Bug 459061

Summary: ipa.conf Proxy directive wildcard match not specific enough
Product: [Retired] freeIPA Reporter: Steve Linabery <slinaber>
Component: WebUIAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: medium    
Version: 1.1CC: benl, dpal, jgalipea, rvokal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freeipa-2.0.0-1.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-27 07:13:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 453489    
Attachments:
Description Flags
Make Proxy directive wildcard match more specific none

Description Steve Linabery 2008-08-14 06:29:17 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16

The <Proxy *> directive in ipa.conf should/could be changed to <ProxyMatch ^.*/ipa/ui.*$> so that it doesn't match requests meant for other proxies on the host running the webui.

Reproducible: Always

Steps to Reproduce:
1. define a new ProxyPass to a new proxy with no associated <Proxy> directive.

Actual Results:  
requests intended for the new ProxyPass are picked up by the ipa Proxy directive.

Expected Results:  
If the request didn't match the ProxyPass and ProxyPassReverse specifically needed for the ipa webui, it shouldn't default to it.

Comment 1 Rob Crittenden 2008-08-14 15:23:49 UTC
Created attachment 314327 [details]
Make Proxy directive wildcard match more specific

Comment 2 Rob Crittenden 2008-08-14 17:52:51 UTC
master: 8edc9aa8aa9c109aa2c904161985288710748333

Comment 3 Jenny Severance 2008-11-25 14:44:06 UTC
The <ProxyMatch> in the ipa.conf file is:  <ProxyMatch ^.*/ipa/ui.*$$>

Which does not match that in comment #1,   <ProxyMatch ^.*/ipa/ui.*$> 

Please advice.
Thanks

Comment 4 Martin Nagy 2008-11-25 21:58:18 UTC
Jenny, this file is a template containing variables like $REALM. These are replaced, the $$ is replaced by single $, so what's important is the resulting file that gets installed.

Comment 5 Jenny Severance 2008-12-01 13:54:20 UTC
Is this similar to https://bugzilla.redhat.com/show_bug.cgi?id=459209?

To verify - try to access a uri that doesn't exist and there should be no redirection?

Thanks

Comment 6 Jenny Severance 2008-12-03 18:29:03 UTC
Setting this to assigned to get question answered.

Comment 7 Rob Crittenden 2008-12-03 19:01:20 UTC
No, this one doesn't cover redirection, it covers whether requests should be forwarded to TurboGears.

Try this. Create /etc/httpd/conf.d/proxy.conf:

ProxyPass /foo http://www.redhat.com/
ProxyPassReverse /foo http://www.redhat.com/

Restart httpd

curl -kv https://localhost/foo

Should return the contents of http://www.redhat.com/

You can further test with:

curl -kv https://your.server.name/ipa/ui

It should return the contents of the kerberos login failed screen.

And even more:

kinit admin@REALM
curl -kv --negotiate -u : https://your.server.name/ipa/ui

That should do a full connection and you should receive the contents of the main page with full rights.

Comment 8 Jenny Severance 2008-12-03 19:28:28 UTC
Thanks Rob

Comment 9 Jenny Severance 2008-12-03 19:52:10 UTC
Fix Verified:

.../foo returns contents of redhat.com

no admin ticket .../ipa/ui returns kerberos login failure contents

admin ticket ../ipa/ui returns contents of ipa_webgui page