Bug 459061 - ipa.conf Proxy directive wildcard match not specific enough
Product: freeIPA
Classification: Community
Component: WebUI
All Linux
medium Severity medium
Assigned To: Rob Crittenden
Chandrasekar Kannan
Blocks: 453489
Reported: 2008-08-14 02:29 EDT by Steve Linabery
Modified: 2015-01-04 18:33 EST
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 03:13:06 EDT

Attachments
Make Proxy directive wildcard match more specific (1.28 KB, patch)
2008-08-14 11:23 EDT, Rob Crittenden

Description Steve Linabery 2008-08-14 02:29:17 EDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20080702 Firefox/

The <Proxy *> directive in ipa.conf should/could be changed to <ProxyMatch ^.*/ipa/ui.*$> so that it doesn't match requests meant for other proxies on the host running the webui.

Reproducible: Always

Steps to Reproduce:
1. define a new ProxyPass to a new proxy with no associated <Proxy> directive.

Actual Results:  
requests intended for the new ProxyPass are picked up by the ipa Proxy directive.

Expected Results:  
If the request didn't match the ProxyPass and ProxyPassReverse specifically needed for the ipa webui, it shouldn't default to it.
Comment 1 Rob Crittenden 2008-08-14 11:23:49 EDT
Created attachment 314327
Make Proxy directive wildcard match more specific
Comment 2 Rob Crittenden 2008-08-14 13:52:51 EDT
master: 8edc9aa8aa9c109aa2c904161985288710748333
Comment 3 Jenny Galipeau 2008-11-25 09:44:06 EST
The <ProxyMatch> in the ipa.conf file is:  <ProxyMatch ^.*/ipa/ui.*$$>

Which does not match that in comment #1,   <ProxyMatch ^.*/ipa/ui.*$> 

Please advise.
Comment 4 Martin Nagy 2008-11-25 16:58:18 EST
Jenny, this file is a template containing variables like $REALM. These are replaced, the $$ is replaced by single $, so what's important is the resulting file that gets installed.
Comment 5 Jenny Galipeau 2008-12-01 08:54:20 EST
Is this similar to https://bugzilla.redhat.com/show_bug.cgi?id=459209?

To verify - try to access a uri that doesn't exist and there should be no redirection?

Comment 6 Jenny Galipeau 2008-12-03 13:29:03 EST
Setting this to assigned to get question answered.
Comment 7 Rob Crittenden 2008-12-03 14:01:20 EST
No, this one doesn't cover redirection, it covers whether requests should be forwarded to TurboGears.

Try this. Create /etc/httpd/conf.d/proxy.conf:

ProxyPass /foo http://www.redhat.com/
ProxyPassReverse /foo http://www.redhat.com/

Restart httpd

curl -kv https://localhost/foo

Should return the contents of http://www.redhat.com/

You can further test with:

curl -kv https://your.server.name/ipa/ui

It should return the contents of the kerberos login failed screen.

And even more:

kinit admin@REALM
curl -kv --negotiate -u : https://your.server.name/ipa/ui

That should do a full connection and you should receive the contents of the main page with full rights.
Comment 8 Jenny Galipeau 2008-12-03 14:28:28 EST
Thanks Rob
Comment 9 Jenny Galipeau 2008-12-03 14:52:10 EST
Fix Verified:

.../foo returns contents of redhat.com

no admin ticket .../ipa/ui returns kerberos login failure contents

admin ticket ../ipa/ui returns contents of ipa_webgui page
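
The template escaping described in comment 4 and the narrower match requested in the description, as an added example that is not part of the bug thread or of FreeIPA's code. It assumes Python `string.Template`-style substitution (which has the `$$` escape comment 4 describes) and approximates the `<Proxy>` shell-style wildcard with `fnmatch`; the backend URLs are constructed samples.

```python
import re
from fnmatch import fnmatchcase
from string import Template

# Constructed template lines modelled on the two forms discussed in this bug.
OLD_TEMPLATE = "<Proxy *>"
NEW_TEMPLATE = "<ProxyMatch ^.*/ipa/ui.*$$>"

# Constructed proxied URLs; the backend host and port are placeholders.
SAMPLE_URLS = [
    "http://localhost:8080/ipa/ui",
    "http://localhost:8080/ipa/ui/user/list",
    "http://www.redhat.com/",
]


def render(line, variables=None):
    """Render a template line; string.Template turns '$$' into a literal '$'."""
    return Template(line).substitute(variables or {})


def section_matcher(rendered):
    """Return a predicate for a rendered <Proxy glob> or <ProxyMatch regex> line."""
    m = re.fullmatch(r"<(Proxy|ProxyMatch)\s+(.+)>", rendered.strip())
    if m is None:
        raise ValueError(f"not a proxy section header: {rendered!r}")
    kind, pattern = m.groups()
    if kind == "ProxyMatch":
        regex = re.compile(pattern)
        return lambda url: regex.search(url) is not None
    # <Proxy> takes a shell-style wildcard; fnmatch approximates it here.
    return lambda url: fnmatchcase(url, pattern)


def covered(template_line, urls=SAMPLE_URLS):
    """List the proxied URLs that fall under the section's access rules."""
    match = section_matcher(render(template_line))
    return [u for u in urls if match(u)]


if __name__ == "__main__":
    print(render(NEW_TEMPLATE))
    print("old:", covered(OLD_TEMPLATE))
    print("new:", covered(NEW_TEMPLATE))
```

Under the same assumption, a template line ending in a single `$>` would make `substitute()` raise `ValueError`, which is why the template carries `$$`.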
