Not able to open Web UI through host ip address

[GitHanter]

I started the container using following compose.yml

services:
  freeipa:
    hostname: ipa.example.com
    image: freeipa/freeipa-server:fedora-40
    container_name: freeipa-server
    restart: unless-stopped
    cgroup: host
    sysctls:
      net.ipv6.conf.all.disable_ipv6: "0"
    command: 
      - ipa-server-install 
      - --realm=example.com
      - --domain=example.com
      - --ds-password=DirectoryManagerPassword  
      - --admin-password=admin_password
      - --no-host-dns 
      - --no-ntp 
      - --unattended
      - -U
    ports:
     - "389:389"
     - "636:636"
     - "88:88/udp"
     - "88:88/tcp"
     - "464:464/udp"
     - "464:464/tcp"
     - "180:80"
     - "1443:443"
    volumes:
       - ./ipa-data:/data:Z
       - /sys/fs/cgroup/user.slice/user-1000.slice/[email protected]:/sys/fs/cgroup:rw
    environment:
      - IPA_SERVER_IP=10.20.65.5
    extra_hosts:
      - "ipa.example.com:10.20.65.5"
    networks:
      ipa:
        ipv4_address: 10.20.65.5
    cap_add:
      - SYS_TIME

networks:
  ipa:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: 1300
    ipam:
      config:
        - subnet: "10.20.65.0/24"

my host ip address is 192.168.1.100, I want to access the web ui though http://192.168.1.100:180 or https://192.168.1.100:1443, but it always redirect me to https://ipa.example.com

I check the ipa-data/etc/httpd/conf.d/ipa-rewrite.conf, content as following

# VERSION 7 - DO NOT REMOVE THIS LINE

RewriteEngine on

# By default forward all requests to /ipa. If you don't want IPA
# to be the default on your web server comment this line out.
RewriteRule ^/$ https://ipa.example.com/ipa/ui [L,NC,R=301]

# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST}    !^ipa.example.com$ [NC]
RewriteCond %{HTTP_HOST}    !^ipa-ca.example.com$ [NC]
RewriteRule ^/ipa/(.*)      http://ipa.example.com/ipa/$1 [L,R=301]

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
RewriteCond %{SERVER_PORT}  !^443$
RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$
RewriteRule ^/ipa/(.*)      https://ipa.example.com/ipa/$1 [L,R=301,NC]

RewriteCond %{HTTP_HOST}    ^ipa-ca.example.com$ [NC]
RewriteCond %{REQUEST_URI}  !^/ipa/crl
RewriteCond %{REQUEST_URI}  !^/(ca|kra|pki|acme)
RewriteRule ^/(.*)          https://ipa.example.com/$1 [L,R=301]

# Rewrite for plugin index, make it like it's a static file
RewriteRule ^/ipa/ui/js/freeipa/plugins.js$    /ipa/wsgi/plugins.py [PT]

I want to know how to config so that I can access the ipa services(Directory, Web UI) through host ip address, just like many other apps running in docker container

[abbra]

This is not container related. You need to understand what FreeIPA Web UI deals with, though.

FreeIPA uses Kerberos authentication and it also requires HTTPS connection. Kerberos authentication is done by a client (browser in the case of accessing Web UI). The client first requests a Kerberos service ticket from the KDC. It does so by constructing a service Kerberos principal from the target name and a well-known Kerberos service name for that service. For browsers accessing web sites, this would be HTTP/hostname. If KDC knows about that service principal, it will proceed issuing a ticket. If it doesn't, it will reject the request. So what happens here for HTTP/ip-address, is that it will be rejected and Kerberos authentication will not be performed at all because by default FreeIPA does not make HTTP/ip-address aliases to the HTTP/hostname service principal.

Since the connection goes over HTTPS, browser will attempt to validate the TLS certificate a server (FreeIPA web UI) would present as well. TLS certificates that IPA CA issues don't include IP addresses in them as dNSAddress SAN extensions, so browsers will complain that TLS connection cannot be validated as well.

Both of these requirements can be satisfied, sure, by additional configuration:

• add Kerberos principal alias that includes IP address to the corresponding service principal
• add IP address SAN extensions to the HTTP certificate
• update ipa-rewrite.conf to add rules that accept corresponding IP address-based request
• update IPA source code to handle IP address-based requests

However, this is not something we (FreeIPA team) would ever support.

[adelton]

If the OP is okay using login + password for the WebUI authentication, this request looks like https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name to me, even if we never tried it with just an IP address in those investigations.

But I would agree that a much easier approach would be to just make the ipa.example.com resolve to the host IP (and get rid of those port number changes).

[abbra]

Also note that port 443 is absolutely required. There are multiple places in FreeIPA tools where it is hardcoded.

For example (and this list is not exhausting):

• ipa-join tool used by ipa-client-install does hardcode the port
• IPA CA tools configuration hardcodes ports and paths
• ipa-replica-conncheck hardcodes the port

[GitHanter]

@abbra @adelton
Thank you for the detail.
If that is the case, I'll try to add the DNS record to my host file (Or my DNS server), and try to stick to 433 port.