Commit edfe2fd3 authored by Fabien Combernous's avatar Fabien Combernous

Merge branch '78-remove-webui_enable_proxy' into 'master'

Resolve "remove webui_enable_proxy"

Closes #78

See merge request !79
parents 5d5f8adf 14c7b478
......@@ -65,8 +65,6 @@ class {'freeipa':
enable_hostname => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
humanadmins => {
jdupond => {
ensure => 'present',
......
......@@ -15,7 +15,6 @@ _Public Classes_
_Private Classes_
* `freeipa::config::keytab`: Configures keytab for admin user on FreeIPA master.
* `freeipa::config::webui`: Configures port and redirect overrides for the IPA server web UI.
* `freeipa::install`: Installs the packages needed for servers and clients
* `freeipa::install::client`: Install freeipa client
* `freeipa::install::server`: This class mainly defines options for the ipa install command, then install master or replica regarding the role set.
......@@ -36,10 +35,6 @@ Parameters
Also, triggers the install of the required dns server packages.
and passed to the IPA installer.
and passed to the IPA installer.
requests whose HTTP_HOST variable match the parameter 'webio_proxy_external_fqdn'. This allows the IPA Web UI to work on a
proxied port, while allowing IPA client access to function as normal.
the Web UI to be accessed from different ports and hostnames than the default.
This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard ports.
#### Examples
......@@ -58,8 +53,6 @@ class {'freeipa':
enable_hostname => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
humanadmins => { foo => { password => 'secret123', ensure => 'present'}, bar => { password => 'secret123', ensure => 'present'} },
}
```
......@@ -328,38 +321,6 @@ Name of the sssdtools package.
Default value: 'sssd-tools'
##### `webui_disable_kerberos`
Data type: `Boolean`
If true, then /etc/httpd/conf.d/ipa.conf is written to exclude kerberos support for incoming
Default value: `false`
##### `webui_enable_proxy`
Data type: `Boolean`
If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows
Default value: `false`
##### `webui_proxy_external_fqdn`
Data type: `Stdlib::Fqdn`
The public or external FQDN used to access the IPA Web UI behind the reverse proxy.
Default value: 'localhost'
##### `webui_proxy_https_port`
Data type: `String`
The HTTPS port to use for the reverse proxy. Cannot be 443.
Default value: '8440'
##### `humanadmins`
Data type: `Freeipa::Humanadmins`
......
# @summary Configures port and redirect overrides for the IPA server web UI.
#
# @example
# include freeipa::config::webui
#
# @api private
#
class freeipa::config::webui {
assert_private()
if $freeipa::webui_enable_proxy {
#ref: https://www.redhat.com/archives/freeipa-users/2016-June/msg00128.html
$proxy_server_internal_fqdn = $freeipa::ipa_server_fqdn
$proxy_server_external_fqdn = $freeipa::webui_proxy_external_fqdn
$proxy_https_port = $freeipa::webui_proxy_https_port
$proxy_server_external_fqdn_and_port = "${proxy_server_external_fqdn}:${proxy_https_port}"
$proxy_internal_uri = "https://${proxy_server_internal_fqdn}"
$proxy_external_uri = "https://${proxy_server_external_fqdn}:${proxy_https_port}"
$proxy_server_name = "https://${freeipa::ipa_server_fqdn}:${proxy_https_port}"
$proxy_referrer_regex = regsubst(
$proxy_external_uri,
'\.',
'\.',
'G',
)
file_line { 'webui_additional_https_port_listener':
ensure => present,
path => '/etc/httpd/conf.d/nss.conf',
line => "Listen ${proxy_https_port}",
after => 'Listen\ 443',
notify => Service['httpd'],
}
file { '/etc/httpd/conf.d/ipa-rewrite.conf':
ensure => present,
replace => true,
content => template('freeipa/ipa-rewrite.conf.erb'),
notify => Service['httpd'],
}
file { '/etc/httpd/conf.d/ipa-webui-proxy.conf':
ensure => present,
replace => true,
content => template('freeipa/ipa-webui-proxy.conf.erb'),
notify => Service['httpd'],
}
}
if $freeipa::webui_disable_kerberos {
file_line{'disable_kerberos_via_if_1':
ensure => present,
path => '/etc/httpd/conf.d/ipa.conf',
line => " <If \"%{HTTP_HOST} != '${proxy_server_external_fqdn_and_port}'\">",
notify => Service['httpd'],
after => '^<Location\ "/ipa">$',
}
file_line{'disable_kerberos_via_if_2':
ensure => present,
path => '/etc/httpd/conf.d/ipa.conf',
line => ' </If>',
notify => Service['httpd'],
after => 'ErrorDocument\ 401\ /ipa/errors/unauthorized.html',
}
}
}
......@@ -14,8 +14,6 @@
# enable_hostname => true,
# manage_host_entry => true,
# install_epel => true,
# webui_disable_kerberos => true,
# webui_enable_proxy => true,
# humanadmins => { foo => { password => 'secret123', ensure => 'present'}, bar => { password => 'secret123', ensure => 'present'} },
# }
#
......@@ -58,14 +56,6 @@
# @param server_install_ldaputils If true, then the ldaputils packages are installed if ipa_role is not set to client.
# @param sssd_package_name Name of the sssd package.
# @param sssdtools_package_name Name of the sssdtools package.
# @param webui_disable_kerberos If true, then /etc/httpd/conf.d/ipa.conf is written to exclude kerberos support for incoming
# requests whose HTTP_HOST variable match the parameter 'webio_proxy_external_fqdn'. This allows the IPA Web UI to work on a
# proxied port, while allowing IPA client access to function as normal.
# @param webui_enable_proxy If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows
# the Web UI to be accessed from different ports and hostnames than the default.
# This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard ports.
# @param webui_proxy_external_fqdn The public or external FQDN used to access the IPA Web UI behind the reverse proxy.
# @param webui_proxy_https_port The HTTPS port to use for the reverse proxy. Cannot be 443.
# @param humanadmins Hash of admin accounts in freeipa. Uses the following schema : Hash[ String[1], Struct[{ password => String[1], Optional[ensure] => Enum['present','absent']}]]
# @param install_ca If true, then the parameter '--setup-ca' is passed to the IPA server installer (for replicas)
#
......@@ -113,10 +103,6 @@ class freeipa (
Boolean $server_install_ldaputils = true,
String $sssd_package_name = 'sssd-common',
String $sssdtools_package_name = 'sssd-tools',
Boolean $webui_disable_kerberos = false,
Boolean $webui_enable_proxy = false,
Stdlib::Fqdn $webui_proxy_external_fqdn = 'localhost',
String $webui_proxy_https_port = '8440',
) {
if $facts['kernel'] != 'Linux' or $facts['osfamily'] == 'Windows' {
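Review bot: Removing the four `webui_*` parameters here (and dropping `contain 'freeipa::config::webui'` in the install/server.pp hunk) stops managing the proxy resources but never retires them, so a node that was previously applied with `webui_enable_proxy => true` keeps `/etc/httpd/conf.d/ipa-rewrite.conf`, `/etc/httpd/conf.d/ipa-webui-proxy.conf`, the added `Listen` line in `/etc/httpd/conf.d/nss.conf` and, if `webui_disable_kerberos` was set, the `<If>` wrapper lines in `/etc/httpd/conf.d/ipa.conf`. The orphaned VirtualHost from the deleted template also carries the `NSSProtocol TLSv1.0,...` and RC4/3DES cipher settings, so an extra HTTPS listener with that configuration stays active across the upgrade with nothing left in the module to notice or remove it. A transitional cleanup, e.g. `file { ['/etc/httpd/conf.d/ipa-rewrite.conf', '/etc/httpd/conf.d/ipa-webui-proxy.conf']: ensure => absent, notify => Service['httpd'] }` together with `file_line` resources using `ensure => absent` for the listener and `<If>` lines, would bring already-provisioned nodes back to the stock ipa.conf/nss.conf. Deleting class parameters is also a breaking interface change for existing manifests, so the changelog and version should state it explicitly. The `class freeipa` body continues outside this hunk.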
......
......@@ -92,8 +92,6 @@ class freeipa::install::server {
{ensure => 'running'},
)
contain 'freeipa::config::webui'
service { 'ipa':
ensure => 'running',
enable => true,
......
......@@ -18,8 +18,6 @@ describe 'freeipa class' do
enable_manage_admins => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
ipa_master_fqdn => 'ipa-server-1.example.lan',
humanadmins => {
foo => {
......@@ -114,8 +112,6 @@ describe 'freeipa class' do
enable_hostname => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
ipa_master_fqdn => 'ipa-server-1.example.lan',
}
EOS
......@@ -232,8 +228,6 @@ describe 'freeipa class' do
enable_manage_admins => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
ipa_master_fqdn => 'ipa-server-1.example.lan',
humanadmins => {
foo => {
......
require 'spec_helper'
describe 'freeipa::config::webui' do
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:pre_condition) do
manifest = <<-EOS
class{ 'freeipa' :
ipa_role => 'master',
ipa_master_fqdn => 'master.example.lan',
ipa_server_fqdn => 'foo.example.lan',
domain => 'example.lan',
password_usedto_joindomain => 'foobartest',
puppet_admin_password => 'foobartest',
directory_services_password => 'foobartest',
ip_address => '10.10.10.35',
}
EOS
manifest
end
let(:facts) { os_facts }
it { is_expected.to compile }
end
end
end
......@@ -24,7 +24,6 @@ describe 'freeipa', type: :class do
it { is_expected.to contain_class('freeipa::install::server') }
it { is_expected.to contain_class('freeipa::install::sssd') }
it { is_expected.to contain_class('freeipa::install::server::master') }
it { is_expected.to contain_class('freeipa::config::webui') }
it { is_expected.not_to contain_class('freeipa::install::autofs') }
it { is_expected.not_to contain_class('freeipa::install::server::replica') }
......@@ -60,7 +59,6 @@ describe 'freeipa', type: :class do
it { is_expected.to contain_class('freeipa::install::server') }
it { is_expected.to contain_class('freeipa::install::sssd') }
it { is_expected.to contain_class('freeipa::install::server::replica') }
it { is_expected.to contain_class('freeipa::config::webui') }
it { is_expected.not_to contain_class('freeipa::install::autofs') }
it { is_expected.not_to contain_class('freeipa::install::server::master') }
......@@ -102,7 +100,6 @@ describe 'freeipa', type: :class do
it { is_expected.not_to contain_class('freeipa::install::server') }
it { is_expected.not_to contain_class('freeipa::install::server::master') }
it { is_expected.not_to contain_class('freeipa::install::server::replica') }
it { is_expected.not_to contain_class('freeipa::config::webui') }
if facts[:os]['family'] == 'Debian'
it { is_expected.to contain_package('freeipa-client') }
......
# VERSION 6 - DO NOT REMOVE THIS LINE
# ref: https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
RewriteEngine on
# By default forward all requests to /ipa. If you don't want IPA
# to be the default on your web server comment this line out.
RewriteRule ^/$ <%= @proxy_internal_uri %>/ipa/ui [L,NC,R=301]
# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST} !^<%= @proxy_server_internal_fqdn %>$ [NC]
RewriteRule ^/ipa/(.*) <%= @proxy_internal_uri %>/ipa/$1 [L,R=301]
# Redirect to the secure port if not displaying an error or retrieving
# configuration.
# RewriteCond %{SERVER_PORT} !^443$
# RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
# RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
# RewriteRule ^/ipa/(.*) <%= @proxy_internal_uri %>/ipa/$1 [L,R=301,NC]
# Rewrite for plugin index, make it like it's a static file
RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT]
<%= @template_referrer_line %>
RequestHeader edit Referer ^<%= @proxy_referrer_regex %>/ <%= @proxy_internal_uri %>/
<VirtualHost _default_:<%= @proxy_https_port %>>
NSSEngine on
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
NSSProxyEngine On
NSSProxyCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_gcm_sha_384,+rsa_aes_256_sha
ProxyRequests Off
ServerName <%= @proxy_server_name %>
ProxyPass / https://<%= @proxy_server_internal_fqdn %>/
ProxyPassReverse / https://<%= @proxy_server_internal_fqdn %>/
ProxyPassReverse / http://<%= @proxy_server_internal_fqdn %>/
ProxyPassReverseCookieDomain <%= @proxy_server_internal_fqdn %> <%= @proxy_server_external_fqdn %>
</VirtualHost>