User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16 The <Proxy *> directive in ipa.conf should/could be changed to <ProxyMatch ^.*/ipa/ui.*$> so that it doesn't match requests meant for other proxies on the host running the webui. Reproducible: Always Steps to Reproduce: 1. define a new ProxyPass to a new proxy with no associated <Proxy> directive. Actual Results: requests intended for the new ProxyPass are picked up by the ipa Proxy directive. Expected Results: If the request didn't match the ProxyPass and ProxyPassReverse specifically needed for the ipa webui, it shouldn't default to it.
Created attachment 314327 [details] Make Proxy directive wildcard match more specific
master: 8edc9aa8aa9c109aa2c904161985288710748333
The <ProxyMatch> in the ipa.conf file is: <ProxyMatch ^.*/ipa/ui.*$$> Which does not match that in comment #1, <ProxyMatch ^.*/ipa/ui.*$> Please advice. Thanks
Jenny, this file is a template containing variables like $REALM. These are replaced, the $$ is replaced by single $, so what's important is the resulting file that gets installed.
Is this similar to https://bugzilla.redhat.com/show_bug.cgi?id=459209? To verify - try to access a uri that doesn't exist and there should be no redirection? Thanks
Setting this to assigned to get question answered.
No, this one doesn't cover redirection, it covers whether requests should be forwarded to TurboGears. Try this. Create /etc/httpd/conf.d/proxy.conf: ProxyPass /foo http://www.redhat.com/ ProxyPassReverse /foo http://www.redhat.com/ Restart httpd curl -kv https://localhost/foo Should return the contents of http://www.redhat.com/ You can further test with: curl -kv https://your.server.name/ipa/ui It should return the contents of the kerberos login failed screen. And even more: kinit admin@REALM curl -kv --negotiate -u : https://your.server.name/ipa/ui That should do a full connection and you should receive the contents of the main page with full rights.
Thanks Rob
Fix Verified: .../foo returns contents of redhat.com no admin ticket .../ipa/ui returns kerberos login failure contents admin ticket ../ipa/ui returns contents of ipa_webgui page