Bug 459061 - ipa.conf Proxy directive wildcard match not specific enough
Summary: ipa.conf Proxy directive wildcard match not specific enough
Alias: None
Product: freeIPA
Classification: Retired
Component: WebUI
Version: 1.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 453489
TreeView+ depends on / blocked
Reported: 2008-08-14 06:29 UTC by Steve Linabery
Modified: 2015-01-04 23:33 UTC (History)
4 users (show)

Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-03-27 07:13:06 UTC

Attachments (Terms of Use)
Make Proxy directive wildcard match more specific (1.28 KB, patch)
2008-08-14 15:23 UTC, Rob Crittenden
no flags Details | Diff

Description Steve Linabery 2008-08-14 06:29:17 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20080702 Firefox/

The <Proxy *> directive in ipa.conf should/could be changed to <ProxyMatch ^.*/ipa/ui.*$> so that it doesn't match requests meant for other proxies on the host running the webui.

Reproducible: Always

Steps to Reproduce:
1. define a new ProxyPass to a new proxy with no associated <Proxy> directive.

Actual Results:  
requests intended for the new ProxyPass are picked up by the ipa Proxy directive.

Expected Results:  
If the request didn't match the ProxyPass and ProxyPassReverse specifically needed for the ipa webui, it shouldn't default to it.

Comment 1 Rob Crittenden 2008-08-14 15:23:49 UTC
Created attachment 314327 [details]
Make Proxy directive wildcard match more specific

Comment 2 Rob Crittenden 2008-08-14 17:52:51 UTC
master: 8edc9aa8aa9c109aa2c904161985288710748333

Comment 3 Jenny Severance 2008-11-25 14:44:06 UTC
The <ProxyMatch> in the ipa.conf file is:  <ProxyMatch ^.*/ipa/ui.*$$>

Which does not match that in comment #1,   <ProxyMatch ^.*/ipa/ui.*$> 

Please advice.

Comment 4 Martin Nagy 2008-11-25 21:58:18 UTC
Jenny, this file is a template containing variables like $REALM. These are replaced, the $$ is replaced by single $, so what's important is the resulting file that gets installed.

Comment 5 Jenny Severance 2008-12-01 13:54:20 UTC
Is this similar to https://bugzilla.redhat.com/show_bug.cgi?id=459209?

To verify - try to access a uri that doesn't exist and there should be no redirection?


Comment 6 Jenny Severance 2008-12-03 18:29:03 UTC
Setting this to assigned to get question answered.

Comment 7 Rob Crittenden 2008-12-03 19:01:20 UTC
No, this one doesn't cover redirection, it covers whether requests should be forwarded to TurboGears.

Try this. Create /etc/httpd/conf.d/proxy.conf:

ProxyPass /foo http://www.redhat.com/
ProxyPassReverse /foo http://www.redhat.com/

Restart httpd

curl -kv https://localhost/foo

Should return the contents of http://www.redhat.com/

You can further test with:

curl -kv https://your.server.name/ipa/ui

It should return the contents of the kerberos login failed screen.

And even more:

kinit admin@REALM
curl -kv --negotiate -u : https://your.server.name/ipa/ui

That should do a full connection and you should receive the contents of the main page with full rights.

Comment 8 Jenny Severance 2008-12-03 19:28:28 UTC
Thanks Rob

Comment 9 Jenny Severance 2008-12-03 19:52:10 UTC
Fix Verified:

.../foo returns contents of redhat.com

no admin ticket .../ipa/ui returns kerberos login failure contents

admin ticket ../ipa/ui returns contents of ipa_webgui page

Note You need to log in before you can comment on or make changes to this bug.