^/$ https://ipa.example.local/ipa/ui [L,NC,R=301]

# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST}    !^ipa.example.local$ [NC]
RewriteCond %{HTTP_HOST}    !^ipa-ca.example.local$ [NC]
RewriteRule ^/ipa/(.*)      http://ipa.example.local/ipa/$1 [L,R=301]

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
# RewriteCond %{SERVER_PORT}  !^443$
# RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
# RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
# RewriteRule ^/ipa/(.*)      https://ipa.example.local/ipa/$1 [L,R=301,NC]

RewriteCond %{HTTP_HOST}    ^ipa-ca.example.local$ [NC]
RewriteCond %{REQUEST_URI}  !^/ipa/crl
RewriteCond %{REQUEST_URI}  !^/(ca|kra|pki|acme)
RewriteRule ^/(.*)          https://ipa.example.local/$1 [L,R=301]

# Rewrite for plugin index, make it like it's a static file
RewriteRule ^/ipa/ui/js/freeipa/plugins.js$    /ipa/wsgi/plugins.py [PT]

Steps to Reproduce

  1. Run FreeIPA using the freeipa/freeipa-server:rocky-8-4.9.11 container.
  2. Modify /etc/httpd/conf.d/ipa-rewrite.conf as shown above to prevent HTTPS redirection.
  3. Restart Apache (httpd) and attempt to access the FreeIPA UI via HTTP at http://ipa.example.local/ipa/ui.

Expected Behavior

FreeIPA web UI should be accessible over HTTP without any HTTPS redirection.

Actual Behavior

Requested Solution

Requesting guidance or support to enable HTTP-only access in FreeIPA running in a container, with HTTPS disabled entirely. Specifically, I'd like:

Thank you for considering this feature request.

abbra commented 2 weeks ago

The FreeIPA container project only makes FreeIPA run in a containerised environment. It does not address any of the specifics of FreeIPA operations themselves. That said, from the FreeIPA core development team's point of view, we do not support and do not plan to support unencrypted access over the HTTP protocol to components that require authentication.

I'm closing this ticket as not planned.

zwets commented 2 weeks ago

Wouldn't it be much simpler anyway to proxy over https?

adelton commented 2 weeks ago

I assume the OP tries to achieve something like https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy. We had people reporting success with that setup in the containerized environment.

I would agree though that the debugging should happen via that "NGINX proxy server that handles SSL termination", not directly from the browser to the http-only backend.

SterhLight commented 2 weeks ago

> Wouldn't it be much simpler anyway to proxy over https?

Maybe I don't understand what you mean. It is assumed that the certificate is generated by FreeIPA itself, and a secure connection is established between it and the end user, i.e. nginx has no access to it. I just don't understand how to configure what you are talking about.

SterhLight commented 2 weeks ago

> I assume the OP tries to achieve something like https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy. We had people reporting success with that setup in the containerized environment.
>
> I would agree though that the debugging should happen via that "NGINX proxy server that handles SSL termination", not directly from the browser to the http-only backend.

I want to run freeipa in a container environment on a server where other containers are running, accessed through a proxy-nginx. I need that when entering a certain URL, the traffic goes through nginx and gets to freeipa. I think this is a pretty standard scheme when working with many containers.

zwets commented 2 weeks ago

> Wouldn't it be much simpler anyway to proxy over https?

> Maybe I don't understand what you mean. It is assumed that the certificate is generated by FreeIPA itself, and a secure connection is established between it and the end user, i.e. nginx has no access to it. I just don't understand how to configure what you are talking about.

I don't understand what you mean. All I'm proposing is that rather than try to strip SSL from the FreeIPA container, you leave it as-is and simply proxy to it over https, instead of http, from the reverse proxy.
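An added illustration of the "proxy over https" approach suggested above, written for this thread and not taken from the freeipa-container project or the linked blog post: nginx terminates the public TLS connection and re-encrypts to the unmodified FreeIPA container, verifying the backend certificate against the IPA CA instead of stripping TLS. It assumes the proxy is reached under the same name as the FreeIPA server (ipa.example.local), that the container is reachable from nginx at the constructed address 10.0.0.10, and that the IPA CA certificate has been copied to /etc/nginx/ipa-ca.crt; all three are assumptions, not values from the thread.

```nginx
# Added example; hostnames, address and file paths are assumptions.

server {
    listen 80;
    server_name ipa.example.local;
    # Keep the public side HTTPS-only; there is no plain-HTTP path
    # to the backend anywhere in this setup.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ipa.example.local;

    # Public-facing certificate for the proxy (may itself be issued
    # by the IPA CA for this name).
    ssl_certificate     /etc/nginx/ipa.example.local.crt;
    ssl_certificate_key /etc/nginx/ipa.example.local.key;

    location / {
        # Re-encrypt to the untouched FreeIPA container over HTTPS.
        proxy_pass https://10.0.0.10;

        # Send SNI and verify the backend certificate chain against the
        # IPA CA, so a rogue host on the container network cannot
        # impersonate the IPA server towards the proxy.
        proxy_ssl_server_name         on;
        proxy_ssl_name                ipa.example.local;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/ipa-ca.crt;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Preserve the hostname the browser used. FreeIPA's JSON-RPC
        # endpoint rejects requests whose Referer does not start with
        # https://<its own hostname>/ipa, and the Kerberos SPN is
        # HTTP/ipa.example.local, so the public name must stay equal
        # to the IPA server name (assumption stated above). nginx
        # forwards the browser's Referer unchanged by default.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```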