Allow to configure other valids referrers for HTTPS #7344
Conversation
This check was added to protect [against possible CSRF](freeipa@2d6eeb2#diff-21d951ac2d07631c0818b056e289cd02d980b05545f9eabb18b407178da0af0c). However, it doesn't work well behind a proxy, like [we saw here](haproxy/haproxy#2555 (comment)). This change allows defining multiple valid referers (which would solve that issue) and also the related issue https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VN3RXS36GFK4JMZCCSHPJ3DKLSBEXDE4/ : in the preceding message the user had to comment out this check to have a working FreeIPA. Better to accept multiple referers so it works.

I remember a comment that Kerberos might not work for the added domains. Since we don't use Kerberos we are not affected. It seems still possible to [configure it](https://freeipa-users.redhat.narkive.com/hClHC8Ny/ipa-server-ui-behind-proxy). Users with Kerberos won't see a change because they will keep using the classical name.
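To make the behaviour this PR asks for concrete, here is an added example (not FreeIPA's code, and not the PR's own patch) of a Referer allow-list check in Python. It assumes a setting whose value has the shape `host[:port][/path_prefix],...`, mirroring the `allowed_referers` example in the man page diff, and the function names `parse_allowed` and `referer_allowed` are invented for this example. The hostnames come from the man page example on this page; the sample Referer values are constructed.

```python
"""Referer allow-list check, modelled on the multi-referer proposal above.

Added example, not FreeIPA's code. Instead of accepting only the server's own
canonical name, the check accepts any entry of a configured allow-list of the
form host[:port][/path_prefix]. Matching is exact on host and port (no suffix
or substring matching) and prefix-based on the path, so a browser sitting
behind a reverse proxy that sends the public name as Referer is accepted
without the operator having to comment the check out.
"""
from urllib.parse import urlsplit

DEFAULT_PORT = 443  # referers are only accepted over https


def parse_allowed(value):
    """Turn 'host[:port][/prefix],...' into a list of (host, port, prefix).

    Hostnames are lower-cased, a missing port means 443 and a missing
    prefix means '/' (any path on that host is acceptable).
    """
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        hostport, _, prefix = raw.partition("/")
        host, _, port = hostport.partition(":")
        entries.append((host.lower(),
                        int(port) if port else DEFAULT_PORT,
                        "/" + prefix if prefix else "/"))
    return entries


def _path_matches(path, prefix):
    """'/sub_folder' accepts '/sub_folder' and '/sub_folder/x', not '/sub_folderx'."""
    if prefix == "/":
        return True
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def referer_allowed(referer, allowed_referers):
    """Return True only if the Referer header matches one allow-list entry."""
    if not referer:
        return False  # a missing Referer is rejected, as the single-host check did
    try:
        parts = urlsplit(referer)
        port = parts.port or DEFAULT_PORT  # .port raises ValueError on junk ports
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    path = parts.path or "/"
    for a_host, a_port, a_prefix in parse_allowed(allowed_referers):
        if host == a_host and port == a_port and _path_matches(path, a_prefix):
            return True
    return False


# Value taken from the man page example on this page.
ALLOWED = "ipa.demo1.freeipa.org:443,ipa.demo1.local,ipa.demo1.freeipa.org:443/sub_folder"


def demo():
    """Constructed Referer values: the proxied public name, the internal name,
    and three that must be rejected (suffix-spoofed host, plain http, other port).
    Returns a mapping of referer -> whether the check agreed with the expectation."""
    cases = {
        "https://ipa.demo1.freeipa.org/ipa/ui/": True,
        "https://ipa.demo1.local/ipa/ui/": True,
        "https://ipa.demo1.freeipa.org/sub_folder/ipa/ui/": True,
        "https://ipa.demo1.local.attacker.test/ipa/ui/": False,
        "http://ipa.demo1.local/ipa/ui/": False,
        "https://ipa.demo1.local:8443/ipa/ui/": False,
    }
    return {ref: referer_allowed(ref, ALLOWED) == expected
            for ref, expected in cases.items()}


if __name__ == "__main__":
    for ref, ok in demo().items():
        print("ok " if ok else "BAD", ref)
```

The exact host/port comparison is the part worth keeping whatever the final design looks like: an allow-list that is matched by substring or suffix would let an unrelated host under a look-alike name pass the CSRF check. The path prefix is only a restriction within a host; an entry without a path accepts every path on that host, which is why the third entry in the man page example is redundant next to the first.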
.IP | ||
allowed_referers = ipa.demo1.freeipa.org:443,ipa.demo1.local,ipa.demo1.freeipa.org:443/sub_folder |
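Review bot: the `allowed_referers` example line mixes three entry shapes (`host:port`, bare `host`, `host:port/path`) without the man page stating the matching rule that goes with them; add a sentence above the example saying whether the port defaults to 443 when omitted, whether the comparison is exact on host and port, and whether a trailing path restricts the match to that path prefix. As written, a reader cannot tell whether the third entry adds anything beyond the first.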
We might not show the sub_folder aspect, to be future-proof?
Frankly speaking, I don't like to add a half-baked solution. Proper support for a multi-host setup (including reverse proxying) would need to take into account more than just referrer aliases. Please see https://vda.li/en/posts/2023/08/16/Support-multi-homed-FreeIPA-Server/ for an analysis I did. More comments:
The discussion you are linking to has a reference to my old draft PR (https://github.com/abbra/freeipa/pull/9/files) which implements most of the aliasing support already.
This can actually be seen in the CI tests:
possible improvements: