User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:22.214.171.124) Gecko/20080702 Firefox/126.96.36.199
The <Proxy *> directive in ipa.conf should/could be changed to <ProxyMatch ^.*/ipa/ui.*$> so that it doesn't match requests meant for other proxies on the host running the webui.
Steps to Reproduce:
1. define a new ProxyPass to a new proxy with no associated <Proxy> directive.
requests intended for the new ProxyPass are picked up by the ipa Proxy directive.
If the request didn't match the ProxyPass and ProxyPassReverse specifically needed for the ipa webui, it shouldn't default to it.
Created attachment 314327 [details]
Make Proxy directive wildcard match more specific
The <ProxyMatch> in the ipa.conf file is: <ProxyMatch ^.*/ipa/ui.*$$>
Which does not match that in comment #1, <ProxyMatch ^.*/ipa/ui.*$>
Jenny, this file is a template containing variables like $REALM. These are replaced, the $$ is replaced by single $, so what's important is the resulting file that gets installed.
Is this similar to https://bugzilla.redhat.com/show_bug.cgi?id=459209?
To verify - try to access a uri that doesn't exist and there should be no redirection?
Setting this to assigned to get question answered.
No, this one doesn't cover redirection, it covers whether requests should be forwarded to TurboGears.
Try this. Create /etc/httpd/conf.d/proxy.conf:
ProxyPass /foo http://www.redhat.com/
ProxyPassReverse /foo http://www.redhat.com/
curl -kv https://localhost/foo
Should return the contents of http://www.redhat.com/
You can further test with:
curl -kv https://your.server.name/ipa/ui
It should return the contents of the kerberos login failed screen.
And even more:
curl -kv --negotiate -u : https://your.server.name/ipa/ui
That should do a full connection and you should receive the contents of the main page with full rights.
.../foo returns contents of redhat.com
no admin ticket .../ipa/ui returns kerberos login failure contents
admin ticket ../ipa/ui returns contents of ipa_webgui page