Commit 14c7b478 authored by Scott Barthelemy

Remove useless templates. Update README.md and REFERENCE.md

parent 62e6d78e
Pipeline #3712 passed with stages
in 63 minutes and 44 seconds
......@@ -65,8 +65,6 @@ class {'freeipa':
enable_hostname => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
humanadmins => {
jdupond => {
ensure => 'present',
......
......@@ -15,7 +15,6 @@ _Public Classes_
_Private Classes_
* `freeipa::config::keytab`: Configures keytab for admin user on FreeIPA master.
* `freeipa::config::webui`: Configures port and redirect overrides for the IPA server web UI.
* `freeipa::install`: Installs the packages needed for servers and clients
* `freeipa::install::client`: Install freeipa client
* `freeipa::install::server`: This class mainly defines options for the ipa install command, then install master or replica regarding the role set.
......@@ -36,10 +35,6 @@ Parameters
Also, triggers the install of the required dns server packages.
and passed to the IPA installer.
and passed to the IPA installer.
requests whose HTTP_HOST variable match the parameter 'webio_proxy_external_fqdn'. This allows the IPA Web UI to work on a
proxied port, while allowing IPA client access to function as normal.
the Web UI to be accessed from different ports and hostnames than the default.
This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard ports.
#### Examples
......@@ -58,8 +53,6 @@ class {'freeipa':
enable_hostname => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
humanadmins => { foo => { password => 'secret123', ensure => 'present'}, bar => { password => 'secret123', ensure => 'present'} },
}
```
......@@ -328,38 +321,6 @@ Name of the sssdtools package.
Default value: 'sssd-tools'
##### `webui_disable_kerberos`
Data type: `Boolean`
If true, then /etc/httpd/conf.d/ipa.conf is written to exclude kerberos support for incoming
Default value: `false`
##### `webui_enable_proxy`
Data type: `Boolean`
If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows
Default value: `false`
##### `webui_proxy_external_fqdn`
Data type: `Stdlib::Fqdn`
The public or external FQDN used to access the IPA Web UI behind the reverse proxy.
Default value: 'localhost'
##### `webui_proxy_https_port`
Data type: `String`
The HTTPS port to use for the reverse proxy. Cannot be 443.
Default value: '8440'
##### `humanadmins`
Data type: `Freeipa::Humanadmins`
......
# VERSION 6 - DO NOT REMOVE THIS LINE
# ref: https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
RewriteEngine on
# By default forward all requests to /ipa. If you don't want IPA
# to be the default on your web server comment this line out.
RewriteRule ^/$ <%= @proxy_internal_uri %>/ipa/ui [L,NC,R=301]
# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST} !^<%= @proxy_server_internal_fqdn %>$ [NC]
RewriteRule ^/ipa/(.*) <%= @proxy_internal_uri %>/ipa/$1 [L,R=301]
# Redirect to the secure port if not displaying an error or retrieving
# configuration.
# RewriteCond %{SERVER_PORT} !^443$
# RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
# RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
# RewriteRule ^/ipa/(.*) <%= @proxy_internal_uri %>/ipa/$1 [L,R=301,NC]
# Rewrite for plugin index, make it like it's a static file
RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT]
<%= @template_referrer_line %>
RequestHeader edit Referer ^<%= @proxy_referrer_regex %>/ <%= @proxy_internal_uri %>/
<VirtualHost _default_:<%= @proxy_https_port %>>
NSSEngine on
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
NSSProxyEngine On
NSSProxyCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
ProxyRequests Off
ServerName <%= @proxy_server_name %>
ProxyPass / https://<%= @proxy_server_internal_fqdn %>/
ProxyPassReverse / https://<%= @proxy_server_internal_fqdn %>/
ProxyPassReverse / http://<%= @proxy_server_internal_fqdn %>/
ProxyPassReverseCookieDomain <%= @proxy_server_internal_fqdn %> <%= @proxy_server_external_fqdn %>
</VirtualHost>